suidexec (poor man's sudo)
This is a kind of poor man's sudo, and you should think about using sudo instead.
suidexec allows a low-privileged user to run commands as another user. It works very well when your web server is already running as www-data (for example) and needs to execute a fastcgi service as a different user.
ACL
suidexec loads /etc/suidexec.conf and uses it to check if the invoking user is allowed to run the program and what commands are permitted.
# the configuration group with the same name of the suid instance
[conf_group]
# allowed commands (semicolon separated list)
commands = /path/command1;/path/command2
# set every allowed user to true
user = true
Example
Run fast-cgi from a www-data process as the nobody user.
$ cp suidexec suidexec_nobody
# chown nobody:nobody suidexec_nobody
# chmod +s suidexec_nobody
- Edit /etc/suidexec.conf to allow the command execution:
# the configuration group with the same name of the suid instance
[suidexec_nobody]
# allowed commands (semicolon separated list)
commands = /path/to/fast-cgi
# set every allowed user to true
www-data = true
- Configure your www-data process:
suidexec_nobody /path/to/fast-cgi -- fast_cgi_arguments
Note: a # prompt implies root permissions.
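The lookup described in the ACL section, modelled in C as an added example; this is not suidexec's own code. It assumes exact string matching on the command path, absolute paths only, and that a user is allowed only when the value is exactly true; the sample configuration is constructed from the Example above.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not suidexec's source. Constructed sample configuration: */
static const char SAMPLE_CONF[] =
    "[suidexec_nobody]\n"
    "commands = /path/to/fast-cgi\n"
    "www-data = true\n";
/* Return 1 only if [instance] has `user = true` and lists `cmd`; else 0. */
int acl_allows(const char *conf, const char *instance,
               const char *user, const char *cmd)
{
    int in_group = 0, user_ok = 0, cmd_ok = 0;
    char line[1024], key[256], val[768];
    if (!*instance || !*user || cmd[0] != '/')
        return 0;                   /* assumption: absolute paths only */
    while (*conf) {
        size_t len = strcspn(conf, "\n"), n = strlen(instance);
        if (len >= sizeof line)
            return 0;               /* oversized line: fail closed */
        memcpy(line, conf, len);
        line[len] = '\0';
        conf += len + (conf[len] == '\n');
        if (line[0] == '[') {       /* group header: exact name match */
            in_group = !strncmp(line + 1, instance, n) && !strcmp(line + 1 + n, "]");
            continue;
        }
        if (!in_group || line[0] == '#' ||
            sscanf(line, " %255[^ =] = %767[^\n]", key, val) != 2)
            continue;
        if (strcmp(key, "commands") == 0) { /* reserved key, never a user */
            const char *p = val;
            while (*p) {            /* walk the ';'-separated list */
                size_t m = strcspn(p, ";");
                cmd_ok |= m == strlen(cmd) && memcmp(p, cmd, m) == 0;
                p += m + (p[m] == ';');
            }
        } else if (strcmp(key, user) == 0) {
            user_ok = strcmp(val, "true") == 0;
        }
    }
    return user_ok && cmd_ok;
}

int main(void)
{
    puts(acl_allows(SAMPLE_CONF, "suidexec_nobody", "www-data",
                    "/path/to/fast-cgi") ? "allowed" : "denied");
    return 0;
}
```

Everything not explicitly listed is denied: an unknown user, a command outside the list, a different instance name, or a path that merely shares a prefix with an allowed one.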
Download
The tool requires glib2, and can be compiled with:
$ gcc -O2 -s `pkg-config --cflags glib-2.0` suidexec.c -o suidexec `pkg-config --libs glib-2.0`
suidexec.c version 0.1