How do I run a program as nobody?

Question

I want a user-privileged (not root) process to launch new processes as user nobody. I've tried a straight call to setuid that fails with -1 EPERM on Ubuntu 8.04:

#include <sys/types.h>
#include <unistd.h>

int main() { 
       setuid(65534);
       while (1);
       return 0;
}

How should I do this instead?

Answer 1

You will require assistance and a lot of trust from your system administrator. Ordinary users are not able to run the executable of their choice on behalf on other users, period.

She may add your application to /etc/sudoers with proper settings and you'll be able to run it as with sudo -u nobody. This will work for both scripts and binary executables.

Another option is that she will do chown nobody and chmod +s on your binary executable and you'll be able to execute it directly. This task must be repeated each time your executable changes.

This could also work for scripts if you'll create a tiny helper executable which simply does exec("/home/you/bin/your-application"). This executable can be made suid-nobody (see above) and you may freely modify your-application.

Answer 2

As far as I know, you can't unless you're root or have sudo set up to allow you to switch users. Or, you can have your executable have the suid bit set up on it, and have it owned by nobody. But that requires root access too.

Answer 3

The 'nobody' user is still a user. I'm not sure what your reasoning is in having the program run as nobody, it's not going to be adding any additional security. You're more likely to open yourself to other problems.

I'd follow squadette's recommendation of using a helper application.

Answer 4

calife is an alternative to sudo.

Calife is small program that enable a UNIX system administrator to become root (or another user) on his/her machines without giving the root password but his/her own.

Answer 5

I ran across the setuid-sandbox project today while reading LWN, which does what I'm looking for the proper way.