Recent

Author Topic: Executing build commands on Linux with elevated permissions  (Read 2313 times)

MarkMLl

  • Hero Member
  • *****
  • Posts: 2562
Executing build commands on Linux with elevated permissions
« on: March 02, 2021, 01:43:29 pm »
There was discussion a few weeks ago where somebody asked how to temporarily give a program root permissions so that it could access a serial port, and the universal response was to run it in the dialout group or something roughly comparable.

I've got a variant of that where I think it is legitimate to ask the Lazarus IDE to run a specific part of a build sequence as root, and I don't see any easy workarounds. Unfortunately, it's getting progressively more difficult to do this.

On Linux, there are some things that explicitly need root access rights, such as creating a socket with port < 1024 or creating a temporary file (e.g. a FIFO endpoint) in /var/run. There's a finer-grain approach available than attempting to run a GUI program setuid root (which is actively prohibited by some widgetsets) or mandating that the user be root when he starts it, which is to use POSIX capabilities to mark the binary as having certain inalienable rights. For obvious reasons, this marking operation needs temporary root privilege.

For the last few versions of Debian, I've been able to set capabilities using something like this at the "execute after ... command" stage:


/bin/sh -c "(kdesudo  -n setcap CAP_DAC_OVERRIDE,CAP_NET_BIND_SERVICE,CAP_NET_RAW=p+e  Watchxxx-$(TargetCPU)-$(TargetOS)-$(LCLWidgetType))"


Those two capabilities allow writing to root-owned directories and allow creation of low-numbered sockets respectively, without running the program as root or attempting to run it setuid root. It is possible- and considered good practice- to relinquish the elevated capabilities as soon as the relevant operations have been completed during startup.

Because this prompts the user for his password as authentication and requires that he is authorised by being a member of the sudoers group etc., it offers far more precise control than trying to run the IDE or the setcap command as root... which is also what would effectively happen if the polkit mechanism were used.

Unfortunately, in order to use kdesudo with the current (Buster, "Stable") version of Debian, one has to copy it from an older one (Stretch, "Old-stable"). This will no longer be possible with the next one (Bullseye, currently "Testing") since the prerequisite library packages no longer exist. I anticipate that this will affect Ubuntu (as a Debian derivative) and other distreaux.

In principle, it should be possible to replace kdesudo with sudo -A -k, but I'm having enormous difficulty getting this to work: it needs an /etc/sudo.conf file which sudo insists contains syntax errors, and so far I've had no success with alternatives like getting xdg-open to run a .desktop file which in principle at least can specify the user it's to run as.

Does anybody have any suggested workaround? The existing situation using kdesudo is one that works well, and I suspect that this is something which is going to be needed increasingly as more runtime environments required signed binaries etc.

Slightly later: I've got sudo -A -k working, the magic appears to be to use a standard text editor to create/modify /etc/sudo.conf and then to use visudo to make a trivial change to the sudoers list which also forces the internal state to be updated. It still feels a bit fragile.

It appears that sudo also has -S and -u options to allow a password to be piped and specify which user is to be run. I suspect that those would be enough to add a general "Run as..." facility for the final build command for unix-type OSes, I seem to recall that some versions of Windows had a "Run as" program as an optional extra which did much the same as sudo.

MarkMLl



« Last Edit: March 02, 2021, 03:13:10 pm by MarkMLl »
Turbo Pascal v1 on CCP/M-86, multitasking with LAN and graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

ASBzone

  • Hero Member
  • *****
  • Posts: 616
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Executing build commands on Linux with elevated permissions
« Reply #1 on: March 03, 2021, 01:49:01 am »
...I seem to recall that some versions of Windows had a "Run as" program as an optional extra which did much the same as sudo.

MarkMLl

Windows has had a native RUNAS command since Windows 2000, and there have been a few 3rd party versions, too.
-ASB: https://www.BrainWaveCC.com/

Lazarus v2.0.13 r64843 / FPC v3.2.1-r49055 (via FpcUpDeluxe) -- Windows 64-bit install w/Win32 and Linux/Arm cross-compiles
Primary System: Windows 10 Pro x64, Version 2009 (Build 19042)
Other Systems: Windows 10 Pro x64, Version 2009 (Build 19042) or greater

MarkMLl

  • Hero Member
  • *****
  • Posts: 2562
Re: Executing build commands on Linux with elevated permissions
« Reply #2 on: March 04, 2021, 09:13:47 pm »
Windows has had a native RUNAS command since Windows 2000, and there have been a few 3rd party versions, too.

Is there an API that the IDE could feed a password to?

MarkMLl
Turbo Pascal v1 on CCP/M-86, multitasking with LAN and graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

ASBzone

  • Hero Member
  • *****
  • Posts: 616
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Executing build commands on Linux with elevated permissions
« Reply #3 on: March 09, 2021, 04:51:18 am »
Windows has had a native RUNAS command since Windows 2000, and there have been a few 3rd party versions, too.

Is there an API that the IDE could feed a password to?

MarkMLl

I think these are what you seek  (or should lead you to the right destination):  https://docs.microsoft.com/en-us/windows/win32/secauthn/credentials-management
-ASB: https://www.BrainWaveCC.com/

Lazarus v2.0.13 r64843 / FPC v3.2.1-r49055 (via FpcUpDeluxe) -- Windows 64-bit install w/Win32 and Linux/Arm cross-compiles
Primary System: Windows 10 Pro x64, Version 2009 (Build 19042)
Other Systems: Windows 10 Pro x64, Version 2009 (Build 19042) or greater

MarkMLl

  • Hero Member
  • *****
  • Posts: 2562
Re: Executing build commands on Linux with elevated permissions
« Reply #4 on: March 09, 2021, 08:52:13 am »
I think these are what you seek  (or should lead you to the right destination):  https://docs.microsoft.com/en-us/windows/win32/secauthn/credentials-management

I think this is the important bit:

"These functions request Windows account information to be used instead of the credentials established while logging on. Such requests typically occur when the logon credentials do not have permissions that are required by the application."

So it would in principle be possible to have username and possibly password boxes to change the credentials used for a build step.

MarkMLl
Turbo Pascal v1 on CCP/M-86, multitasking with LAN and graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

MarkMLl

  • Hero Member
  • *****
  • Posts: 2562
Re: Executing build commands on Linux with elevated permissions
« Reply #5 on: March 09, 2021, 05:12:17 pm »
Patch containing the UI elements on Mantis as https://bugs.freepascal.org/view.php?id=38608

I can do a unix backend using sudo, but any help from Windows/Mac users would be appreciated.

MarkMLl
Turbo Pascal v1 on CCP/M-86, multitasking with LAN and graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

 

TinyPortal © 2005-2018