
On Thu, Feb 20, 2020 at 04:11:47PM -0500, Chris Tyler via talk wrote:
Stewart, I'm having troubles understanding the author's reply to the SGID suggestion. What I was proposing was to set things up with a command like this (executed just once):
# chown first: on Linux, chown clears the setgid bit on an executable, even when run as root
BINARY=/path/to/binary ; sudo chown root:disk "$BINARY" ; sudo chmod 02711 "$BINARY"
...Which would mean that the user would have their effective group ID changed to 'disk' only while the binary was running. This means that, during program execution, it would have the same level of access as if the user belonged to the 'disk' group; however, this would drop back to their previous group membership when the binary exited. As a bonus, you don't have to change the system group memberships. (The program in question should, of course, guard against writing to the wrong device while it's running, and prevent shell-outs).
It also means any user running the program has that access, not just users in group disk. That may be considered better or worse. I suppose the program could check that the user belongs to some other group meant for this program, but then it gets even more complicated.

-- Len Sorensen
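
The group check suggested in the reply above, sketched in C as an added example (not code from the thread or from the program being discussed). The gate group name "diskimg" and both function names are hypothetical; the check reads the real gid and supplementary groups, because the setgid bit only changes the effective gid.

```c
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check: is `want` the real gid or one of the supplementary gids? */
int gid_allowed(gid_t want, gid_t real, const gid_t *supp, int n)
{
    if (want == real)
        return 1;
    for (int i = 0; i < n; i++)
        if (supp[i] == want)
            return 1;
    return 0;
}

/* 1 if the invoking user holds `want`, 0 if not, -1 on error.
 * Looks at the real gid and the supplementary list; the effective gid
 * (disk, acquired through the setgid bit) is deliberately not consulted. */
int caller_has_gid(gid_t want)
{
    int n = getgroups(0, NULL);          /* ask for the list size first */
    if (n < 0)
        return -1;
    gid_t *supp = calloc((size_t)n + 1, sizeof *supp);
    if (!supp)
        return -1;
    n = getgroups(n, supp);
    int ok = (n < 0) ? -1 : gid_allowed(want, getgid(), supp, n);
    free(supp);
    return ok;
}

int main(void)
{
    /* "diskimg" is a hypothetical group name for permitted users. */
    struct group *gr = getgrnam("diskimg");
    if (!gr || caller_has_gid(gr->gr_gid) != 1) {
        /* Not authorised: give up the setgid-acquired group and stop. */
        if (setgid(getgid()) != 0)
            perror("setgid");
        fprintf(stderr, "not permitted: caller is not in group diskimg\n");
        return 1;
    }
    puts("authorised; effective gid retained for device access");
    return 0;
}
```

The check has to run before the program opens any device, and it fails closed when the gate group does not exist.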