Is it possible to grant a specific privilege to a user without sudo?

I’m not going to add sudo in my Buildroot environment for RPi 3 B+ since I just need apache2 to update my system time with date -s TIME.

Is there a way to grant this permission without installing and configuring sudo?

Asked By: Mark

||

I can think of two ways of doing this.

For both you’ll need to write and compile a program that does the work you want (e.g. calling stime(2)). You can’t just call date directly.

And you’ll need a group that only the user that runs apache2 (www-data ?) is in. In both cases we limit the ability to execute the program to the specified group, so no one else can run it.

Option 1: Make it setuid root

chown root:thegroup yourprogram
chmod 4710 yourprogram

Now only people in the group can execute the program and it runs with effective root.

Option 2: Use capabilities

chown root:thegroup yourprogram
chmod 710 yourprogram
setcap cap_sys_time=pe yourprogram

This grants your program the rights to call settimeofday(2), stime(2) and adjtimex(2) without needing root permissions.

But the sudo solution is the simplest…

Answered By: Stephen Harris
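
A sketch of the helper program both options rely on, as an added example that is not part of the original answer. It uses clock_settime(2), which is gated by the same CAP_SYS_TIME capability, instead of stime(2); the function names and the accepted time window are assumptions made for illustration. The program takes a single epoch-seconds argument and rejects anything else, so the privileged binary never passes caller-controlled text to a shell or to date.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Assumed sanity window: 2020-01-01 to 2100-01-01 UTC (illustrative values). */
#define MIN_EPOCH 1577836800LL
#define MAX_EPOCH 4102444800LL

/* Strictly parse decimal epoch seconds; return 0 on success, -1 on any error. */
int parse_epoch(const char *s, time_t *out)
{
    char *end;
    long long v;
    if (s == NULL || *s < '0' || *s > '9')   /* empty, sign or leading space */
        return -1;
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno != 0 || *end != '\0')          /* overflow or trailing junk */
        return -1;
    if (v < MIN_EPOCH || v > MAX_EPOCH)
        return -1;
    if ((long long)(time_t)v != v)           /* would not fit a 32-bit time_t */
        return -1;
    *out = (time_t)v;
    return 0;
}

/* Needs effective root (option 1) or CAP_SYS_TIME (option 2). */
int set_clock(time_t t)
{
    struct timespec ts = { .tv_sec = t, .tv_nsec = 0 };
    return clock_settime(CLOCK_REALTIME, &ts);
}

int main(int argc, char **argv)
{
    time_t t;
    if (argc != 2 || parse_epoch(argv[1], &t) != 0) {
        fprintf(stderr, "usage: %s EPOCH_SECONDS\n", argc > 0 ? argv[0] : "settime");
        return 2;
    }
    if (set_clock(t) != 0) {
        perror("clock_settime");
        return 1;
    }
    return 0;
}
```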