I'm trying to execute traceroute -d
being authenticated as a "standard" user with sudo
privileges. However if I run sudo traceroute -d
it will be execute by the root
user so I'm wondering how can I execute it as the standard user.
I've tried several ways to make the user basically a super user (aka root) but without success.
The only thing that worked was to change the uid and group id to 0 on /etc/passwd but that changes the user "identity" to "root". E.g. if I run whoami I get "root" instead the "standard" user name.
The reason why i need this is that I have some networking routing based on the –uid-owner and now I'm trying to debug it but it doesn't make sense to run with sudo b/c it would be execute as "root" user which has other routings.
Best Answer
traceroute
need not run asroot
; it just needs the capabilityCAP_NET_ADMIN
. Thus you can set this as file capability for the file and thentraceroute
will always have this capability (for all users, though), if your kernel supports file capabilities and no Linux Security Module (SELinux, AppArmor) is blocking it:While
traceroute
is running you can see its capabilities withpscap
. This does not affect the UID/EUID of the process.I don't know how to do that but AFAIK it is possible, too, to use AppArmor (and probably SELinux) to run a process with certain capabilities. The main task is, of course, to limit the available capabilities.