(This question 具有相同的标题,但问题正文是从脚本的角度提出的,例如 su -c,不要将其误认为是)
我有一个 Qt GUI 应用程序,需要根据用户输入在/etc 中执行一些文件操作。一种选择可能是将 system() 与 sudo 一起使用,但即便如此,在某些时候也需要弄乱 sudoers 文件。我也不想做 system() 加上脚本 hack 来修改文件,而是正确的文件操作。
以编程方式提升我的应用程序权限以执行此操作的最佳方法是什么?
编辑:作为奖励,如果它也能在 Maemo/Meego/其他手持设备上工作就太好了(afaik PolicyKit 在那里不可用..)
最佳答案
我会完全编写一个单独的程序。类似这 philosophy 的内容.基本上 - 编写一个简单的程序来完全满足您的需要,并通过文件系统上的文件权限控制其行为。主要是,
Do as little as possible in setuid programs.
A setuid program must operate in a very dangerous environment: a user is under complete control of its fds, args, environ, cwd, tty, rlimits, timers, signals, and more. Even worse, the list of controlled items varies from one vendor's UNIX to the next, so it is very difficult to write portable code that cleans up everything.
Of the twenty most recent sendmail security holes, eleven worked only because the entire sendmail system is setuid.
Only one qmail program is setuid: qmail-queue. Its only purpose is to add a new mail message to the outgoing queue.
还有,
Do as little as possible as root.
The entire sendmail system runs as root, so there's no way that its mistakes can be caught by the operating system's built-in protections. In contrast, only two qmail programs, qmail-start and qmail-lspawn, run as root.
关于linux - 在 Linux 中以编程方式请求提升权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/3726460/