Comments
@localpost I have to create a test disk image, put file systems and the like on it, and mount it after attaching it to a loop device and assigning UUIDs.
All these utilities require root.
@netikras :P Couldn't someone then modify the script and put whatever they wanted in it? :P
@AvatarOfKaine No idea what the script is.
You can protect it from modification if it is on a ro filesystem.
Copying its contents and recreating it elsewhere is another problem. I think SELinux can deal with that.
Auditd can monitor executions, but I don't recall it being able to assert their authorization.
@AvatarOfKaine I hate to bring it up, but... perhaps setfacl has something to offer? Never liked it enough to learn it more than RHCSA required.
@AvatarOfKaine You can always do a workaround:
- write a script
- chown root.root
- chmod 0500
- write a dead simple native app that exec's that script and does nothing else
- chown root.root
- chmod 4500 (because SUID doesn't work for scripts, as far as I recall)
- setfacl -m u:myapp_user:rx

and then in your application call that simplified native app instead of calling your script. The proxy app will get bumped to root due to SUID and as a result, the script will get executed as root too.
@AvatarOfKaine And it won't. It'll only get root privs for that proxy executable and whatever it runs - nothing more, nothing less. And that's in your control, as long as you chown-root and chmod-4500 it (i.e. protect it from being modified and run by anyone else).
@netikras I found a way around it anyway. I just created a shell script that can be read, isn't very long and is run as root to generate a test case.
If you don't want to give root to a process, how do you write a test that requires root? :P It's a paradox.