How do I sudo the current process?

Question

Is it possible to use a sudo frontend (like gksudo) to elevate the privileges of the current process? I know I can do the following:

sudo cat /etc/passwd-

But I'm interested in doing this:

sudo-become-root # magic function/command
cat /etc/passwd-

I'm writing in Python. My usecase is that I have a program that runs as the user, but may encounter files to read/write that are root-owned. I'd like to prompt for password, gain root privileges, do what I need, and then optionally drop privileges again.

I know I could separate admin logic and non-admin logic into separate processes, and then just run the admin process as root (with some communication -- policykit/dbus would be a good fit here). But I was hoping for a much simpler (though admittedly more risky) solution.

I'm thinking something like running Solaris's ppriv through sudo to then modify the current process's privileges. Which seems like a hacky-but-workable roundtrip. But as far as I know, linux doesn't offer ppriv.

(I'm surprised this isn't obvious already; it seems like a not-uncommon thing to want and doesn't seem to be a security hole to allow escalation in-process over escalation of a new process.)

Answer 1

Aptitude has a "become root" option. You may wish to see what the author did there.

Answer 2

Unfortunately, I'm not aware of a way to do what you want to do cleanly. I think your best bet is to make the program setuid (or run it under sudo) and then either do your dirty work and drop permissions, or fork() and drop permissions from one process and keep the other one around to do your root work.

What you're looking for are the setuid(2) / setreuid(2) / setregid(2) / setgroups(2) calls, but they are all hard wired to not allow you to gain privileges mid-invocation. You can only use them to "give away" privileges, as far as I know.

Answer 3

If you want to deal cleanly with administrative rights inside a program, you might want to use PolicyKit rather than sudo, depending on the OS you plan to run your program on.

For PolicyKit for Python, see python-slip.

Otherwise, there are two ways to call sudo to become root:

sudo -s

will make you root and keep your current environment (equivalent to sudo su)

sudo -i

will make you root and give you root's environment, too (equivalent to sudo su -)

Another way of dealing with the problem is to consider that you have the rights you need, and let the user of the program choose how to give the rights to your program (using sudo/setuid/unix groups/whatever else).

See also this question on ServerFault on the same subject.