Search code examples
clinuxsqliteelevated-privileges

Raise privileges to open a sqlite3 root database on Linux - C programming


I'm creating a Linux software that will have two types of databases:

  1. Public: stores information that anyone on my_program_group has access (without root privileges);
  2. Private: only users with sudo access can open (common users on my_program_group can't). It also means that the database file is owned by root.

The first kind of the database is working fine.

The problem is: my program doesn't need to be run with sudo; so, if at some point a common user needs to open a private database, he will need to access root privileges (raise privileges). I don't want to ask restarting the execution with sudo, instead, just request for password.

#include <sqlite3.h>
#include <stdio.h>

// Private database path
#define PATH = "/tmp/test/database.db"

void private_db(sqlite3 **db);

int main() {
    sqlite3 *db;
    
    // When the user needs to open the private database, this function will be called:
    private_db(&db);
    
    // Continue...

    return 0;
}

void private_db(sqlite3 **db){
    int rc;

    // NEED TO RUN THIS AS ROOT:
    rc = sqlite3_open(PATH, db);
    if(rc  != SQLITE_OK) {
        fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg( &(**db) ));
        exit (1);
    } else {
        printf("Database successfully openend\n");
    }
}

(As expected) If I run the code above, sqlite won't be able to open the database because of the system permissions.


Solution

  • I revised a new code for you. Hoping it is helpful.

    Create a new file named db_helper.c and add the following code:

    #include <unistd.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    
    #define PATH "/tmp/test/database.db"
    
    int main() {
        int fd = open(PATH, O_RDWR);
        if (fd < 0) {
            perror("Can't open database");
            return 1;
        }
        printf("Database successfully opened\n");
        printf("Database file descriptor: %d\n", fd);
    
        // Pass the opened file descriptor to the parent process
        // Here, we use file descriptor number 3 for passing to the parent
        dup2(fd, 3);
        close(fd);
    
        return 0;
    }
    

    Compile the db_helper.c file, change the owner to root, and set the setuid bit:

    gcc -o db_helper db_helper.c
    sudo chown root:root db_helper
    sudo chmod 4750 db_helper
    

    Update your main program to use the helper program for opening the private

    database:
    #include <sqlite3.h>
    #include <stdio.h>
    #include <unistd.h>
    
    // Private database path
    #define PATH "/tmp/test/database.db"
    #define HELPER_PROGRAM "./db_helper"
    
    void private_db(sqlite3 **db);
    
    int main() {
        sqlite3 *db;
    
        // When the user needs to open the private database, this function will be called:
        private_db(&db);
    
        // Continue...
    
        return 0;
    }
    
    void private_db(sqlite3 **db){
        int rc;
        int fd;
    
        pid_t pid = fork();
        if (pid == 0) {
            // Child process
            execl(HELPER_PROGRAM, HELPER_PROGRAM, NULL);
            perror("execl");
            exit(1);
        } else if (pid > 0) {
            // Parent process
            wait(NULL);
        } else {
            perror("fork");
            exit(1);
        }
    
        // Read the file descriptor from the helper program (number 3)
        fd = 3;
    
        // Open the SQLite database using the received file descriptor
        rc = sqlite3_open_v2("db_alias", db, SQLITE_OPEN_READWRITE, NULL);
        if (rc != SQLITE_OK) {
            fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(*db));
            exit(1);
        } else {
            printf("Database successfully opened\n");
        }
    }
    

    And compile it:

    gcc -o main main.c -lsqlite3
    ./main