Closed by jirutka 2 years ago
It only needs to be run as root by systemd.
Can you please elaborate a little more on that and answer the setuid question?
Not much to add. It requires root because the daemon adjusts processes of all users, and some of that is setting a higher priority than permitted for a non-root user.
Okay, but why is it installed with the setuid bit? This has serious security implications: it allows any user to run system76-scheduler with root privileges.
I agree with @jirutka, it should not be setuid.
@jirutka how do you have it installed? On my Pop!_OS install it is not setuid
$ ls -lah /usr/bin/system76-scheduler
-rwxr-xr-x 1 root root 5.7M Jun 7 03:43 /usr/bin/system76-scheduler
install -Dm04755 target/{{target}}/{{binary}} {{target_bin}}
@mmstick please make a PR to use 0755 as the mode
Why is /usr/bin/system76-scheduler installed as a setuid binary (chmod 04755)? It runs as a system service under root, doesn’t it? Is it possible to run it as a non-privileged user (without setuid ofc)? Also, what linux capabilities does it actually need?
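An added example, not part of the thread or the project's own code: a packaging check that fails when a staged install tree contains setuid/setgid files outside an allowlist, run against the 04755 and 0755 modes discussed above. The function names, the staging layout and the dummy payload are assumptions for illustration; it expects a Linux `install`, `find` and `stat`.

```shell
#!/bin/sh
# Lint a staged install tree (DESTDIR-style) for setuid/setgid files.

# make_stage MODE: build a throwaway staging tree the way the install line
# in the thread does, with a constructed stand-in for the built binary.
make_stage() {
    stage=$(mktemp -d)
    printf '#!/bin/sh\n' > "$stage/payload"
    install -Dm"$1" "$stage/payload" "$stage/usr/bin/system76-scheduler"
    rm -f "$stage/payload"
    echo "$stage"
}

# audit_stage ROOT [ALLOWED_PATH...]: return 1 if any regular file under ROOT
# has the setuid (4000) or setgid (2000) bit and is not in the allowlist.
# Allowlist entries are paths relative to ROOT, e.g. /usr/bin/foo.
audit_stage() {
    root=$1; shift
    offenders=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) | sort)
    bad=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        rel=${f#"$root"}
        allowed=no
        for a in "$@"; do
            if [ "$a" = "$rel" ]; then allowed=yes; fi
        done
        if [ "$allowed" = no ]; then
            echo "setid file not in allowlist: $rel (mode $(stat -c %a "$f"))" >&2
            bad=1
        fi
    done <<EOF
$offenders
EOF
    return "$bad"
}

# Compare the two modes from the thread.
for mode in 04755 0755; do
    s=$(make_stage "$mode")
    if audit_stage "$s"; then
        echo "mode $mode: ok"
    else
        echo "mode $mode: rejected"
    fi
    rm -rf "$s"
done
```

Run in CI against the real staging directory, a check like this catches a setuid mode in the install recipe before the package ships.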