Setting date/time without being root user?

I need to programmatically set the system date and time on a Linux (RedHat) system without being logged in as the root user. How can I do this, without compromising the security of the system?

I've heard of sudo but that seems a little unsafe to me!

Basically it's a small SIL2 network with a radio clock attached via a serial port; I need to read the time of it, update my local logs, set the system time, then broadcast it around the other systems for them to do likewise. All of this is fine - except setting the system time when not a root user!

Cheers
LVL 8
gmayoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

FrivolousSamCommented:
This is what the setuid flag is for.  For background, look at http://en.wikipedia.org/wiki/Setuid

You can either log in as root and execute:
chmod ug+s `which date`

Or write a script and chmod your script as root to add the suid bit -- just watch out for injection attacks by your users.
0
TintinCommented:
There's nothing wrong or unsafe with sudo providing you define the commands that need to be run correctly.

Why not just setup NTP?
0
gmayoAuthor Commented:
The whole network, albeit small, is mostly "black box" machines running in locked equipment rooms. The few users will be on Windows machines, connected via a secure network protocol. All the systems need to perform logging and for that a reliable time source is required - and the fact that the time has changed needs to be logged. Also, as I said before, it's a SIL2 system. All this is why an NTP server cannot be used.

Setuid looks good. One of my programmers says it's potentially unsafe though - but it might be a case of "you said black, so I'll say white" - his only suggested alternative was to use "chroot jail" which, from first glance, seems to be a wide open invitation to abuse.

So, any issues with setuid I ought to be aware of?

Thanks
0
Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

Duncan RoeSoftware DeveloperCommented:
setuid programs should do as little as possible other than the specific task they are written for. For instance, they can fill a filesystem completely full (regular users are subject to a margin). Otherwise, they're fine.
0
TintinCommented:
Writing a good/safe setuid program is a lot harder than defining a sensible sudo rule.
0
FrivolousSamCommented:
I don't see how setting date as setuid is less safe than allowing any user to run date through sudo -- if there is a security flaw in the date program, you are exposed either way.

As far as I can see, there is only one benefit to allowing sudo for this case - you can restrict which users are allowed to set the date.  If you setuid date then any user can exploit a security flaw, but the choice is yours...  Info on editing sudoers using visudo is here: http://www.gratisoft.us/sudo/man/visudo.html
0
TintinCommented:
Point being is that the code for date (or any other common command) has been around for a very, very long time, so the chance of any exploits in the code are very low compared to writing a setuid program from scratch.

Admittedly, as setting the date is such a simple operation, there's not really that much you can do wrong writing your own program, but it's still possible to write exploitable simple setuid programs.

0
gmayoAuthor Commented:
Ok, bear in mind this is a small, closed system with controlled access in locked rooms. All we want to do is call the date command to set the system date and time. If there is a way to do it programmatically instead of calling a system command, then so much the better - especially if it avoids all this aggro.
0
FrivolousSamCommented:
All you need to do is log in as root, setuid ug+s date and log out.  Then you can call date from any script and you will be able to set the date.

That is the way to solve your problem.  Where is the aggro?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gmayoAuthor Commented:
Ok, I'll take your word for it. There appear to be two conflicting arguments and I wanted to know the pros and cons of each approach.

Thanks anyway.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux OS Dev

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.