Experimental Physics and Industrial Control System
David Kelly wrote:
d) Under RedHawk, if a process desires to run with a real-time priority
(i.e. use a real-time scheduling policy of SCHED_RR or SCHED_FIFO, where the
real-time priorities range from 99 down to 1 and are all therefore higher
than the standard Linux SCHED_OTHER timesharing priority of zero), then the
process must be owned by, or run in the context of, the root user. I could
do this by logging on as root and MAKEing the code as root. However, I
prefer to MAKE the project in the context of my normal user login, which
means that I then need to "chown root XXXX" and "chmod a+s XXXX" all the
created binary executables so that they run as the root user. I'd like to be
able to automate the "chown" and "chmod" as part of the build (MAKE)
process, but I haven't yet figured out how to modify the build environment
to do this. Can anyone suggest how to do this, or at least where I should be
looking?
People are likely going to run afoul of their computer security folks if they say they want to run EPICS applications setuid-root. I'd like to propose an alternative method of providing the required privileges. Instead of running the entire application setuid-root, just provide a setuid-root wrapper which sets up the required modes, switches back to the original user, then execs the actual application.
For example, here's the wrapper I use to open a range of I/O ports so that an EPICS application can perform inb/outb instructions directly from user space. Your wrapper would just replace the ioperm call with a call to set the required scheduling permissions.
/*
 * Open window to Prometheus I/O ports and run
 * application as non-privileged user.
 *
 * Install this executable setuid-root.
 */
/*
 * $Id: $
 */
#define PORTBASE 0x280
#define PORTCOUNT 16

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/io.h>

int
main (int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s executable [args ...]\n", argv[0]);
        return 1;
    }
    /*
     * Open the window (ioperm permissions are preserved across execve)
     */
    if (ioperm(PORTBASE, PORTCOUNT, 1) != 0) {
        fprintf(stderr, "Can't open access to Prometheus I/O ports: %s\n", strerror(errno));
        return 2;
    }
    /*
     * Relinquish super-user status. The return value must be checked:
     * an unnoticed setuid failure would exec the application as root.
     */
    if (setuid(getuid()) != 0) {
        fprintf(stderr, "Can't drop privileges: %s\n", strerror(errno));
        return 4;
    }
    /*
     * Execute the application
     */
    argv++;
    execv(argv[0], argv);
    fprintf(stderr, "Can't execute %s: %s\n", argv[0], strerror(errno));
    return 3;
}
--
Eric Norum [email protected]
Advanced Photon Source Phone: (630) 252-4793
Argonne National Laboratory
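The same wrapper pattern applied to the scheduling question that started the thread, as an added example that is not from the original post: it assumes a Linux host, where a SCHED_FIFO policy set by the wrapper is inherited across execve, and the helper names set_realtime_priority and drop_privileges are my own. It differs from the ioperm wrapper in checking every privilege-drop step and verifying that root cannot be regained before the exec.

```c
#define _POSIX_C_SOURCE 200809L   /* added example, not from the original post; Linux assumed */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Request SCHED_FIFO at 'prio'; Linux keeps policy and priority across execve.
 * Returns 0, or -1 with errno set (EINVAL out of range, EPERM when not root). */
int set_realtime_priority(int prio)
{
    if (prio < sched_get_priority_min(SCHED_FIFO) ||
        prio > sched_get_priority_max(SCHED_FIFO)) {
        errno = EINVAL;
        return -1;
    }
    struct sched_param sp = { .sched_priority = prio };
    return sched_setscheduler(0, SCHED_FIFO, &sp);
}

/* Drop back to the invoking user: group first (needs root), then user, each
 * checked; an invoker who was not root must no longer be able to become root. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    if (getuid() != 0 && setuid(0) == 0)
        return -1;                 /* root still reachable: refuse to continue */
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "Usage: %s rt-priority executable [args ...]\n", argv[0]);
        return 1;
    }
    if (set_realtime_priority(atoi(argv[1])) != 0) {
        fprintf(stderr, "Can't set SCHED_FIFO priority %s: %s\n", argv[1], strerror(errno));
        return 2;
    }
    if (drop_privileges() != 0) {
        fprintf(stderr, "Can't drop privileges: %s\n", strerror(errno));
        return 4;
    }
    execv(argv[2], argv + 2);
    fprintf(stderr, "Can't execute %s: %s\n", argv[2], strerror(errno));  /* exec failed */
    return 3;
}
```

Installed setuid-root like the original, the wrapper is the only binary that needs the elevated file mode; the EPICS application it execs runs with the invoking user's credentials and the inherited real-time policy.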
- References:
- Novice EPICS questions re yet another port David Kelly