Re: setcap and nosuid

[Michael Davidsaver via Tech-talk <tech-talk at aps.anl.gov>]

On 2/2/21 10:49 AM, Siddons, David wrote:
> Well, everything works fine when running as root.

Ah, this is an important data point.  This brings us around to Linux capabilities.
It might be sufficient if you were able to set a file capability of CAP_SYS_RAWIO.

> I am just being encouraged to stop doing that 🙂

Sage advice.  And I should probably stop encouraging you to keep trying with /dev/mem then :)


> Pete.
> 
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *From:* Michael Davidsaver <mdavidsaver at gmail.com>
> *Sent:* Tuesday, February 2, 2021 1:48 PM
> *To:* Siddons, David <siddons at bnl.gov>
> *Cc:* EPICS Tech-Talk <tech-talk at aps.anl.gov>
> *Subject:* Re: setcap and nosuid
>  
> On 2/2/21 10:09 AM, Siddons, David wrote:
>> Hi Michael,
>>    Setting 0666 doesn't help.
> 
> Maybe your kernel doesn't have /dev/mem enabled either?
> 
>> $ grep DEVMEM /boot/config-5.9.0-0.bpo.5-amd64 
>> CONFIG_DEVMEM=y
>> CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
>> CONFIG_STRICT_DEVMEM=y
>> CONFIG_IO_STRICT_DEVMEM=y
> 
> 
> 
>> THanks for the link. I missed that before. It looks like the right way to go. I'll dig into it.
>> 
>> Pete.
>> 
>> 
>> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>> *From:* Michael Davidsaver <mdavidsaver at gmail.com>
>> *Sent:* Tuesday, February 2, 2021 12:13 PM
>> *To:* Siddons, David <siddons at bnl.gov>
>> *Cc:* EPICS Tech-Talk <tech-talk at aps.anl.gov>
>> *Subject:* Re: setcap and nosuid
>>  
>> On 2/2/21 8:57 AM, Siddons, David wrote:
>>> Hi David,
>>> Yes, I saw that. Changing it doesn't seem to help:
>>> 
>>> sudo chmod g+w /dev/mem                                                  
>>> ls -l /dev/mem                                                      
>>> crw-rw---- 1 root kmem 1, 1 Feb  1 21:05 /dev/mem
>>> 
>>> ./regrw R 1   ( a program which maps the FPGA registers to userspace)
>>> Reading Register 1                                                             
>>> Can't open /dev/mem
>> 
>> Have you tried chmod 0666 to make sure this is really a permission problem?
>> The "Can't open" could also print 'errno'.
>> 
>> Also, I feel obligated to repeat myself in recommending against using
>> /dev/mem in any kind of long term solution.  There are safer ways
>> to grant access to specific MMIO ranges.
>> 
>> https://epics.anl.gov/tech-talk/2020/msg02201.php <https://epics.anl.gov/tech-talk/2020/msg02201.php> <https://epics.anl.gov/tech-talk/2020/msg02201.php <https://epics.anl.gov/tech-talk/2020/msg02201.php>>
>