Experimental Physics and
| |||||||||||||||||
|
People are likely going to run afoul of their computer security folks if they say they want to run EPICS applications setuid-root. I'd like to propose an alternative method of providing the required privileges. Instead of running the entire application setuid-root, just provide a setuid-root wrapper which sets up the required modes, switches back to the original user, then execs the actual application. For example, here's the wrapper I use to open a range of I/O ports so that an EPICS application can perform inb/outb instructions directly from user space. Your wrapper would just replace the ioperm call with a call to set the required scheduling permissions. /* * Open window to Prometheus I/O ports and run * application as non-privileged user. * * Install this executable setuid-root. */ /* * $Id: $ */ #define PORTBASE 0x280 #define PORTCOUNT 16 #include <stdio.h> #include <string.h> #include <errno.h> #include <unistd.h> #include <sys/io.h> int main (int argc, char **argv) { if (argc < 2) { fprintf(stderr, "Usage: %s executable [args ...]\n", argv[0]); return 1; } /* * Open the window */ if (ioperm(PORTBASE, PORTCOUNT, 1) != 0) { fprintf(stderr, "Can't open access to Prometheus I/O ports: %s\n", strerror(errno)); return 2; } /* * Relinquish super-user status */ setuid(getuid()); /* * Execute the application */ argv++; execv(argv[0], argv); fprintf(stderr, "Can't execute %s: %s\n", argv[0], strerror(errno)); return 3; } -- Eric Norum [email protected] Advanced Photon Source Phone: (630) 252-4793 Argonne National Laboratory
| ||||||||||||||||
ANJ, 10 Aug 2010 |
·
Home
·
News
·
About
·
Base
·
Modules
·
Extensions
·
Distributions
·
Download
·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing · |