Argonne National Laboratory

Experimental Physics and
Industrial Control System

1994  1995  1996  1997  1998  1999  2000  2001  2002  <20032004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  Index 1994  1995  1996  1997  1998  1999  2000  2001  2002  <20032004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019 
<== Date ==> <== Thread ==>

Subject: Re: Novice EPICS questions re yet another port
From: Eric Norum <norume@aps.anl.gov>
To: David Kelly <Kelly@CCUR.COM.AU>
Cc: tech-talk@aps.anl.gov
Date: Fri, 05 Dec 2003 10:48:18 -0600
David Kelly wrote:


d) Under RedHawk, if a process desires to run with a real-time priority (i.e. use a real-time scheduling policy of SCHED_RR or SCHED_FIFO, where the real-time priorities range from 99 down to 1 and are all therefore higher than the standard Linux SCHED_OTHER timesharing priority of zero), then the process must be owned by, or run in the context of, the root user. I could do this by logging on as root and MAKEing the code as root. However, I prefer to MAKE the project in the context of my normal user login, which means that I then need to "chown root XXXX" and "chmod a+s XXXX" all the created binary executables so that they run as the root user. I'd like to be able to automate the "chown" and "chmod" as part of the build (MAKE) process, but I haven't yet figured out how to modify the build environment to do this. Can anyone suggest how to do this, or at least where I should be looking ?


People are likely going to run afoul of their computer security folks if they say they want to run EPICS applications setuid-root. I'd like to propose an alternative method of providing the required privileges. Instead of running the entire application setuid-root, just provide a setuid-root wrapper which sets up the required modes, switches back to the original user, then execs the actual application.


For example, here's the wrapper I use to open a range of I/O ports so that an EPICS application can perform inb/outb instructions directly from user space. Your wrapper would just replace the ioperm call with a call to set the required scheduling permissions.

/*
* Open window to Prometheus I/O ports and run
* application as non-privileged user.
*
* Install this executable setuid-root.
*/

/*
* $Id: $
*/

#define PORTBASE    0x280
#define PORTCOUNT   16

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/io.h>

int
main (int argc, char **argv)
{
   if (argc < 2) {
       fprintf(stderr, "Usage: %s executable [args ...]\n", argv[0]);
       return 1;
   }

   /*
    * Open the window
    */
   if (ioperm(PORTBASE, PORTCOUNT, 1) != 0) {
       fprintf(stderr, "Can't open access to Prometheus I/O ports: %s\n", strerror(errno));
       return 2;
   }

   /*
    * Relinquish super-user status
    */
   setuid(getuid());

   /*
    * Execute the application
    */
   argv++;
   execv(argv[0], argv);
   fprintf(stderr, "Can't execute %s: %s\n", argv[0], strerror(errno));
   return 3;
}



--
Eric Norum                                 norume@aps.anl.gov
Advanced Photon Source                     Phone: (630) 252-4793
Argonne National Laboratory


References:
Novice EPICS questions re yet another port David Kelly

Navigate by Date:
Prev: Re: process function of record waveform and CA (caput, caget) Ben-chin K. Cha
Next: scanRecord for 3.14 Marty Kraimer
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  <20032004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019 
Navigate by Thread:
Prev: Novice EPICS questions re yet another port David Kelly
Next: Re: Novice EPICS questions re yet another port Marty Kraimer
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  <20032004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019 
ANJ, 10 Aug 2010 Valid HTML 4.01! · Home · News · About · Base · Modules · Extensions · Distributions · Download ·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing ·