EPICS Re: Novice EPICS questions re yet another port

Experimental Physics and Industrial Control System

1994 1995 1996 1997 1998 1999 2000 2001 2002 <2003> 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024	Index	1994 1995 1996 1997 1998 1999 2000 2001 2002 <2003> 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024
<== Date ==>		<== Thread ==>

Subject:	Re: Novice EPICS questions re yet another port
From:	Eric Norum <[email protected]>
To:	David Kelly <[email protected]>
Cc:	[email protected]
Date:	Fri, 05 Dec 2003 10:48:18 -0600

David Kelly wrote:


d) Under RedHawk, if a process desires to run with a real-time priority
(i.e. use a real-time scheduling policy of SCHED_RR or SCHED_FIFO, where the
real-time priorities range from 99 down to 1 and are all therefore higher
than the standard Linux SCHED_OTHER timesharing priority of zero), then the
process must be owned by, or run in the context of, the root user. I could
do this by logging on as root and MAKEing the code as root. However, I
prefer to MAKE the project in the context of my normal user login, which
means that I then need to "chown root XXXX" and "chmod a+s XXXX" all the
created binary executables so that they run as the root user. I'd like to be
able to automate the "chown" and "chmod" as part of the build (MAKE)
process, but I haven't yet figured out how to modify the build environment
to do this. Can anyone suggest how to do this, or at least where I should be
looking ?

People are likely going to run afoul of their computer security folks if they say they want to run EPICS applications setuid-root. I'd like to propose an alternative method of providing the required privileges. Instead of running the entire application setuid-root, just provide a setuid-root wrapper which sets up the required modes, switches back to the original user, then execs the actual application.

For example, here's the wrapper I use to open a range of I/O ports so that an EPICS application can perform inb/outb instructions directly from user space. Your wrapper would just replace the ioperm call with a call to set the required scheduling permissions.

/*
* Open window to Prometheus I/O ports and run
* application as non-privileged user.
*
* Install this executable setuid-root.
*/

/*
* $Id: $
*/

#define PORTBASE    0x280
#define PORTCOUNT   16

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/io.h>

int
main (int argc, char **argv)
{
   if (argc < 2) {
       fprintf(stderr, "Usage: %s executable [args ...]\n", argv[0]);
       return 1;
   }

   /*
    * Open the window
    */
   if (ioperm(PORTBASE, PORTCOUNT, 1) != 0) {
       fprintf(stderr, "Can't open access to Prometheus I/O ports: %s\n", strerror(errno));
       return 2;
   }

   /*
    * Relinquish super-user status
    */
   setuid(getuid());

   /*
    * Execute the application
    */
   argv++;
   execv(argv[0], argv);
   fprintf(stderr, "Can't execute %s: %s\n", argv[0], strerror(errno));
   return 3;
}

--
Eric Norum                                 [email protected]
Advanced Photon Source                     Phone: (630) 252-4793
Argonne National Laboratory

References:: Novice EPICS questions re yet another port David Kelly

Navigate by Date:: Prev: Re: process function of record waveform and CA (caput, caget) Ben-chin K. Cha; Next: scanRecord for 3.14 Marty Kraimer; Index: 1994 1995 1996 1997 1998 1999 2000 2001 2002 <2003> 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024
Navigate by Thread:: Prev: Novice EPICS questions re yet another port David Kelly; Next: Re: Novice EPICS questions re yet another port Marty Kraimer; Index: 1994 1995 1996 1997 1998 1999 2000 2001 2002 <2003> 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024