
Linux - What resources require raised privileges C/C++ programming?

I am in the process of developing a daemon and user application which will talk to the daemon over a UNIX domain socket to send commands, get status information, etc. The user application will be run by non-root users with the setuid bit set so that it will have an effective uid of root, which will allow it to access resources requiring root privileges. Most files, sockets, devices (ttys, etc.) require root privileges to access them through the file and ioctl system calls. I do not want to run with raised privileges all the time during runtime since it is not secure and frowned upon.

My question, since I have not been able to find anything in books or on the Internet, is: is there a comprehensive list of system calls and resources that need root privileges to access? I know the resources I am using need raised privileges since I can verify that by debugging with/without the setuid bit set for a given executable, but I am just curious if there is a compiled list somewhere outlining when you do not need raised privileges to access resources?

An ioctl does not require raised privileges per se. A given device might be restricted to special privileges, but that doesn't mean your program needs to be run as root:

On a traditional Linux system, privilege authorization is handled via file permissions (mostly: group memberships).

Consider accessing a webcam, which shows up as /dev/video3.

    $ ls -l /dev/video3
    crw-rw----+ 1 root video 81, 0 Dec 2 09:21 /dev/video3

So this device can be read/written by root and any user belonging to the video group.

So it is enough if the user of a program that wants to control /dev/video3 is a member of the video group.

Note: "user" need not be a human user; it can also be a system user whose sole purpose is to run a given daemon.

If this is too coarse (e.g. you want to grant a given user access to /dev/video3 but not /dev/video0; but by default both are writable by the video group), it is easy enough to set up udev rules that will grant more specific permissions for individual devices.
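An added example, written for this page and not code from the question or the answer, of the pattern the question describes: a setuid-root helper that runs unprivileged by default, uses access(2), which checks the real uid and gid, to find out whether the invoking user could open the device on their own (for example through membership in the video group as described above), and raises its effective uid only around the open() call when that is not the case. It assumes a Linux host; /dev/video3 is the device path from the answer.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if the invoking (real) user lacks permission for path, 0 if the
 * user's own permissions suffice, -1 for any other error (e.g. ENOENT).
 * access(2) checks with the REAL uid/gid, so inside a setuid binary it
 * answers: "could the user who ran me do this without root?" */
int needs_raised_privilege(const char *path, int mode)
{
    if (access(path, mode) == 0)
        return 0;
    return (errno == EACCES || errno == EPERM) ? 1 : -1;
}

/* Call at program start: run with the real user's privileges. Root stays in
 * the saved set-user-ID so it can be re-acquired briefly. No-op if not setuid. */
int drop_privileges_temporarily(void)
{
    return seteuid(getuid());
}

/* Open a device, raising the effective uid only around the open() call, and
 * only if the real user could not open it alone (e.g. via the video group). */
int open_device(const char *path, int flags)
{
    int acc = flags & O_ACCMODE;
    int mode = acc == O_RDONLY ? R_OK : acc == O_WRONLY ? W_OK : R_OK | W_OK;
    if (needs_raised_privilege(path, mode) != 1)
        return open(path, flags);   /* accessible, or let open() report the real error */
    if (seteuid(0) != 0)
        return -1;                  /* not a setuid-root binary: nothing more to try */
    int fd = open(path, flags);
    int saved_errno = errno;
    if (seteuid(getuid()) != 0)     /* failing to drop again would leave us root: bail out */
        _exit(1);
    errno = saved_errno;
    return fd;
}

int main(void)
{
    drop_privileges_temporarily();
    int fd = open_device("/dev/video3", O_RDWR);   /* device path from the answer above */
    if (fd < 0) { perror("open /dev/video3"); return 1; }
    printf("opened fd %d while running with euid %d\n", fd, (int)geteuid());
    close(fd);
    return 0;
}
```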
