如何为Linux用户设置CAP_SYS_NICE功能?
[英]How to set CAP_SYS_NICE capability to a Linux user?
问题描述
My program is using the Linux system call setpriority() to change the priorities of the threads it creates. 
我的程序使用Linux系统调用setpriority()来更改它创建的线程的优先级。 It needs to set negative priorities (-10) but, as mentioned on the documentation, this fails when run as a normal user. 它需要设置负优先级(-10),但是,如文档中所述,当以普通用户身份运行时,这会失败。
The user needs the CAP_SYS_NICE capability to be able to set the priorities as he wants, but I have no idea how to give such capability to the user. 用户需要CAP_SYS_NICE功能才能根据需要设置优先级,但我不知道如何为用户提供此类功能。
So my question: how to set CAP_SYS_NICE capability to a Linux user? 所以我的问题是:如何为Linux用户设置CAP_SYS_NICE功能?
4 个解决方案
解决方案1
10 2016-05-30 15:02:57
There is a nice handy utility for setting capabilities on a binary: setcap . 有一个非常方便的实用程序来设置二进制文件的功能: setcap 。 This needs to be run as root on your application binary, but once set, can be run as a normal user. 这需要在应用程序二进制文件上以root身份运行,但一旦设置,就可以作为普通用户运行。 Example: 例:
$ sudo setcap 'cap_sys_nice=eip' <application>
You can confirm what capabilities are on an application using getcap: 您可以使用getcap确认应用程序的功能:
$ getcap <application>
<application> = cap_sys_nice+eip
I'd suggest integrating the capabilities into your makefile in the install line, which is typically run as root anyhow. 我建议将这些功能集成到安装行中的makefile中,无论如何通常以root身份运行。 Note that capabilities cannot be stored in a TAR file or any derivative package formats. 请注意,功能无法存储在TAR文件或任何衍生包格式中。 If you do package your application later on, you will need a script (postinst for Debian packages) to apply the capability on deploy. 如果您稍后打包应用程序,则需要一个脚本(Debian软件包的postinst)来应用部署功能。
解决方案2
2 已采纳 2011-10-03 15:11:33
Jan Hudec is right that a process can't just give itself a capability, and a setuid wrapper is the obvious way get the capability. Jan Hudec是对的,一个进程不能只给自己一个功能,而setuid包装器是获得该功能的明显方式。 Also, keep in mind that you'll need to prctl(PR_SET_KEEPCAPS, ...) when you drop root. 另外,请记住,当您删除root时,您需要prctl(PR_SET_KEEPCAPS, ...) 。 (See the prctl man page for details.) Otherwise, you'll drop the capability when you transition to your non-root real user id. (有关详细信息,请参见prctl手册页。)否则,当您转换到非root真实用户ID时,您将删除该功能。
If you really just want to launch user sessions with a different allowed nice level, you might see the pam_limits and limits.conf man pages, as the pam_limits module allows you to change the hard nice limit. 如果您真的只想启动具有不同允许级别的用户会话,您可能会看到pam_limits和limits.conf手册页,因为pam_limits模块允许您更改硬件限制。 It could be a line like: 它可能是一条线:
yourspecialusername hard nice -10
解决方案3
1 2015-09-24 09:50:05
Regarding sudo, I added the user like this: 关于sudo,我添加了这样的用户:
niceuser ALL=NOPASSWD:/usr/bin/nice
And then it worked fine: 然后它工作正常:
niceuser@localhost $ nice
0
niceuser@localhost $ sudo nice -n -10 nice
-10
解决方案4
0 2011-10-03 14:11:18
AFAIK It's not possible to get a capability. AFAIK无法获得能力。 Root processes have all capabilities and can give them up, but once given up, they can't be regained. 根进程具有所有功能并可以放弃,但一旦放弃,它们就无法恢复。 So you'll need a suid-root wrapper that will give up all other capabilities and run the process. 因此,您需要一个suid-root包装器,它将放弃所有其他功能并运行该过程。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.