[英]How to set CAP_SYS_NICE capability to a Linux user?
My program is using the Linux system call setpriority()
to change the priorities of the threads it creates. 我的程序使用Linux系统调用setpriority()
来更改它创建的线程的优先级。 It needs to set negative priorities (-10) but, as mentioned on the documentation, this fails when run as a normal user. 它需要设置负优先级(-10),但是,如文档中所述,当以普通用户身份运行时,这会失败。
The user needs the CAP_SYS_NICE
capability to be able to set the priorities as he wants, but I have no idea how to give such capability to the user. 用户需要CAP_SYS_NICE
功能才能根据需要设置优先级,但我不知道如何为用户提供此类功能。
So my question: how to set CAP_SYS_NICE
capability to a Linux user? 所以我的问题是:如何为Linux用户设置CAP_SYS_NICE
功能?
There is a nice handy utility for setting capabilities on a binary: setcap . 有一个非常方便的实用程序来设置二进制文件的功能: setcap 。 This needs to be run as root on your application binary, but once set, can be run as a normal user. 这需要在应用程序二进制文件上以root身份运行,但一旦设置,就可以作为普通用户运行。 Example: 例:
$ sudo setcap 'cap_sys_nice=eip' <application>
You can confirm what capabilities are on an application using getcap: 您可以使用getcap确认应用程序的功能:
$ getcap <application>
<application> = cap_sys_nice+eip
I'd suggest integrating the capabilities into your makefile in the install line, which is typically run as root anyhow. 我建议将这些功能集成到安装行中的makefile中,无论如何通常以root身份运行。 Note that capabilities cannot be stored in a TAR file or any derivative package formats. 请注意,功能无法存储在TAR文件或任何衍生包格式中。 If you do package your application later on, you will need a script (postinst for Debian packages) to apply the capability on deploy. 如果您稍后打包应用程序,则需要一个脚本(Debian软件包的postinst)来应用部署功能。
Jan Hudec is right that a process can't just give itself a capability, and a setuid wrapper is the obvious way get the capability. Jan Hudec是对的,一个进程不能只给自己一个功能,而setuid包装器是获得该功能的明显方式。 Also, keep in mind that you'll need to prctl(PR_SET_KEEPCAPS, ...)
when you drop root. 另外,请记住,当您删除root时,您需要prctl(PR_SET_KEEPCAPS, ...)
。 (See the prctl
man page for details.) Otherwise, you'll drop the capability when you transition to your non-root real user id. (有关详细信息,请参见prctl
手册页。)否则,当您转换到非root真实用户ID时,您将删除该功能。
If you really just want to launch user sessions with a different allowed nice level, you might see the pam_limits
and limits.conf
man pages, as the pam_limits
module allows you to change the hard nice limit. 如果您真的只想启动具有不同允许级别的用户会话,您可能会看到pam_limits
和limits.conf
手册页,因为pam_limits
模块允许您更改硬件限制。 It could be a line like: 它可能是一条线:
yourspecialusername hard nice -10
Regarding sudo, I added the user like this: 关于sudo,我添加了这样的用户:
niceuser ALL=NOPASSWD:/usr/bin/nice
And then it worked fine: 然后它工作正常:
niceuser@localhost $ nice
0
niceuser@localhost $ sudo nice -n -10 nice
-10
AFAIK It's not possible to get a capability. AFAIK无法获得能力。 Root processes have all capabilities and can give them up, but once given up, they can't be regained. 根进程具有所有功能并可以放弃,但一旦放弃,它们就无法恢复。 So you'll need a suid-root wrapper that will give up all other capabilities and run the process. 因此,您需要一个suid-root包装器,它将放弃所有其他功能并运行该过程。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.