How do I grant root access to a user application?
I have a user-level C++ test application running on a Linux mobile device. One of the tests involves enabling/disabling the printer paper sensor, which requires root privileges for writing to a device file. Is there a way to grant my application that kind of privilege? If none, is there a workaround for that?
This will do; as root, execute:
chown -v root:root /path/to/yourapp
chmod -v 4755 /path/to/yourapp
or alternatively
chmod -v u+s /path/to/yourapp
or alternatively
man chmod
This will not work with scripts. And yes, you should take seriously what jdizzle said about dropping unnecessary privileges.
Another way to solve this is to make the user who runs the application a member of the group that owns the device file. For example,
ls -la /dev/devicefile
crw-rw---- 1 root printer 4, 0 may 6 10:56 /dev/devicefile
Members of the printer group can read and write to the device, so you just need to add joe to the printer group (and restart the session).
gpasswd -a joe printer
If you need to adjust the devicefile permissions, you probably will need to edit udev rules to make it permanent. But chmod should work too.
Other options worth investigating: setcap(8) (nice guide here) and sudo(8).
You can set the program setuid root, which means it will always run as root even when run by a user. This typically requires special care to drop privileges inside the program once the necessary actions requiring root access are completed.
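Added example (not part of the original answers): one way a setuid-root C++ program can open the device file while still privileged and then give up root permanently, as the answer above advises. The path /dev/devicefile comes from the earlier answer; the function names and the one-byte '1'/'0' write protocol are assumptions.

```cpp
// Open-then-drop pattern for a setuid-root binary (illustrative names).
#include <cstdio>
#include <fcntl.h>
#include <unistd.h>

// Device path as in the ls output above; compiled in, never taken from user input.
static const char kDevicePath[] = "/dev/devicefile";

// Permanently give up setuid-root privileges. Returns 0 on success, -1 on failure.
int drop_privileges_permanently() {
    const uid_t ruid = getuid();  // the user who started the program
    const gid_t rgid = getgid();
    // Group first: after the uid is dropped the process may no longer change gids.
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    // Set real, effective and saved uid so root cannot be restored later.
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    // Verify rather than trust return codes: regaining root must now fail.
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

// Open the device while still privileged, then drop. Returns an fd, or -1.
int open_device_then_drop(const char *path) {
    const int fd = open(path, O_WRONLY | O_CLOEXEC | O_NOFOLLOW);
    if (drop_privileges_permanently() != 0) {  // drop even if open() failed
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

// Write the sensor state through the already-open descriptor.
// Assumption: the driver accepts a single '1' (enable) or '0' (disable) byte.
int set_sensor(int fd, bool enable) {
    const char value = enable ? '1' : '0';
    return write(fd, &value, 1) == 1 ? 0 : -1;
}

int main(int argc, char **argv) {
    if (argc != 2 || (argv[1][0] != '0' && argv[1][0] != '1')) {
        std::fprintf(stderr, "usage: %s 0|1\n", argv[0]);
        return 2;
    }
    const int fd = open_device_then_drop(kDevicePath);
    if (fd < 0) { std::fprintf(stderr, "cannot open %s\n", kDevicePath); return 1; }
    const int rc = set_sensor(fd, argv[1][0] == '1');
    close(fd);
    return rc == 0 ? 0 : 1;
}
```

Everything after `open_device_then_drop` runs with the invoking user's identity, so the rest of the test application never executes as root.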
You could also have a helper program, itself setuid root - or with appropriate capabilities, or started thru sudo - which communicates with the printer. Your main application would fork & exec that program and communicate with it thru pipes, so it should not be itself running as root.
The helper program would be a simple executable (with appropriate capabilities) which would only be started by your main application (not directly by the user) and communicate with it thru pipes or program arguments, etc.
A lot of graphical administrative programs are done likewise: the graphical part is a program separated from the administrative part, and they communicate appropriately. Only the administrative program (usually existing command line programs like adduser) needs special privilege.
You should definitely try to avoid running your program as "root", as this would not only allow your program to read/write /dev/sensordevice but it would grant access to virtually everything on your system (including the ability to completely brick it).
You should therefore try to add fine-grained access to just the resource you need, using proper groups and making sure that your device-file grants your group write access. See (e.g.) udev on how to write a proper udev rule that grants write access for a certain device to a given group.