stackoom
  简体   繁体   中英

Linux - What resources require raised privileges C/C++ programming?

 原文  2015-12-02 02:50:31       c++/ linux/ debian/ privileges/ setuid

Question

I am in the process of developing a daemon and user application which will talk to the daemon over a UNIX domain socket to send commands, get status information, etc. The user application will be run by non-root users with the setuid bit set so that it will have an effective uid of root, which will allow it to access resources requiring root privileges. Most files, sockets, devices (ttys, etc.) require root privileges to access them through the file, ioctl system calls. I do not want to run with raised privileges all the time during runtime since it is not secure and frowned upon.

My question, since I have not been able to find anything in books or on the Internet, is there a comprehensive list of system calls, resources that need root privileges to access? I know the resources I am using need raised privileges since I can verify that by debugging with/without the setuid bit set for a given executable, but I am just curious if there is a compiled list somewhere outlining when, when you do not need raised privileges to access resources?

1 answers

solution1
 2 ACCPTED  2015-12-02 08:26:10

An ioctl does not require raised privileges per se . A given device might be restricted to special priviliges, but that doesn't mean your program needs to be run as root :

On traditional linux system, privilege authorization is handled via file-permissions (mostly: group memberships ).

Consider accessing a webcam, which shows up as /dev/video3

$ ls -l /dev/video3 crw-rw----+ 1 root video 81, 0 Dec 2 09:21 /dev/video3

So this device can be read/write by root and any user belonging to the video group.

So it is enough if the user of a program that wants to control /dev/video3 is a member of the video group.

Note: "user" need not be a human user; it can also be a system user who's sole purpose is to run a given daemon.

If this is too coarse (eg you want to grant a given user access to /dev/video3 but not /dev/video0 ; but by default both are writeable by the video group), it is easy enough to setup udev rules that will grant more specific permissions for individual devices.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Programming resources for C++ in Linux c++ programming with linux C++ Game Programming Resources C++ Programming in Linux Platform Socket programming in Linux by C++ What alternatives have sockets programming tcp on c++ linux Basic linux C++ networking: connection refused, however no error raised UDP Socket programming in C++ in linux Where to store resources for C++ program on linux Resources for developing a C++ MySQL application for Linux
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM