特定のボードを接続したときに表示されるデバイスファイルがあります/dev
。読み書きはうまくいきますが、デバイスファイルを開くにはroot権限でプログラムを実行する必要があります。ルート以外のすべてのユーザーがsudoを使用せずにこの特定のデバイスファイルを開くことを許可する方法はありますか?
答え1
はい、udevルールを作成できます。
/etc/udev/rules.d
ファイルを生成するとき30-mydevice.rules
(数字は0から99の間でなければならず、スクリプトが実行される順序のみを決定します。名前は重要ではなく、説明のみが必要ですが.rules
拡張子が必要です)
この例では、お使いのデバイスがUSBベースであり、対応するベンダーと製品ID(検査可能lsusb -v
)を知っており、mydevice
デバイスを使用するためにユーザーが属する必要があるグループを使用していると想定しています。この場合、ファイルの内容は次のようになります。
SUBSYSTEM=="usb", SYSFS{idVendor}=="0123", SYSFS{idProduct}=="4567", ACTION=="add", GROUP="mydevice", MODE="0664"
MODE
0664と同じ場合、所有者(rootable)と定義されたグループはデバイスに書き込むことができます。
答え2
1つの方法は、ユーザーを適切な「デバイスグループ」に追加することです。 Linuxには、さまざまなデバイス(ディスク、フロッピー、tty、ビデオ、CDROMなど)の一連のグループがあるため、ユーザーを追加できます/etc/group
。
別のアプローチは、「偽のユーザー」(例えば、ゲームユーザー)を作成することである。このユーザーをそのユーザーが保持する必要があるデバイスグループに追加します。最後に、特定のプログラム(画像をスキャンするプログラムなど)の所有者をそのユーザーに変更して設定すると、chmod u+s
プログラムは(実際のユーザーではなく)偽のユーザーとして実行され、デバイスへのアクセスが許可されます。プログラムグループを使用して、プログラムを実行できるユーザーを制限できます。
最後に、特定のデバイスが必要なプログラムグループをdevice-groupに設定して設定できますchmod g+s
。これにより、プログラムはグループの権限(そのプログラムを実行している一般ユーザーの権限に加えて)として実行され、デバイスへの拡張アクセスを許可します。
答え3
はい、可能です。しかし、まずrootアクセス権が必要です。 Linux 2.2以降、root権限を分割する機能があります。リストから次のものを使用できます。
setcap cap_net_raw,cap_net_admin=eip xxxx
xxxxは実行可能プログラムなので、libpcapを直接呼び出すことができます。
機能リスト次のリストは、Linuxで実装されている機能と、各機能が許可する操作または動作を示しています。
CAP_AUDIT_CONTROL (since Linux 2.6.11)
Enable and disable kernel auditing; change auditing filter
rules; retrieve auditing status and filtering rules.
CAP_AUDIT_READ (since Linux 3.16)
Allow reading the audit log via a multicast netlink socket.
CAP_AUDIT_WRITE (since Linux 2.6.11)
Write records to kernel auditing log.
CAP_BLOCK_SUSPEND (since Linux 3.5)
Employ features that can block system suspend (epoll(7)
EPOLLWAKEUP, /proc/sys/wake_lock).
CAP_CHOWN
Make arbitrary changes to file UIDs and GIDs (see chown(2)).
CAP_DAC_OVERRIDE
Bypass file read, write, and execute permission checks. (DAC
is an abbreviation of "discretionary access control".)
CAP_DAC_READ_SEARCH
* Bypass file read permission checks and directory read and
execute permission checks;
* invoke open_by_handle_at(2);
* use the linkat(2) AT_EMPTY_PATH flag to create a link to a
file referred to by a file descriptor.
CAP_FOWNER
* Bypass permission checks on operations that normally require
the filesystem UID of the process to match the UID of the
file (e.g., chmod(2), utime(2)), excluding those operations
covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;
* set inode flags (see ioctl_iflags(2)) on arbitrary files;
* set Access Control Lists (ACLs) on arbitrary files;
* ignore directory sticky bit on file deletion;
* specify O_NOATIME for arbitrary files in open(2) and
fcntl(2).
CAP_FSETID
* Don't clear set-user-ID and set-group-ID mode bits when a
file is modified;
* set the set-group-ID bit for a file whose GID does not match
the filesystem or any of the supplementary GIDs of the
calling process.
CAP_IPC_LOCK
Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
CAP_IPC_OWNER
Bypass permission checks for operations on System V IPC
objects.
CAP_KILL
Bypass permission checks for sending signals (see kill(2)).
This includes use of the ioctl(2) KDSIGACCEPT operation.
CAP_LEASE (since Linux 2.4)
Establish leases on arbitrary files (see fcntl(2)).
CAP_LINUX_IMMUTABLE
Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see
ioctl_iflags(2)).
CAP_MAC_ADMIN (since Linux 2.6.25)
Allow MAC configuration or state changes. Implemented for the
Smack Linux Security Module (LSM).
CAP_MAC_OVERRIDE (since Linux 2.6.25)
Override Mandatory Access Control (MAC). Implemented for the
Smack LSM.
CAP_MKNOD (since Linux 2.4)
Create special files using mknod(2).
CAP_NET_ADMIN
Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying;
* set type-of-service (TOS)
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
* use setsockopt(2) to set the following socket options:
SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
CAP_NET_BIND_SERVICE
Bind a socket to Internet domain privileged ports (port
numbers less than 1024).
CAP_NET_BROADCAST
(Unused) Make socket broadcasts, and listen to multicasts.
CAP_NET_RAW
* Use RAW and PACKET sockets;
* bind to any address for transparent proxying.
CAP_SETGID
* Make arbitrary manipulations of process GIDs and
supplementary GID list;
* forge GID when passing socket credentials via UNIX domain
sockets;
* write a group ID mapping in a user namespace (see
user_namespaces(7)).
CAP_SETFCAP (since Linux 2.6.24)
Set file capabilities.
CAP_SETPCAP
If file capabilities are not supported: grant or remove any
capability in the caller's permitted capability set to or from
any other process. (This property of CAP_SETPCAP is not
available when the kernel is configured to support file
capabilities, since CAP_SETPCAP has entirely different
semantics for such kernels.)
If file capabilities are supported: add any capability from
the calling thread's bounding set to its inheritable set; drop
capabilities from the bounding set (via prctl(2)
PR_CAPBSET_DROP); make changes to the securebits flags.
CAP_SETUID
* Make arbitrary manipulations of process UIDs (setuid(2),
setreuid(2), setresuid(2), setfsuid(2));
* forge UID when passing socket credentials via UNIX domain
sockets;
* write a user ID mapping in a user namespace (see
user_namespaces(7)).
CAP_SYS_ADMIN
Note: this capability is overloaded; see Notes to kernel
developers, below.
* Perform a range of system administration operations
including: quotactl(2), mount(2), umount(2), swapon(2),
setdomainname(2);
* perform privileged syslog(2) operations (since Linux 2.6.37,
CAP_SYSLOG should be used to permit such operations);
* perform VM86_REQUEST_IRQ vm86(2) command;
* perform IPC_SET and IPC_RMID operations on arbitrary System
V IPC objects;
* override RLIMIT_NPROC resource limit;
* perform operations on trusted and security Extended
Attributes (see xattr(7));
* use lookup_dcookie(2);
* use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before
Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
* forge PID when passing socket credentials via UNIX domain
sockets;
* exceed /proc/sys/fs/file-max, the system-wide limit on the
number of open files, in system calls that open files (e.g.,
accept(2), execve(2), open(2), pipe(2));
* employ CLONE_* flags that create new namespaces with
clone(2) and unshare(2) (but, since Linux 3.8, creating user
namespaces does not require any capability);
* call perf_event_open(2);
* access privileged perf event information;
* call setns(2) (requires CAP_SYS_ADMIN in the target
namespace);
* call fanotify_init(2);
* call bpf(2);
* perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2)
operations;
* use ptrace(2) PTRACE_SECCOMP_GET_FILTER to dump a tracees
seccomp filters;
* perform madvise(2) MADV_HWPOISON operation;
* employ the TIOCSTI ioctl(2) to insert characters into the
input queue of a terminal other than the caller's
controlling terminal;
* employ the obsolete nfsservctl(2) system call;
* employ the obsolete bdflush(2) system call;
* perform various privileged block-device ioctl(2) operations;
* perform various privileged filesystem ioctl(2) operations;
* perform privileged ioctl(2) operations on the /dev/random
device (see random(4));
* install a seccomp(2) filter without first having to set the
no_new_privs thread attribute;
* modify allow/deny rules for device control groups;
* employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to
dump tracee's seccomp filters;
* employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend
the tracee's seccomp protections (i.e., the
PTRACE_O_SUSPEND_SECCOMP flag).
* perform administrative operations on many device drivers.
CAP_SYS_BOOT
Use reboot(2) and kexec_load(2).
CAP_SYS_CHROOT
Use chroot(2).
CAP_SYS_MODULE
* Load and unload kernel modules (see init_module(2) and
delete_module(2));
* in kernels before 2.6.25: drop capabilities from the system-
wide capability bounding set.
CAP_SYS_NICE
* Raise process nice value (nice(2), setpriority(2)) and
change the nice value for arbitrary processes;
* set real-time scheduling policies for calling process, and
set scheduling policies and priorities for arbitrary
processes (sched_setscheduler(2), sched_setparam(2),
shed_setattr(2));
* set CPU affinity for arbitrary processes
(sched_setaffinity(2));
* set I/O scheduling class and priority for arbitrary
processes (ioprio_set(2));
* apply migrate_pages(2) to arbitrary processes and allow
processes to be migrated to arbitrary nodes;
* apply move_pages(2) to arbitrary processes;
* use the MPOL_MF_MOVE_ALL flag with mbind(2) and
move_pages(2).
CAP_SYS_PACCT
Use acct(2).
CAP_SYS_PTRACE
* Trace arbitrary processes using ptrace(2);
* apply get_robust_list(2) to arbitrary processes;
* transfer data to or from the memory of arbitrary processes
using process_vm_writev(2);
* inspect processes using kcmp(2).
CAP_SYS_RAWIO
* Perform I/O port operations (iopl(2) and ioperm(2));
* access /proc/kcore;
* employ the FIBMAP ioctl(2) operation;
* open devices for accessing x86 model-specific registers
(MSRs, see msr(4));
* update /proc/sys/vm/mmap_min_addr;
* create memory mappings at addresses below the value
specified by /proc/sys/vm/mmap_min_addr;
* map files in /proc/bus/pci;
* open /dev/mem and /dev/kmem;
* perform various SCSI device commands;
* perform certain operations on hpsa(4) and cciss(4) devices;
* perform a range of device-specific operations on other
devices.
CAP_SYS_RESOURCE
* Use reserved space on ext2 filesystems;
* make ioctl(2) calls controlling ext3 journaling;
* override disk quota limits;
* increase resource limits (see setrlimit(2));
* override RLIMIT_NPROC resource limit;
* override maximum number of consoles on console allocation;
* override maximum number of keymaps;
* allow more than 64hz interrupts from the real-time clock;
* raise msg_qbytes limit for a System V message queue above
the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
msgctl(2));
* allow the RLIMIT_NOFILE resource limit on the number of "in-
flight" file descriptors to be bypassed when passing file
descriptors to another process via a UNIX domain socket (see
unix(7));
* override the /proc/sys/fs/pipe-size-max limit when setting
the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
command.
* use F_SETPIPE_SZ to increase the capacity of a pipe above
the limit specified by /proc/sys/fs/pipe-max-size;
* override /proc/sys/fs/mqueue/queues_max limit when creating
POSIX message queues (see mq_overview(7));
* employ the prctl(2) PR_SET_MM operation;
* set /proc/[pid]/oom_score_adj to a value lower than the
value last set by a process with CAP_SYS_RESOURCE.
CAP_SYS_TIME
Set system clock (settimeofday(2), stime(2), adjtimex(2)); set
real-time (hardware) clock.
CAP_SYS_TTY_CONFIG
Use vhangup(2); employ various privileged ioctl(2) operations
on virtual terminals.
CAP_SYSLOG (since Linux 2.6.37)
* Perform privileged syslog(2) operations. See syslog(2) for
information on which operations require privilege.
* View kernel addresses exposed via /proc and other interfaces
when /proc/sys/kernel/kptr_restrict has the value 1. (See
the discussion of the kptr_restrict in proc(5).)
CAP_WAKE_ALARM (since Linux 3.0)
Trigger something that will wake up the system (set
CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).