[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: How can i call a function which is usually used by root?

From: "Serge E. Hallyn" <serue us ibm com>
To: wk <304702903 qq com>
Cc: fedora-selinux-list <fedora-selinux-list redhat com>
Subject: Re: How can i call a function which is usually used by root?
Date: Tue, 2 Dec 2008 09:31:54 -0600

Quoting wk (304702903 qq com):
> I want write a c program.And a common user(not in root group) will run this program.
>  In this program,I call fread(/dev/sdc...) and fwrite(/dev/sdc),but this call will return "permission no allow".If I use the root user,will be ok.
>  How to change to the authority to root's?
>  
>  I know the  root's password.

Offhand I suspect what you need is CAP_SYS_RAWIO (maybe CAP_SYS_ADMIN).
But I don't know how your program is designed so am not sure how to
best give your program that privilege:

	1. Make program setuid root, have it immediately switch
	   to nonroot and keep root in your saved uid so you can move it
	   back to euid when you need to write /dev/sdc.
	   (man setresuid)
	2. Put CAP_SYS_RAWIO in fP (or fI if you can put it in
	   the calling user's pI), then have your program
	   put the capability into pE just when it needs to
	   write to /dev/sdc.
	   (man 7 capabilities)
	3. Write a separate minimal partially privileged helper
	   program which answers requests by your main program.
	   Then you could use selinux to enforce an assured
	   pipeline to prevent anyone else using the helper.
	   (google privilege separation)

-serge

References:
- How can i call a function which is usually used by root?
  - From: wk

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]