Date: Wed, 11 Jun 1997 15:52:35 +0200 (MET DST)
From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To: dufault@hda.com (Peter Dufault)
Cc: luigi@iet.unipi.it, hackers@FreeBSD.ORG
Subject: Re: rtprio from non-root users ?
Message-ID: <199706111352.PAA09210@labinfo.iet.unipi.it>
In-Reply-To: <199706111219.IAA02802@hda.hda.com> from "Peter Dufault" at Jun 11, 97 08:19:31 am

> > I am trying to allow non-root accounts to use CD-R devices. Although
...
> > Of the following two fixes:
> >
> > a) modify the rtprio syscall so that it can set realtime priority
> >    for a restricted set of users (but then, how to configure this
> >    set ?);
> >
> > b) modify the rtprio(1) command so that it can run suid-root, by
> >    allowing RTP_SET for a configurable class of users (e.g.
> >    /etc/rtprio.users) and calling setuid to restore the real uid
> >    before calling execvp
>
> I have some of this now - can you wait a bit longer so we don't
> collide? The problem with the current patches is they use ioctls
> against a device and I have to change them to system calls.

I have (yesterday night) implemented a small change to rtprio (check
PRs in the last 24 hours, I don't remember the number) which reads
allowed users from /etc/rtprio.conf.

Jordan suggests using the login.class database to add a rtprio
capability, which seems a much better approach.

I am not very much in favour of modifying the kernel if the desired
functionality can be achieved in userspace.

> I'm using a pseudo device that requires that you either be root or
> have the device opened, then I use group protection on the device.
...
> I've been thinking of changing this to an inherited per process
> bit mask you set by opening a pseudo device. Then you get the
> privileges by "cp /dev/null /dev/rtperms" and they stay for all
> descendant processes until you give it up or have it revoked.
>
> Comments?

Frankly, the use of a capability file seems the simplest solution
since permissions are checked very rarely.

	Cheers
	Luigi
-----------------------------+--------------------------------------
Luigi Rizzo                  |  Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it    |  Universita' di Pisa
tel: +39-50-568533           |  via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522           |  http://www.iet.unipi.it/~luigi/
_____________________________|______________________________________