Re: [linux-audio-dev] Root powers (was: Lowish-latency test results with kernel 2.4.0-test4)


Subject: Re: [linux-audio-dev] Root powers (was: Lowish-latency test results with kernel 2.4.0-test4)
From: Tommi Ilmonen (tilmonen_AT_cc.hut.fi)
Date: Thu Aug 10 2000 - 16:35:12 EEST


On Wed, 9 Aug 2000, David Olofson wrote:

> On Fri, 04 Aug 2000, Tommi Ilmonen wrote:
> [...]
> > What I'd like to do (=what I am prepared to do at some stage):
> >
> > 0.1) Start the app with root privileges (either with suid or sudo)
> > 0.2) Lock memory
> > 0.3) Get the necessary capabilities to get RT-priority and high
> > RTC-frequencies later on.
> > 0.4) Drop super user privileges
>
> This is pretty much how svgalib works. (One of the init calls drops
> root privileges after the VGA port and memory access stuff has been
> set up.) Don't know much about the implementation details, though.
>
> > This would be simplified if I could simply attach the necessary
> > capabilities to the binary.
> >
> > After this the user can still do great damage to the system, but at least
> > some of root's powers are gone (total access to arbitrary files etc).
>
> Actually, the user can't do anything worse with SCHED_FIFO than
> freezing user space - which can be prevented by a watchdog thread.
> (Of course, you have to make sure that no application can get higher
> prio than the watchdog!)

Watchdog is a good way to start (I already use such). A malicious
application/plugin can kill the watchdog thread, but this really requires
intentionally harmful code. We don't run such (except by accident...).

> > PS: I thought I could use external mini-apps to grant certain privileges as
> > needed, but this is not really a viable approach with Linux.
>
> Well, it would work, but it would require some sort of standard API
> to be useful. I'd propose the use of a normal library that does one
> of the following, depending on the current environment;
>
> 1) Use some new, nicer way of getting RT prio without root privileges.
>
> 2) Ask the "RT prio provider" daemon to change your thread's prio for
> you. (Of course, that daemon also has a watchdog thread, and makes
> sure that you can't set the prio for your threads higher than
> that of the watchdog.)

This is what I have. A small application (usage guarded with sudo) grants
RT-priority to applications that need it (and are allowed to get the
priority). This is fine if you only need to set the priority every now and
then. If you do aggressive rescheduling this method fails. Good thing
is that even rather paranoid admins can accept such small guarded
applications (small enough that they read through the source in three
minutes).

Tommi.
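[Editor's added example, not code from Tommi, David or the list: a C program
that walks steps 0.1-0.4 above and puts David's watchdog thread on top.
Everything not in the thread is an assumption and is marked as such in the
source: the priority numbers (watchdog 60, worker 50), uid/gid 65534 for
"nobody", a heartbeat counter as the liveness signal, and demoting a stuck
worker to SCHED_OTHER instead of killing it. Start it as root or via sudo to
see the RT steps succeed; unprivileged, the RT steps return EPERM and the
demo degrades to SCHED_OTHER so the control flow still runs to completion.]

```c
/* rt_startup.c -- added example for this archive page, not the thread's code.
 * Start privileged, lock memory, take RT priority, arm a watchdog that
 * outranks the worker, then drop root for good.
 * Build: cc -O2 -pthread rt_startup.c -o rt_startup  (sudo ./rt_startup) */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>

#define WATCHDOG_PRIO 60    /* assumed: nothing in the process may exceed this */
#define WORKER_PRIO   50    /* assumed priority of the audio thread */
#define UNPRIV_UID    65534 /* assumed: "nobody" on the target box */

static volatile unsigned long heartbeat;  /* bumped by the worker every cycle */
static volatile int worker_stalled;       /* set once the watchdog demoted it */
static volatile int stop_all;
struct demo_report { int lock_rc, drop_rc, watchdog_is_rt; } last_report;

static void msleep(int ms) {
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* 0.2: pin current and future pages so the RT thread never page-faults.
 * Returns 0 or -errno (EPERM/ENOMEM when RLIMIT_MEMLOCK is too small). */
int lock_memory(void) {
    return mlockall(MCL_CURRENT | MCL_FUTURE) == 0 ? 0 : -errno;
}

/* 0.3: SCHED_FIFO at prio for the calling thread; 0 or -errno (EPERM unprivileged). */
int set_realtime(int prio) {
    struct sched_param sp = { .sched_priority = prio };
    return sched_setscheduler(0, SCHED_FIFO, &sp) == 0 ? 0 : -errno;
}

/* 0.4: drop root permanently.  Order matters: supplementary groups first
 * (needs root), then gid, then uid.  As root, setuid() sets real, effective
 * and saved uid, so the final setuid(0) must fail or the drop was not real. */
int drop_root(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;                 /* nothing to drop */
    if (setgroups(0, NULL) != 0) return -errno;
    if (setgid(gid) != 0) return -errno;
    if (setuid(uid) != 0) return -errno;
    return setuid(0) == 0 ? -EACCES : 0;
}

/* Watchdog: a worker spinning in SCHED_FIFO freezes user space; only a thread
 * of higher priority still gets the CPU to notice.  It demotes the stuck
 * worker to SCHED_OTHER (permitted even without privilege) rather than killing it. */
struct watchdog_arg { pthread_t worker; int period_ms; int max_misses; };

static void *watchdog_main(void *p) {
    struct watchdog_arg *a = p;
    unsigned long last = heartbeat;
    int misses = 0;
    while (!stop_all) {
        msleep(a->period_ms);
        unsigned long now = heartbeat;
        misses = (now == last) ? misses + 1 : 0;
        last = now;
        if (misses >= a->max_misses) {
            struct sched_param sp = { .sched_priority = 0 };
            pthread_setschedparam(a->worker, SCHED_OTHER, &sp);
            worker_stalled = 1;
            misses = 0;
        }
    }
    return NULL;
}

/* Create the watchdog at WATCHDOG_PRIO; fall back to SCHED_OTHER on EPERM. */
static int start_watchdog(pthread_t *tid, struct watchdog_arg *a) {
    pthread_attr_t attr;
    struct sched_param sp = { .sched_priority = WATCHDOG_PRIO };
    pthread_attr_init(&attr);
    pthread_attr_setinheritsched(&attr, PTHREAD_EXPLICIT_SCHED);
    pthread_attr_setschedpolicy(&attr, SCHED_FIFO);
    pthread_attr_setschedparam(&attr, &sp);
    int rc = pthread_create(tid, &attr, watchdog_main, a);
    last_report.watchdog_is_rt = (rc == 0);
    if (rc == EPERM) rc = pthread_create(tid, NULL, watchdog_main, a);
    pthread_attr_destroy(&attr);
    return rc;
}

/* Stand-in audio thread: beats every 2 ms, or (stall_after > 0) behaves like a
 * buggy plugin that spins forever after that many cycles. */
static void *worker_main(void *p) {
    int stall_after = *(int *)p;
    set_realtime(WORKER_PRIO);                /* EPERM is fine for the demo */
    for (int cycle = 1; !stop_all; cycle++) {
        if (stall_after && cycle >= stall_after) {
            while (!worker_stalled && !stop_all) { }   /* hog the CPU until demoted */
            break;
        }
        heartbeat++;
        msleep(2);
    }
    return NULL;
}

/* Whole sequence.  Returns 1 if the watchdog caught a stall, 0 if the worker
 * kept beating, -1 if the watchdog could not be started; per-step results
 * land in last_report. */
int run_demo(int stall_after, int check_ms) {
    pthread_t wd, wk;
    struct watchdog_arg a = { 0, check_ms, 3 };
    heartbeat = 0; worker_stalled = 0; stop_all = 0;
    last_report.lock_rc = lock_memory();                      /* 0.2 */
    pthread_create(&wk, NULL, worker_main, &stall_after);     /* 0.3 inside */
    a.worker = wk;
    if (start_watchdog(&wd, &a) != 0) { stop_all = 1; pthread_join(wk, NULL); return -1; }
    last_report.drop_rc = drop_root(UNPRIV_UID, UNPRIV_UID);  /* 0.4 */
    msleep(check_ms * 8);                                     /* let the watchdog work */
    stop_all = 1;
    pthread_join(wk, NULL);
    pthread_join(wd, NULL);
    return worker_stalled;
}

int main(void) {
    int caught = run_demo(5, 20);
    printf("mlockall: %s; drop_root: %s; watchdog RT: %s; stall caught: %s\n",
           last_report.lock_rc ? strerror(-last_report.lock_rc) : "ok",
           last_report.drop_rc ? strerror(-last_report.drop_rc) : "ok",
           last_report.watchdog_is_rt ? "yes" : "no (EPERM)", caught ? "yes" : "no");
    return caught == 1 ? 0 : 1;
}
```

Two things worth checking when adapting this. First, David's parenthesis is
the whole security argument: the watchdog only helps if no thread in the
process can be created above WATCHDOG_PRIO, so the RT-granting code must
clamp every request below it, and (as Tommi notes) nothing here stops a
deliberately hostile plugin from simply killing the watchdog thread. Second,
"attach the capabilities to the binary" was not available on the 2.4 kernels
this thread is about; file capabilities (setcap) arrived with Linux 2.6.24,
and RLIMIT_RTPRIO (2.6.12 and later) lets an admin grant SCHED_FIFO up to a
ceiling without any root involvement at all, which removes the need for
steps 0.1 and 0.4 on modern systems.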



This archive was generated by hypermail 2b28 : Thu Aug 10 2000 - 17:19:14 EEST