Ich habe eine Gerätedatei, die angezeigt wird, /devwenn eine bestimmte Karte eingesteckt ist. Die Lese- und Schreibvorgänge funktionieren einwandfrei, aber um die Gerätedatei zu öffnen, muss das Programm mit Root-Berechtigungen ausgeführt werden. Gibt es eine Möglichkeit für alle Benutzer ohne Rootberechtigung, diese eine bestimmte Gerätedatei zu öffnen, ohne sudo verwenden zu müssen?
Antworten:
Ja, Sie können eine udev-Regel schreiben.
In /etc/udev/rules.dmake a file 30-mydevice.rules(Nummer muss zwischen 0 und 99 liegen und entscheidet nur über die Ausführungsreihenfolge des Skripts; Name spielt keine Rolle, muss nur beschreibend sein; .rulesErweiterung ist jedoch erforderlich)
In diesem Beispiel gehe ich davon aus, dass Ihr Gerät USB-basiert ist und Sie wissen, dass es sich um einen Anbieter und eine Produkt-ID handelt (die mit überprüft werden kann lsusb -v), und dass Sie eine mydeviceGruppe verwenden, in der sich Ihr Benutzer befinden muss, um das Gerät zu verwenden. Dies sollte in diesem Fall der Inhalt der Datei sein:
SUBSYSTEM=="usb", SYSFS{idVendor}=="0123", SYSFS{idProduct}=="4567", ACTION=="add", GROUP="mydevice", MODE="0664"
MODE gleich 0664 erlaubt es dem Gerät, von seinem Besitzer (wahrscheinlich root) und der definierten Gruppe beschrieben zu werden.
Eine Möglichkeit besteht darin, den Benutzer der entsprechenden "Devivce-Gruppe" hinzuzufügen. Unter Linux gibt es eine ganze Reihe von Gruppen für verschiedene Arten von Geräten (Diskette, Diskette, Tty, Video, CD-ROM, ...), sodass Sie den Benutzer der entsprechenden Gruppe in / etc / group hinzufügen können.
Ein anderer Weg ist, einen "Pseudo-Benutzer" (zB den Spielbenutzer) zu machen. Sie fügen diesen Benutzer zu den Gerätegruppen hinzu, die er haben soll. Schließlich ändern Sie den Eigentümer bestimmter Programme (z. B. eines Programms zum Scannen von Bildern) in diesen Benutzer und legen "chmod u + s" fest. Dies führt dazu, dass das Programm als Pseudo-Benutzer ausgeführt wird - nicht als echter Benutzer und somit Zugriff auf die Geräte hat. Sie können die Gruppe der Programme verwenden, um zu begrenzen, welcher Benutzer das Programm ausführen darf.
Schließlich können Sie die Gruppe von Programmen, die ein bestimmtes Gerät benötigen, auf die Gerätegruppe einstellen und "chmod g + s" einstellen. Dadurch wird das Programm mit den Rechten der Gruppe ausgeführt (zusätzlich zu dem Recht des normalen Benutzers, der es ausführt), wodurch ein erweiterter Zugriff auf das Gerät ermöglicht wird.
Ja, Sie können, aber Sie benötigen zunächst die Root-Berechtigung. Seit Linux 2.2 verfügt es über Funktionen. Verwenden Sie geteilte Root-Berechtigungen. Mit unter der Liste können Sie Folgendes verwenden:
setcap cap_net_raw,cap_net_admin=eip xxxx
xxxx ist jedes ausführbare Programm, Sie können libpcap mit sich selbst aufrufen.
Liste der Funktionen In der folgenden Liste werden die unter Linux implementierten Funktionen sowie die von jeder Funktion zugelassenen Vorgänge oder Verhaltensweisen aufgeführt:
CAP_AUDIT_CONTROL (since Linux 2.6.11)
Enable and disable kernel auditing; change auditing filter
rules; retrieve auditing status and filtering rules.
CAP_AUDIT_READ (since Linux 3.16)
Allow reading the audit log via a multicast netlink socket.
CAP_AUDIT_WRITE (since Linux 2.6.11)
Write records to kernel auditing log.
CAP_BLOCK_SUSPEND (since Linux 3.5)
Employ features that can block system suspend (epoll(7)
EPOLLWAKEUP, /proc/sys/wake_lock).
CAP_CHOWN
Make arbitrary changes to file UIDs and GIDs (see chown(2)).
CAP_DAC_OVERRIDE
Bypass file read, write, and execute permission checks. (DAC
is an abbreviation of "discretionary access control".)
CAP_DAC_READ_SEARCH
* Bypass file read permission checks and directory read and
execute permission checks;
* invoke open_by_handle_at(2);
* use the linkat(2) AT_EMPTY_PATH flag to create a link to a
file referred to by a file descriptor.
CAP_FOWNER
* Bypass permission checks on operations that normally require
the filesystem UID of the process to match the UID of the
file (e.g., chmod(2), utime(2)), excluding those operations
covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;
* set inode flags (see ioctl_iflags(2)) on arbitrary files;
* set Access Control Lists (ACLs) on arbitrary files;
* ignore directory sticky bit on file deletion;
* specify O_NOATIME for arbitrary files in open(2) and
fcntl(2).
CAP_FSETID
* Don't clear set-user-ID and set-group-ID mode bits when a
file is modified;
* set the set-group-ID bit for a file whose GID does not match
the filesystem or any of the supplementary GIDs of the
calling process.
CAP_IPC_LOCK
Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
CAP_IPC_OWNER
Bypass permission checks for operations on System V IPC
objects.
CAP_KILL
Bypass permission checks for sending signals (see kill(2)).
This includes use of the ioctl(2) KDSIGACCEPT operation.
CAP_LEASE (since Linux 2.4)
Establish leases on arbitrary files (see fcntl(2)).
CAP_LINUX_IMMUTABLE
Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see
ioctl_iflags(2)).
CAP_MAC_ADMIN (since Linux 2.6.25)
Allow MAC configuration or state changes. Implemented for the
Smack Linux Security Module (LSM).
CAP_MAC_OVERRIDE (since Linux 2.6.25)
Override Mandatory Access Control (MAC). Implemented for the
Smack LSM.
CAP_MKNOD (since Linux 2.4)
Create special files using mknod(2).
CAP_NET_ADMIN
Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying;
* set type-of-service (TOS)
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
* use setsockopt(2) to set the following socket options:
SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
CAP_NET_BIND_SERVICE
Bind a socket to Internet domain privileged ports (port
numbers less than 1024).
CAP_NET_BROADCAST
(Unused) Make socket broadcasts, and listen to multicasts.
CAP_NET_RAW
* Use RAW and PACKET sockets;
* bind to any address for transparent proxying.
CAP_SETGID
* Make arbitrary manipulations of process GIDs and
supplementary GID list;
* forge GID when passing socket credentials via UNIX domain
sockets;
* write a group ID mapping in a user namespace (see
user_namespaces(7)).
CAP_SETFCAP (since Linux 2.6.24)
Set file capabilities.
CAP_SETPCAP
If file capabilities are not supported: grant or remove any
capability in the caller's permitted capability set to or from
any other process. (This property of CAP_SETPCAP is not
available when the kernel is configured to support file
capabilities, since CAP_SETPCAP has entirely different
semantics for such kernels.)
If file capabilities are supported: add any capability from
the calling thread's bounding set to its inheritable set; drop
capabilities from the bounding set (via prctl(2)
PR_CAPBSET_DROP); make changes to the securebits flags.
CAP_SETUID
* Make arbitrary manipulations of process UIDs (setuid(2),
setreuid(2), setresuid(2), setfsuid(2));
* forge UID when passing socket credentials via UNIX domain
sockets;
* write a user ID mapping in a user namespace (see
user_namespaces(7)).
CAP_SYS_ADMIN
Note: this capability is overloaded; see Notes to kernel
developers, below.
* Perform a range of system administration operations
including: quotactl(2), mount(2), umount(2), swapon(2),
setdomainname(2);
* perform privileged syslog(2) operations (since Linux 2.6.37,
CAP_SYSLOG should be used to permit such operations);
* perform VM86_REQUEST_IRQ vm86(2) command;
* perform IPC_SET and IPC_RMID operations on arbitrary System
V IPC objects;
* override RLIMIT_NPROC resource limit;
* perform operations on trusted and security Extended
Attributes (see xattr(7));
* use lookup_dcookie(2);
* use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before
Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
* forge PID when passing socket credentials via UNIX domain
sockets;
* exceed /proc/sys/fs/file-max, the system-wide limit on the
number of open files, in system calls that open files (e.g.,
accept(2), execve(2), open(2), pipe(2));
* employ CLONE_* flags that create new namespaces with
clone(2) and unshare(2) (but, since Linux 3.8, creating user
namespaces does not require any capability);
* call perf_event_open(2);
* access privileged perf event information;
* call setns(2) (requires CAP_SYS_ADMIN in the target
namespace);
* call fanotify_init(2);
* call bpf(2);
* perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2)
operations;
* use ptrace(2) PTRACE_SECCOMP_GET_FILTER to dump a tracees
seccomp filters;
* perform madvise(2) MADV_HWPOISON operation;
* employ the TIOCSTI ioctl(2) to insert characters into the
input queue of a terminal other than the caller's
controlling terminal;
* employ the obsolete nfsservctl(2) system call;
* employ the obsolete bdflush(2) system call;
* perform various privileged block-device ioctl(2) operations;
* perform various privileged filesystem ioctl(2) operations;
* perform privileged ioctl(2) operations on the /dev/random
device (see random(4));
* install a seccomp(2) filter without first having to set the
no_new_privs thread attribute;
* modify allow/deny rules for device control groups;
* employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to
dump tracee's seccomp filters;
* employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend
the tracee's seccomp protections (i.e., the
PTRACE_O_SUSPEND_SECCOMP flag).
* perform administrative operations on many device drivers.
CAP_SYS_BOOT
Use reboot(2) and kexec_load(2).
CAP_SYS_CHROOT
Use chroot(2).
CAP_SYS_MODULE
* Load and unload kernel modules (see init_module(2) and
delete_module(2));
* in kernels before 2.6.25: drop capabilities from the system-
wide capability bounding set.
CAP_SYS_NICE
* Raise process nice value (nice(2), setpriority(2)) and
change the nice value for arbitrary processes;
* set real-time scheduling policies for calling process, and
set scheduling policies and priorities for arbitrary
processes (sched_setscheduler(2), sched_setparam(2),
shed_setattr(2));
* set CPU affinity for arbitrary processes
(sched_setaffinity(2));
* set I/O scheduling class and priority for arbitrary
processes (ioprio_set(2));
* apply migrate_pages(2) to arbitrary processes and allow
processes to be migrated to arbitrary nodes;
* apply move_pages(2) to arbitrary processes;
* use the MPOL_MF_MOVE_ALL flag with mbind(2) and
move_pages(2).
CAP_SYS_PACCT
Use acct(2).
CAP_SYS_PTRACE
* Trace arbitrary processes using ptrace(2);
* apply get_robust_list(2) to arbitrary processes;
* transfer data to or from the memory of arbitrary processes
using process_vm_writev(2);
* inspect processes using kcmp(2).
CAP_SYS_RAWIO
* Perform I/O port operations (iopl(2) and ioperm(2));
* access /proc/kcore;
* employ the FIBMAP ioctl(2) operation;
* open devices for accessing x86 model-specific registers
(MSRs, see msr(4));
* update /proc/sys/vm/mmap_min_addr;
* create memory mappings at addresses below the value
specified by /proc/sys/vm/mmap_min_addr;
* map files in /proc/bus/pci;
* open /dev/mem and /dev/kmem;
* perform various SCSI device commands;
* perform certain operations on hpsa(4) and cciss(4) devices;
* perform a range of device-specific operations on other
devices.
CAP_SYS_RESOURCE
* Use reserved space on ext2 filesystems;
* make ioctl(2) calls controlling ext3 journaling;
* override disk quota limits;
* increase resource limits (see setrlimit(2));
* override RLIMIT_NPROC resource limit;
* override maximum number of consoles on console allocation;
* override maximum number of keymaps;
* allow more than 64hz interrupts from the real-time clock;
* raise msg_qbytes limit for a System V message queue above
the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
msgctl(2));
* allow the RLIMIT_NOFILE resource limit on the number of "in-
flight" file descriptors to be bypassed when passing file
descriptors to another process via a UNIX domain socket (see
unix(7));
* override the /proc/sys/fs/pipe-size-max limit when setting
the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
command.
* use F_SETPIPE_SZ to increase the capacity of a pipe above
the limit specified by /proc/sys/fs/pipe-max-size;
* override /proc/sys/fs/mqueue/queues_max limit when creating
POSIX message queues (see mq_overview(7));
* employ the prctl(2) PR_SET_MM operation;
* set /proc/[pid]/oom_score_adj to a value lower than the
value last set by a process with CAP_SYS_RESOURCE.
CAP_SYS_TIME
Set system clock (settimeofday(2), stime(2), adjtimex(2)); set
real-time (hardware) clock.
CAP_SYS_TTY_CONFIG
Use vhangup(2); employ various privileged ioctl(2) operations
on virtual terminals.
CAP_SYSLOG (since Linux 2.6.37)
* Perform privileged syslog(2) operations. See syslog(2) for
information on which operations require privilege.
* View kernel addresses exposed via /proc and other interfaces
when /proc/sys/kernel/kptr_restrict has the value 1. (See
the discussion of the kptr_restrict in proc(5).)
CAP_WAKE_ALARM (since Linux 3.0)
Trigger something that will wake up the system (set
CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
30im Dateinamen?