![]() The /dev/mem object is basically the entire memory space on the system. Then gives the group read write access to this /dev/mem object. This changes the owner and group of /dev/mem to root and gpio respectively. The page on Authorization Services Tasks has some elaborate discussion of this (and related) functions.I can answer this. On OS X, you can use the AuthorizationExecuteWithPrivileges function. The privileged code needs to verify the security of every operation it needs to do but as this code is small compared to the unprivileged code this should be reasonably easy. The corresponding privileged code uses stdin/stdout as its end of the comlink. Now the unprivileged code talks to the privileged code via the fd comlink (which is a connected socket). ![]() Rtn = unprivileged_client(argc, argv, sockets) Socketpair(AF_INET, SOCK_STREAM, 0) /* or is it AF_UNIX? */ Int unprivileged_client(int argc, char **argv, int comlink) One way of managing this so that attacks against your program are hard is to minimize the code that runs as root like so: int privileged_server(int argc, char **argv) Normally this is done by making your binary suid-root. You will, of course, need to take reasonable precautions that it can't be invoked outside of your master program. ![]() I believe (but haven't tried this) that you could install your program as root with the setuid bit on, immediately reduce privilege, and then restore privilege as needed (it's possible, however, that once you lower your privilege you won't be able to restore it).Ī better solution is to break out the piece of your program that needs to run as root, and install it with the setuid bit turned on. While your program is running with root privileges, you can call the setuid(2) system call to change your effective userid to some non-privileged user. If you run ls -l on sudo, you'll see that it is installed that way: -rwsr-xr-x 2 root root 123504 18:22 /usr/bin/sudo The usual way that you do this is to install the program with the "setuid" bit set: this runs the program with the effective userid of the file owner. You can't gain root privileges, you must start out with them and reduce your privileges as needed. Using capabilities, you can limit the use of this exploit, and save yourself and your company from security-related scrutiny. This matters because as a programmer, your code is obviously perfect! But, the libraries on which you depend (sigh, if only you'd written them!) might have vulnerabilities in them. Fedora has a feature to completely remove setuid binaries with indiscriminate root access. For example CAP_SYS_MODULE will allow you to insert kernel modules, but give you no other root powers. POSIX capabilities allow your application to be granted a subset of root's powers. These are different to capability-based security as implemented in L4 et al. My original answer stands (although my 2013 self might make a better job of it than my 2010 one), but if you are designing an application that requires root access, you may want to consider exactly what sort of root access is needed and consider the use of POSIX Capabilities (man page). It's only for very specific operations (mounting etc) that root privileges are truly needed. A lot of daemons etc are also set up under modern systems to run as their own user with most of the privileges they need. I don't think there's a way to easily programmatically gain root access - after all, applying the principle of least privilege, why would you need to? Common practise is to run only limited parts of code with elevated privileges. The sudo process, for example, geteuid should return 0 (root) and getuid your user's id, however, its sub-processes do truly run as root (you can verify this with sudo id -u -r). Wikipedia has an article on it which even shows you the difference between geteuid() and getuid() quite effectively, the former being for finding out who you're "emulating" and the latter for who you "are". You might consider the setuid switch on the executable itself.
0 Comments
Leave a Reply. |