I want to write a C program, and a common user (not in the root group) will run this program. In this program I call fread(/dev/sdc...) and fwrite(/dev/sdc), but this call returns "permission no allow". If I use the root user, it is OK. How do I change the authority to root's?
I know root's password.
Quoting wk (304702903@qq.com):
> I want to write a C program, and a common user (not in the root group) will run this program. In this program I call fread(/dev/sdc...) and fwrite(/dev/sdc), but this call returns "permission no allow". If I use the root user, it is OK. How do I change the authority to root's?
> I know root's password.
Offhand I suspect what you need is CAP_SYS_RAWIO (maybe CAP_SYS_ADMIN). But I don't know how your program is designed, so I am not sure how to best give your program that privilege:

1. Make the program setuid root, have it immediately switch to non-root and keep root in your saved uid so you can move it back to the euid when you need to write /dev/sdc. (man setresuid)
2. Put CAP_SYS_RAWIO in fP (or fI if you can put it in the calling user's pI), then have your program put the capability into pE just when it needs to write to /dev/sdc. (man 7 capabilities)
3. Write a separate minimal, partially privileged helper program which answers requests from your main program. Then you could use SELinux to enforce an assured pipeline to prevent anyone else using the helper. (google privilege separation)
-serge
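As an added example, not code from the thread or from wk's program: option 1 above written out in C. The binary is installed setuid root, drops to the invoking user before doing anything else, keeps root only in the saved set-user-ID, and re-acquires it just around open() of the device. Two points the prose does not spell out: open() is where the kernel checks permission, so the descriptor stays usable after the euid is lowered again, and a failed setresuid() has to be treated as fatal rather than ignored. /dev/sdc is taken from the question; the 512-byte sector size, the helper names, the --selftest switch and the temp-file stand-in for the device are assumptions for illustration.

```c
/* Added example (not from the thread): setuid root + saved uid (option 1).
 * Build: cc -o rawio rawio.c; then as root: chown root rawio && chmod 4755 rawio */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* glibc declares these only under _GNU_SOURCE; repeating the prototypes keeps the
 * file compiling if another header has already been pulled in ahead of this one. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

#define DEVICE "/dev/sdc"   /* path from the question */
#define SECTOR 512          /* assumption: 512-byte sectors */

/* Become the invoking user but leave root in the saved set-user-ID so it can be
 * re-acquired.  On a non-setuid run ruid == euid == suid and this is a no-op. */
static int drop_privs_temporarily(void)
{
    return setresuid((uid_t)-1, getuid(), (uid_t)-1);
}

/* Copy the saved uid (root, if the binary is setuid root) back into the euid. */
static int raise_privs(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return setresuid((uid_t)-1, s, (uid_t)-1);
}

/* Give root up for good: all three ids become the real user.  The result is
 * re-checked because a silently failed drop is the classic setuid mistake. */
static int drop_privs_permanently(void)
{
    uid_t u = getuid();
    if (setresuid(u, u, u) != 0)
        return -1;
    return (getuid() == u && geteuid() == u) ? 0 : -1;
}

/* Privilege is held only across open(); the fd stays valid after the euid drops. */
static int open_privileged(const char *path, int flags)
{
    if (raise_privs() != 0)
        return -1;
    int fd = open(path, flags | O_CLOEXEC);
    int open_errno = errno;
    if (drop_privs_temporarily() != 0) {   /* never carry on with a root euid */
        int e = errno;
        if (fd >= 0) close(fd);
        errno = e;
        return -1;
    }
    errno = open_errno;
    return fd;
}

/* Read or write one sector at byte offset off.  Return bytes transferred or -1. */
static ssize_t read_sector(const char *path, off_t off, unsigned char *buf)
{
    int fd = open_privileged(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, buf, SECTOR, off);
    int e = errno; close(fd); errno = e;
    return n;
}

static ssize_t write_sector(const char *path, off_t off, const unsigned char *buf)
{
    int fd = open_privileged(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = pwrite(fd, buf, SECTOR, off);
    int e = errno; close(fd); errno = e;
    return n;
}

/* Self-check an ordinary user can run: exercises the uid juggling and the I/O
 * path against a temp file standing in for the device (constructed).  1 = pass. */
static int selftest_roundtrip(void)
{
    char path[] = "/tmp/sdc-standin-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) { strcpy(path, "./sdc-standin-XXXXXX"); fd = mkstemp(path); }
    if (fd < 0) return 0;
    close(fd);
    unsigned char out[SECTOR], in[SECTOR];
    for (int i = 0; i < SECTOR; i++) out[i] = (unsigned char)(i * 7 + 3);
    int ok = drop_privs_temporarily() == 0
          && write_sector(path, SECTOR, out) == SECTOR
          && read_sector(path, SECTOR, in) == SECTOR
          && memcmp(in, out, SECTOR) == 0
          && geteuid() == getuid()           /* not left running with a root euid */
          && drop_privs_permanently() == 0;
    unlink(path);
    return ok;
}

int main(int argc, char **argv)
{
    if (drop_privs_temporarily() != 0) { perror("setresuid"); return 1; }
    if (argc > 1 && strcmp(argv[1], "--selftest") == 0)
        return selftest_roundtrip() ? 0 : 1;
    const char *dev = argc > 1 ? argv[1] : DEVICE;
    unsigned char buf[SECTOR];
    ssize_t n = read_sector(dev, 0, buf);
    if (n < 0) { perror(dev); return 1; }
    printf("read %zd bytes from %s (last two: %02x %02x)\n", n, dev, buf[510], buf[511]);
    return drop_privs_permanently() == 0 ? 0 : 1;
}
```

Run `./rawio --selftest` as a normal user before installing it setuid: with all three uids equal the setresuid() calls are no-ops, so the test proves only the I/O path and the error handling, which is exactly what you want to know works before handing the binary root.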
On Tue, Dec 02, 2008 at 05:21:24PM +0800, wk wrote:
> I want to write a C program, and a common user (not in the root group) will run this program. In this program I call fread(/dev/sdc...) and fwrite(/dev/sdc), but this call returns "permission no allow". If I use the root user, it is OK. How do I change the authority to root's? I know root's password.
Your best bet is "sudo", or better, look at pairs of tools like:
/usr/bin/system-config-bind /usr/sbin/system-config-bind
They take advantage of "consolehelper" and the common case that /usr/sbin is not in the search path of common users but /usr/bin is.
Note well, from the man page: consolehelper requires that a PAM configuration for every managed program exist. So to make /sbin/foo or /usr/sbin/foo managed, you need to create a link from /usr/bin/foo to /usr/bin/consolehelper and create the file /etc/pam.d/foo, normally using the pam_console(8) PAM module.
selinux@lists.fedoraproject.org