How do I grant a user application root privileges?

Time: 2022-09-21 09:36:36

I have a user-level C++ test application running on a Linux mobile device. One of the tests involves enabling/disabling the printer paper sensor, which requires root privileges to write to a device file. Is there a way to grant my application that kind of privilege? If not, is there a workaround for that?

4 answers

#1


3  

This will do,

as root execute:

chown -v root:root /path/to/yourapp
chmod -v 4755 /path/to/yourapp

or alternatively

chmod -v u+s /path/to/yourapp

or alternatively

man chmod

This will not work with scripts. And yes, you should take seriously what jdizzle said about dropping unnecessary privileges.

Another way to solve this is to make the user who runs the application a member of the group that owns the device file. For example,

ls -la /dev/devicefile
crw-rw---- 1 root printer 4, 0 may  6 10:56 /dev/devicefile

members of the printer group can read and write to the device, so you just need to add joe to the printer group (and restart the session).

gpasswd -a joe printer

If you need to adjust the devicefile permissions, you probably will need to edit udev rules to make it permanent. But chmod should work too.

Other options worth investigating: setcap(8) (nice guide here) and sudo(8).

#2


2  

You can set the program setuid root, which means it will always run as root even when run by a user. This typically requires special care to drop privileges inside the program once the necessary actions requiring root access are completed.
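Both answers above say that a setuid-root binary has to drop privileges once the privileged step is done, but neither shows how. The following is an added example written for this page, not code from either answerer. It assumes Linux (setresuid/setresgid/getresuid) and takes the device path on the command line; the /dev/devicefile fallback is only the placeholder name used in answer #1. The binary opens the device while it is still root, then permanently switches every uid and gid to the invoking user and checks that the switch cannot be undone.

```c
#define _GNU_SOURCE          /* setresuid/setresgid/getresuid are Linux extensions */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch real, effective and saved uid/gid to the target pair.
 * Order matters: group ids are changed first, because once the process is no
 * longer root it may not be allowed to change its gid any more.
 * Returns 0 on success, -1 on failure (errno is left from the failing call). */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    /* Supplementary groups survive setresgid(); clearing them needs root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify instead of trusting return codes: all three ids must match. */
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    /* A correct drop is irreversible: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* For a setuid-root binary: go back to the user who actually launched it. */
int drop_to_invoking_user(void)
{
    return drop_privileges_to(getuid(), getgid());
}

/* Open the device while still privileged, then drop before doing anything else.
 * Returns the open fd, or -1 on failure. The fd stays valid after the drop;
 * every later system call runs with the user's ids. */
int open_device_then_drop(const char *devpath)
{
    int fd = open(devpath, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (drop_to_invoking_user() != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Placeholder path; pass the real device file as the first argument. */
    const char *dev = argc > 1 ? argv[1] : "/dev/devicefile";
    int fd = open_device_then_drop(dev);
    if (fd < 0) {
        perror("open_device_then_drop");
        return 1;
    }
    printf("device open; now running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    close(fd);
    return 0;
}
```

The verification block is the part most setuid programs skip: a setuid() that fails and is ignored leaves the program running as root, and a drop that leaves the saved uid at 0 can be undone by any later setuid(0), which is why the function tries exactly that and treats success as an error.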

#3


1  

You could also have a helper program, itself setuid root (or with appropriate capabilities, or started through sudo) which communicates with the printer. Your main application would fork & exec that program and communicate with it through pipes, so it should not itself be running as root.

The helper program would be a simple executable (with appropriate capabilities) which would only be started by your main application (not directly by the user) and communicate with it through pipes or program arguments, etc.

A lot of graphical administrative programs are done likewise: the graphical part is a program separated from the administrative part, and they communicate appropriately. Only the administrative program (usually existing command line programs like adduser) needs special privilege.
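The privilege-separated design this answer describes, as an added example that is not the answerer's code: the unprivileged parent forks a helper, talks to it over two pipes, and the helper accepts exactly two commands ("enable" and "disable") and refuses everything else. So that the example runs without root, the child executes helper_serve() in-process instead of execv()-ing an installed setuid/capability helper binary, and the "device" is whatever path is passed in (a temporary file in the checks below); those are the only differences from the deployment the answer describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Privileged side: the only two things the helper will ever do to the device.
 * Returns 0 on success, -1 for an unknown command or a failed write. */
static int helper_apply(const char *cmd, const char *devpath)
{
    const char *value;
    if (strcmp(cmd, "enable") == 0)
        value = "1\n";
    else if (strcmp(cmd, "disable") == 0)
        value = "0\n";
    else
        return -1;                       /* anything else is rejected outright */

    int fd = open(devpath, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, value, strlen(value));
    close(fd);
    return n == (ssize_t)strlen(value) ? 0 : -1;
}

/* Helper loop: read one newline-terminated command from in_fd and answer
 * "OK\n" or "ERR\n" on out_fd. In a real deployment this is the main() of the
 * separate helper binary, with in_fd/out_fd being its stdin/stdout. */
static void helper_serve(int in_fd, int out_fd, const char *devpath)
{
    char buf[64];
    ssize_t n = read(in_fd, buf, sizeof buf - 1);
    if (n <= 0)
        return;
    buf[n] = '\0';
    char *nl = strchr(buf, '\n');
    if (nl)
        *nl = '\0';
    const char *reply = helper_apply(buf, devpath) == 0 ? "OK\n" : "ERR\n";
    (void)write(out_fd, reply, strlen(reply));
}

/* Unprivileged side: fork the helper, hand it the pipe ends, send one command
 * and wait for the reply. Returns 0 if the helper answered OK, 1 if it refused
 * or failed, -1 on a transport failure (pipe/fork/short write). */
int request_sensor(const char *cmd, const char *devpath)
{
    int to_helper[2], from_helper[2];
    if (pipe(to_helper) != 0 || pipe(from_helper) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(to_helper[1]);
        close(from_helper[0]);
        /* Deployment: dup2() the pipe ends onto 0/1 and execv() the installed
         * setuid/capability helper. Here the helper runs in-process instead. */
        helper_serve(to_helper[0], from_helper[1], devpath);
        _exit(0);
    }
    close(to_helper[0]);
    close(from_helper[1]);

    char line[64];
    int len = snprintf(line, sizeof line, "%s\n", cmd);
    ssize_t w = -1;
    if (len > 0 && len < (int)sizeof line)
        w = write(to_helper[1], line, (size_t)len);
    close(to_helper[1]);                  /* EOF tells the helper the command is complete */

    char reply[8] = {0};
    ssize_t r = read(from_helper[0], reply, sizeof reply - 1);
    close(from_helper[0]);
    waitpid(pid, NULL, 0);

    if (w != len || r <= 0)
        return -1;
    return strcmp(reply, "OK\n") == 0 ? 0 : 1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s enable|disable /dev/devicefile\n", argv[0]);
        return 2;
    }
    int rc = request_sensor(argv[1], argv[2]);
    printf("%s: %s\n", argv[1], rc == 0 ? "OK" : rc == 1 ? "refused" : "transport error");
    return rc == 0 ? 0 : 1;
}
```

The point of the split is visible in helper_apply(): the privileged side never takes a path, a value or a shell fragment from its caller, only one of two fixed words, so a compromised or buggy main application gets no more out of the helper than those two writes.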

#4


-2  

You should definitely try to avoid running your program as "root", as this would not only allow your program to read/write /dev/sensordevice but it would grant access to virtually everything on your system (including the ability to completely brick it).

You should therefore try to add fine-grained access to just the resource you need, using proper groups and making sure that your device file grants your group write access. See (e.g.) udev on how to write a proper udev rule that grants write access for a certain device to a given group.
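Before reaching for setuid, it is worth checking whether the group-based route recommended in answers #1 and #4 is actually in place. The following diagnostic is an added example, not code from any answerer: it stats the device, checks the group write bit, and checks whether the calling process is in the device's group, reporting which of the two is missing. The device path is an argument; /dev/devicefile is only the placeholder from answer #1.

```c
#define _POSIX_C_SOURCE 200809L
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* True if gid is the calling process's effective gid or one of its
 * supplementary groups (the ones gpasswd -a adds, effective after re-login). */
static int process_in_group(gid_t gid)
{
    if (gid == getegid())
        return 1;
    int n = getgroups(0, NULL);
    if (n <= 0)
        return 0;
    gid_t *groups = malloc((size_t)n * sizeof *groups);
    if (!groups)
        return 0;
    n = getgroups(n, groups);
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (groups[i] == gid) {
            found = 1;
            break;
        }
    }
    free(groups);
    return found;
}

/* Decide whether `path` is writable through its group permission by this
 * process. Returns 1 if yes, 0 if not (a reason is left in `why`), and -1 if
 * the path cannot be inspected at all. */
int device_group_writable(const char *path, char *why, size_t why_len)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        snprintf(why, why_len, "cannot stat %s", path);
        return -1;
    }
    struct group *g = getgrgid(st.st_gid);      /* may be NULL on minimal systems */
    const char *gname = g ? g->gr_name : "?";

    if (!(st.st_mode & S_IWGRP)) {
        snprintf(why, why_len,
                 "group %s (gid %u) has no write bit on %s; fix the udev rule or chmod",
                 gname, (unsigned)st.st_gid, path);
        return 0;
    }
    if (!process_in_group(st.st_gid)) {
        snprintf(why, why_len,
                 "this process is not in group %s (gid %u); add the user to it and log in again",
                 gname, (unsigned)st.st_gid);
        return 0;
    }
    snprintf(why, why_len, "ok: group %s may write %s", gname, path);
    return 1;
}

int main(int argc, char **argv)
{
    /* Placeholder path; pass the real device file as the first argument. */
    const char *dev = argc > 1 ? argv[1] : "/dev/devicefile";
    char why[256];
    int rc = device_group_writable(dev, why, sizeof why);
    printf("%s\n", why);
    return rc == 1 ? 0 : 1;
}
```

If the first message appears, the permanent fix is a udev rule of the form the answer points at, for example a line such as `KERNEL=="devicefile", GROUP="printer", MODE="0660"` in a file under /etc/udev/rules.d/ (names assumed; match them to the real device). If the second appears, `gpasswd -a joe printer` from answer #1 is the fix, and the new group only shows up in getgroups() once the user has logged in again.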
