we have an x86 mainboard, which has some GPIOs that are accessible using MMIO (memory-mapped input/output). The I/O region is located at address 0xfd6d0680 and following (only one page).
The program works fine when executed as root (with sudo). But the call to mmap() fails when executing it as a normal user. This is expected in the normal case, but as far as I understand, it should work when the executable is given the CAP_SYS_RAWIO capability:
$ ./ipc_gpio out=0
Read board name: 'MX370QD'
ERROR: open '/dev/mem' failed: Permission denied (13)
$ sudo setcap CAP_SYS_RAWIO+ep ipc_gpio
$ ./ipc_gpio out=0
Read board name: 'MX370QD'
ERROR: open '/dev/mem' failed: Permission denied (13)
$ sudo ./ipc_gpio out=0
Read board name: 'MX370QD'
$ getcap ipc_gpio
ipc_gpio = cap_sys_rawio+ep
Are there other restrictions in place for this address region? Or is another capability required for this purpose?
I suppose that making the executable setuid root (or maybe setgid kmem) would work, but from a security point of view, I'd rather avoid going that far.
Thank you!
Best regards, Philipp
CAP_SYS_RAWIO isn't all you need to access /dev/mem. Its regular file permissions apply too. You either need CAP_DAC_READ_SEARCH (if you just want to read and not write), CAP_DAC_OVERRIDE, setgid kmem, or change the permissions or set file ACLs on /dev/mem.
Related
I'm trying to setup a code-server (vscode in browser) instance and read/write from a mounted samba share. Unfortunately when I try to add a file it gives me an error that I do not have permissions to read/write to that folder. When I try to add files with the same credentials on Windows it does work though. This is the error that VSCode gives me:
Unable to write file
'vscode-remote://localhost:8080/home/user/repository/test'
(NoPermissions (FileSystemError): Error: EACCES: permission denied,
open '/home/gmetitieri/user/test')
If I sudo touch file.txt then the file will be created and added. I already used chmod and added full access to the folder but it still won't work. Is this a credentials thing or am I missing something?
I already tried this answer but it still doesn't let me write as non-root
Edit: This is the command I used to mount the drive (just with different folder names and IP address):
sudo mount -t cifs -o rw,vers=3.0,credentials=/root/.examplecredentials //192.168.18.112/sharedDir /media/share
Considering "non-root through Samba", especially in new releases of OpenSuse (...15.3 -- 15.4), I do few movements into normal configuration panels (no sudo commands or anything technical).
Using Yast Firewall section -- For now (immediate solution):
I turn off the firewall, then see what you can turn on (after this) to keep the samba working with Microsoft Windows.
More details on how to do this with images on my website.
This happens when the directory on the Samba share does not have permission for non-root users.
In your smb4.conf file:
[test]
comment = Test share
path = /path/to/directory
force user = unixuser
valid users = sambauser
In this example, unixuser should be the owner of the files in /path/to/directory. The user logged into Samba in this example is a user called sambauser.
I have written my gpio driver and register it with the system using udev. This created all my device files but the permission they are created is 600. how can I change this default permission to 666 or any other. Since I have to run my program reading this file using sudo.
Should i write any rules in udev.. please explain.
Or should i change operating permission of my program within my program itself to root.
Update: my udev rules.d contains
40-scratch.rules:
ATTRS{idVendor}=="0694", ATTRS{idProduct}=="0003", SUBSYSTEMS=="usb", ACTION=="add", MODE="0666", GROUP="plugdev"
and 99-input.rules:
SUBSYSTEM=="input", GROUP="input", MODE="0660"
and udev.conf:
udev_log="err"
I have a process that fork-execlp "iptables-restore file.rules". It looks like it doesn't have the permission since I don't see some of the rules not listed like INPUT DROP after the process executes. When I run this process as a root, it seems to be fine but not when I run as a user with following capabilities:
parent process - cap_kill,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
child ( iptables-restore ) - cap_net_admin,cap_net_raw+ei
What is the capability that I am missing?
I just got the same issue. My suspicion is that the issue is not about capabilities, but about simple filesystem permissions. The error I see is:
Fatal: can't open lock file /run/xtables.lock: Permission denied
The file is owned by root:root, and is RW only by the owner. So either change the file ownership to a group and chmod g+rw or use an alternative lock location using The XTABLES_LOCKFILE environment variable (based on iptables manual).
If anyone has a different solution I would love to hear about it.
i am accessing another ununtu linux system by ssh
now when i am going to change the permission of any file in that system then it shows
chmod: changing permissions of `Android.mk': Read-only file system
chmod: changing permissions of `system_init.cpp': Read-only file system
i have tried with sudo and login as root but still not getting why i am not able to change the permission of that files.?
Well the error message states the reason pretty clearly. Have you checked how the filesystem in question is mounted? Is the ro mount option set by any chance? If you have root access you can remount the filesystem without the read-only option, if that is a sensible thing to do in this case. It must have a reason why the fileystem was mounted read-only in the first place.
In an embedded system (2.4 kernel) I need raw socket access to the eth0 interface from a process not running as root.
I tried to address this problem by setting the CAP_NET_RAW capability from the command line and programmatically using cap_set_proc(), both with no success. It seems that I do not have the permission to do so, in the program I get an EPERM error, on the command line
Failed to set cap's on process `1586': (Operation not permitted)
Is there an easier way to do what I want? If not, what steps are necessary to successfully set the CAP_NET_RAW capability?
EDIT: I have root access, but running the process permanently as root is no option. The version of libcap is 1.10, there is no 'setcap' binary, but a 'setpcaps'.
EDIT - answering George Skoptsov:
If I get you right, your suggestion is to start a process with setuid, then set the CAP_NET_RAW capability and then drop the privileges. I tried this with the following code, but it does not seem to work, even though the caps command do not return errors. With the seteuid() commented out, raw access works, but only since the process is running as root then:
cap_t caps = cap_get_proc();
cap_value_t cap_list[1];
cap_list[0] = CAP_NET_RAW;
if (cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1)
{
printf("cap_set_flag error");
}
if (cap_set_proc(caps) == -1)
{
printf("cap_set_proc error");
}
if (seteuid(getuid()) != 0)
{
printf("seteuid error");
}
function_that_needs_raw_access();
Thanks for your help.
Chris
Generally, you need root permissions to receive raw packets on an interface. This restriction is a security precaution, because a process that receives raw packets gains access to communications of all other processes and users using that interface.
However, if you have access to root on the machine, you can use the setuid flag to give your process root privileges even when the process is executed as a non-root user.
First, ensure that this capability is set successfully when the process is run as root. Then use
sudo chown root process
sudo chmod ugo+s process
to set root as owner of the process and set the setuid flag. Then check that the capability is set when the process is run by other users. Because this process will now have all superuser privileges, you should observe security precautions, and drop the privileges as soon as your code no longer requires it (after enabling the CAP_NET_RAW).
You can follow this method to ensure you're dropping them properly.
You can give an executable program the ability to use the CAP_NET_RAW privilege without giving it other root privileges.
$ setcap cap_net_raw=pe *program*
You cannot give this privilege without having this privilege. Certainly root can give this privilege to programs.
The process must be run as root, or have the CAP_NET_RAW capabilities on the executable.
In order to set CAP_NET_RAW, you need to run the setcap command as root. Once set, you can run the executable as another user, and it'll have access to raw packet capturing.
If you do not have root access in anyway, nor can get anyone with root access to set CAP_NET_RAW or setuid root on the executable, you'll not be able to do packet capturing as a non-root user.
TL;DR IMHO not supported in kernel < 3.0.
There was a discussion about supporting it in kernel netdev mailing list:
https://lwn.net/Articles/420800/ and https://lwn.net/Articles/420801/.
And included it in commit
c319b4d76b9e583a5d88d6bf190e079c4e43213d, released in kernel 3.0:
commit c319b4d76b9e583a5d88d6bf190e079c4e43213d
Author: Vasiliy Kulikov <segoon#openwall.com>
Date: Fri May 13 10:01:00 2011 +0000
net: ipv4: add IPPROTO_ICMP socket kind
Follows: v2.6.39-rc2
Precedes: v3.0-rc1
Running ping without CAP_NET_RAW (i.e. without setting capabilities or without set-uid) was implemented for ping in revision 87dbb3a5db657d5eae6934707beaf0507980a1c3, released in iputils s20150815:
commit 87dbb3a5db657d5eae6934707beaf0507980a1c3
Author: Nikos Mavrogiannopoulos <nmav#redhat.com>
Date: Fri May 29 11:01:00 2015 +0200
This patch allows running ping and ping6 without root privileges on
kernels that support it. Almost identical to Lorenzo
Colitti's original patch except:
...
Follows: s20140519
Precedes: s20150815