How to allow non-root users access to a device file


15

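There is a device file in /dev that appears when a particular board is plugged in. Read and write operations on it work fine, but to open the device file the program has to be run with root privileges. Is there a way to let all non-root users open this one specific device file without having to use sudo?

Answers: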


16

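Yes, you can write a udev rule.

In /etc/udev/rules.d, make a file 30-mydevice.rules (the number has to be from 0 to 99 and only decides the order in which the scripts run; the name doesn't really matter, it just has to be descriptive; the .rules extension is required, though).

In this example, I'm assuming your device is USB-based and you know its vendor and product ID (which can be checked using lsusb -v), and that you're using the mydevice group, which your user has to be in to use the device. In that case, this should be the file contents: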

SUBSYSTEM=="usb", ATTR{idVendor}=="0123", ATTR{idProduct}=="4567", ACTION=="add", GROUP="mydevice", MODE="0664"

A MODE equal to 0664 allows the device to be written to by its owner (probably root) and the defined group.


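What is the role of the number in the rules file name? I mean, the 30 in the file name?
Saeid Yazdani

These configuration files are loaded in alphabetical order. By putting a number in front of the actual file name, you can define the order in which they are loaded.
Paolo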
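A small linter for rules of the kind shown in this answer, as an added example (not code from the answer or from the udev project): it parses a rule line and flags an obsolete SYSFS{} match key, a MODE that is world-writable, group bits without a GROUP assignment, and a rule that is not narrowed to one device. The sample rules are constructed and reuse the placeholder IDs from the answer; values containing escaped quotes are not handled.

```python
import re

# One KEY{attr} OP "value" token; operators as documented in udev(7).
TOKEN = re.compile(
    r'\s*([A-Z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*(?:,|$)')

def parse_rule(line):
    """Split one rule line into (key, attr, op, value) tuples."""
    line, tokens, pos = line.strip(), [], 0
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse rule at column {pos}: {line[pos:]!r}")
        tokens.append(m.groups())
        pos = m.end()
    return tokens

def lint_rule(line):
    """Return findings for a rule that hands a device node to non-root users."""
    tokens = parse_rule(line)
    match_keys = [k for k, _, op, _ in tokens if op in ("==", "!=")]
    assigned = {k: v for k, _, op, v in tokens if op in ("=", ":=")}
    findings = []
    if "SYSFS" in match_keys:
        findings.append("obsolete-key: SYSFS{} was replaced by ATTR{}/ATTRS{}")
    if "MODE" in assigned:
        mode = int(assigned["MODE"], 8)
        if mode & 0o002:
            findings.append("world-writable: every local user can write to the node")
        elif mode & 0o060 and "GROUP" not in assigned:
            findings.append("no-group: group bits set but GROUP is not assigned")
        if not set(match_keys) - {"SUBSYSTEM", "ACTION"}:
            findings.append("too-broad: rule applies to every device in the subsystem")
    return findings

# Constructed sample rules (vendor/product IDs are the placeholders from the answer).
SAMPLES = [
    'SUBSYSTEM=="usb", ATTR{idVendor}=="0123", ATTR{idProduct}=="4567", '
    'ACTION=="add", GROUP="mydevice", MODE="0664"',
    'SUBSYSTEM=="usb", SYSFS{idVendor}=="0123", SYSFS{idProduct}=="4567", MODE="0660"',
    'SUBSYSTEM=="usb", ACTION=="add", MODE="0666"',
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule)
        for finding in lint_rule(rule) or ["ok"]:
            print("   ", finding)
```
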

3

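One way is to add the user to the corresponding "device-group". Linux has a whole set of groups for different kinds of devices (disk, floppy, tty, video, cdrom, ...), so you can add the user to the corresponding group in /etc/group.

Another way is to create a "pseudo user" (e.g. games-user). Add this user to the device groups you need. Finally, change the owner of the specific program (e.g. a program that scans images) to this user and set "chmod u+s". The program then runs as the pseudo user instead of the real user, and so has access to the device. You can use the program's group to restrict which users are able to run the program.

Finally, you can set the group of a program that needs a specific device to the device group and set "chmod g+s". The program then runs with the group's rights (in addition to the rights of the normal user running it), and so is granted extended access to the device.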


-1

Yes, you can, but you need root privileges first. Since Linux 2.2 there are capabilities, which split up the root privileges for use. From the list below, you can use:

setcap cap_net_raw,cap_net_admin=eip xxxx

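xxxx is any executable program. You can call libpcap yourself.

Capabilities list: The following list shows the capabilities implemented on Linux, and the operations or behaviors that each capability permits.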

   CAP_AUDIT_CONTROL (since Linux 2.6.11)
          Enable and disable kernel auditing; change auditing filter
          rules; retrieve auditing status and filtering rules.

   CAP_AUDIT_READ (since Linux 3.16)
          Allow reading the audit log via a multicast netlink socket.

   CAP_AUDIT_WRITE (since Linux 2.6.11)
          Write records to kernel auditing log.

   CAP_BLOCK_SUSPEND (since Linux 3.5)
          Employ features that can block system suspend (epoll(7)
          EPOLLWAKEUP, /proc/sys/wake_lock).

   CAP_CHOWN
          Make arbitrary changes to file UIDs and GIDs (see chown(2)).

   CAP_DAC_OVERRIDE
          Bypass file read, write, and execute permission checks.  (DAC
          is an abbreviation of "discretionary access control".)

   CAP_DAC_READ_SEARCH
          * Bypass file read permission checks and directory read and
            execute permission checks;
          * invoke open_by_handle_at(2);
          * use the linkat(2) AT_EMPTY_PATH flag to create a link to a
            file referred to by a file descriptor.

   CAP_FOWNER
          * Bypass permission checks on operations that normally require
            the filesystem UID of the process to match the UID of the
            file (e.g., chmod(2), utime(2)), excluding those operations
            covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;
          * set inode flags (see ioctl_iflags(2)) on arbitrary files;
          * set Access Control Lists (ACLs) on arbitrary files;
          * ignore directory sticky bit on file deletion;
          * specify O_NOATIME for arbitrary files in open(2) and
            fcntl(2).

   CAP_FSETID
          * Don't clear set-user-ID and set-group-ID mode bits when a
            file is modified;
          * set the set-group-ID bit for a file whose GID does not match
            the filesystem or any of the supplementary GIDs of the
            calling process.

   CAP_IPC_LOCK
          Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).

   CAP_IPC_OWNER
          Bypass permission checks for operations on System V IPC
          objects.

   CAP_KILL
          Bypass permission checks for sending signals (see kill(2)).
          This includes use of the ioctl(2) KDSIGACCEPT operation.

   CAP_LEASE (since Linux 2.4)
          Establish leases on arbitrary files (see fcntl(2)).

   CAP_LINUX_IMMUTABLE
          Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see
          ioctl_iflags(2)).

   CAP_MAC_ADMIN (since Linux 2.6.25)
          Allow MAC configuration or state changes.  Implemented for the
          Smack Linux Security Module (LSM).

   CAP_MAC_OVERRIDE (since Linux 2.6.25)
          Override Mandatory Access Control (MAC).  Implemented for the
          Smack LSM.

   CAP_MKNOD (since Linux 2.4)
          Create special files using mknod(2).

   CAP_NET_ADMIN
          Perform various network-related operations:
          * interface configuration;
          * administration of IP firewall, masquerading, and accounting;
          * modify routing tables;
          * bind to any address for transparent proxying;
          * set type-of-service (TOS)
          * clear driver statistics;
          * set promiscuous mode;
          * enabling multicasting;
          * use setsockopt(2) to set the following socket options:
            SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
            range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.

   CAP_NET_BIND_SERVICE
          Bind a socket to Internet domain privileged ports (port
          numbers less than 1024).

   CAP_NET_BROADCAST
          (Unused)  Make socket broadcasts, and listen to multicasts.

   CAP_NET_RAW
          * Use RAW and PACKET sockets;
          * bind to any address for transparent proxying.

   CAP_SETGID
          * Make arbitrary manipulations of process GIDs and
            supplementary GID list;
          * forge GID when passing socket credentials via UNIX domain
            sockets;
          * write a group ID mapping in a user namespace (see
            user_namespaces(7)).

   CAP_SETFCAP (since Linux 2.6.24)
          Set file capabilities.

   CAP_SETPCAP
          If file capabilities are not supported: grant or remove any
          capability in the caller's permitted capability set to or from
          any other process.  (This property of CAP_SETPCAP is not
          available when the kernel is configured to support file
          capabilities, since CAP_SETPCAP has entirely different
          semantics for such kernels.)

          If file capabilities are supported: add any capability from
          the calling thread's bounding set to its inheritable set; drop
          capabilities from the bounding set (via prctl(2)
          PR_CAPBSET_DROP); make changes to the securebits flags.

   CAP_SETUID
          * Make arbitrary manipulations of process UIDs (setuid(2),
            setreuid(2), setresuid(2), setfsuid(2));
          * forge UID when passing socket credentials via UNIX domain
            sockets;
          * write a user ID mapping in a user namespace (see
            user_namespaces(7)).

   CAP_SYS_ADMIN
          Note: this capability is overloaded; see Notes to kernel
          developers, below.

          * Perform a range of system administration operations
            including: quotactl(2), mount(2), umount(2), swapon(2),
            setdomainname(2);
          * perform privileged syslog(2) operations (since Linux 2.6.37,
            CAP_SYSLOG should be used to permit such operations);
          * perform VM86_REQUEST_IRQ vm86(2) command;
          * perform IPC_SET and IPC_RMID operations on arbitrary System
            V IPC objects;
          * override RLIMIT_NPROC resource limit;
          * perform operations on trusted and security Extended
            Attributes (see xattr(7));
          * use lookup_dcookie(2);
          * use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before
            Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
          * forge PID when passing socket credentials via UNIX domain
            sockets;
          * exceed /proc/sys/fs/file-max, the system-wide limit on the
            number of open files, in system calls that open files (e.g.,
            accept(2), execve(2), open(2), pipe(2));
          * employ CLONE_* flags that create new namespaces with
            clone(2) and unshare(2) (but, since Linux 3.8, creating user
            namespaces does not require any capability);
          * call perf_event_open(2);
          * access privileged perf event information;
          * call setns(2) (requires CAP_SYS_ADMIN in the target
            namespace);
          * call fanotify_init(2);
          * call bpf(2);
          * perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2)
            operations;
          * use ptrace(2) PTRACE_SECCOMP_GET_FILTER to dump a tracee's
            seccomp filters;
          * perform madvise(2) MADV_HWPOISON operation;
          * employ the TIOCSTI ioctl(2) to insert characters into the
            input queue of a terminal other than the caller's
            controlling terminal;
          * employ the obsolete nfsservctl(2) system call;
          * employ the obsolete bdflush(2) system call;
          * perform various privileged block-device ioctl(2) operations;
          * perform various privileged filesystem ioctl(2) operations;
          * perform privileged ioctl(2) operations on the /dev/random
            device (see random(4));
          * install a seccomp(2) filter without first having to set the
            no_new_privs thread attribute;
          * modify allow/deny rules for device control groups;
          * employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to
            dump tracee's seccomp filters;
          * employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend
            the tracee's seccomp protections (i.e., the
            PTRACE_O_SUSPEND_SECCOMP flag).
          * perform administrative operations on many device drivers.

   CAP_SYS_BOOT
          Use reboot(2) and kexec_load(2).

   CAP_SYS_CHROOT
          Use chroot(2).

   CAP_SYS_MODULE
          * Load and unload kernel modules (see init_module(2) and
            delete_module(2));
          * in kernels before 2.6.25: drop capabilities from the system-
            wide capability bounding set.

   CAP_SYS_NICE
          * Raise process nice value (nice(2), setpriority(2)) and
            change the nice value for arbitrary processes;
          * set real-time scheduling policies for calling process, and
            set scheduling policies and priorities for arbitrary
            processes (sched_setscheduler(2), sched_setparam(2),
            sched_setattr(2));
          * set CPU affinity for arbitrary processes
            (sched_setaffinity(2));
          * set I/O scheduling class and priority for arbitrary
            processes (ioprio_set(2));
          * apply migrate_pages(2) to arbitrary processes and allow
            processes to be migrated to arbitrary nodes;
          * apply move_pages(2) to arbitrary processes;
          * use the MPOL_MF_MOVE_ALL flag with mbind(2) and
            move_pages(2).

   CAP_SYS_PACCT
          Use acct(2).

   CAP_SYS_PTRACE
          * Trace arbitrary processes using ptrace(2);
          * apply get_robust_list(2) to arbitrary processes;
          * transfer data to or from the memory of arbitrary processes
            using process_vm_writev(2);
          * inspect processes using kcmp(2).

   CAP_SYS_RAWIO
          * Perform I/O port operations (iopl(2) and ioperm(2));
          * access /proc/kcore;
          * employ the FIBMAP ioctl(2) operation;
          * open devices for accessing x86 model-specific registers
            (MSRs, see msr(4));
          * update /proc/sys/vm/mmap_min_addr;
          * create memory mappings at addresses below the value
            specified by /proc/sys/vm/mmap_min_addr;
          * map files in /proc/bus/pci;
          * open /dev/mem and /dev/kmem;
          * perform various SCSI device commands;
          * perform certain operations on hpsa(4) and cciss(4) devices;
          * perform a range of device-specific operations on other
            devices.

   CAP_SYS_RESOURCE
          * Use reserved space on ext2 filesystems;
          * make ioctl(2) calls controlling ext3 journaling;
          * override disk quota limits;
          * increase resource limits (see setrlimit(2));
          * override RLIMIT_NPROC resource limit;
          * override maximum number of consoles on console allocation;
          * override maximum number of keymaps;
          * allow more than 64hz interrupts from the real-time clock;
          * raise msg_qbytes limit for a System V message queue above
            the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
            msgctl(2));
          * allow the RLIMIT_NOFILE resource limit on the number of "in-
            flight" file descriptors to be bypassed when passing file
            descriptors to another process via a UNIX domain socket (see
            unix(7));
          * override the /proc/sys/fs/pipe-size-max limit when setting
            the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
            command.
          * use F_SETPIPE_SZ to increase the capacity of a pipe above
            the limit specified by /proc/sys/fs/pipe-max-size;
          * override /proc/sys/fs/mqueue/queues_max limit when creating
            POSIX message queues (see mq_overview(7));
          * employ the prctl(2) PR_SET_MM operation;
          * set /proc/[pid]/oom_score_adj to a value lower than the
            value last set by a process with CAP_SYS_RESOURCE.

   CAP_SYS_TIME
          Set system clock (settimeofday(2), stime(2), adjtimex(2)); set
          real-time (hardware) clock.

   CAP_SYS_TTY_CONFIG
          Use vhangup(2); employ various privileged ioctl(2) operations
          on virtual terminals.

   CAP_SYSLOG (since Linux 2.6.37)
          * Perform privileged syslog(2) operations.  See syslog(2) for
            information on which operations require privilege.
          * View kernel addresses exposed via /proc and other interfaces
            when /proc/sys/kernel/kptr_restrict has the value 1.  (See
            the discussion of the kptr_restrict in proc(5).)

   CAP_WAKE_ALARM (since Linux 3.0)
          Trigger something that will wake up the system (set
          CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
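To review what a setcap string such as the one in this answer actually grants, the following added example (not part of the answer and not libcap's own code) parses the textual capability format into effective, inheritable and permitted sets. It then reports whether the effective set contains one of the two capabilities that the list above describes as bypassing file permission checks. The name table is taken from the list on this page; the function names are assumptions of this example.

```python
import re

# Capability names as listed on this page, in the lower-case form setcap takes.
KNOWN = {"cap_" + n for n in """audit_control audit_read audit_write block_suspend
chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease
linux_immutable mac_admin mac_override mknod net_admin net_bind_service
net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot
sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time
sys_tty_config syslog wake_alarm""".split()}
# Per the list above, these bypass file permission checks.
BYPASS_DAC = {"cap_dac_override", "cap_dac_read_search"}

# A clause is an optional comma-separated name list followed by one or more
# operator+flags groups, e.g. "cap_net_raw,cap_net_admin=eip" or "all=ep".
CLAUSE = re.compile(r'^([a-z_,]*)((?:[=+-][eip]*)+)$')

def parse_caps(text):
    """Apply each clause left to right; return {'e': set, 'i': set, 'p': set}."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = CLAUSE.match(clause.lower())
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        names = {n for n in m.group(1).split(",") if n}
        if names == {"all"} or (not names and m.group(2).startswith("=")):
            names = set(KNOWN)          # "=ep" is shorthand for "all=ep"
        if not names or names - KNOWN:
            raise ValueError(f"bad capability list in {clause!r}")
        for op, flags in re.findall(r'([=+-])([eip]*)', m.group(2)):
            if op == "=":               # '=' first clears the names from every set
                for s in sets.values():
                    s -= names
            for f in flags:
                if op == "-":
                    sets[f] -= names
                else:
                    sets[f] |= names
    return sets

def bypasses_file_permissions(text):
    """True if the effective set holds a capability that bypasses file permission checks."""
    return bool(parse_caps(text)["e"] & BYPASS_DAC)

if __name__ == "__main__":
    for spec in ("cap_net_raw,cap_net_admin=eip", "cap_dac_override+ep"):
        print(spec, "->", bypasses_file_permissions(spec))
```
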
Licensed under cc by-sa 3.0 with attribution required.