Re: Modifying kernel so that non-root users have some root capabilities

From: Roger Larsson
Date: Tue May 25 2004 - 18:50:51 EST

Next message: Christian Kujau: "Re: Installing 2.6.6 on hp zx6000"
Previous message: Andrey Nekrasov: "sata promise and software raid5..."
In reply to: Bill Davidsen: "Re: Modifying kernel so that non-root users have some root capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I've been tasked with modifying a 2.4 kernel so that a non-root user can
> do the following:
>
> Dynamically change the priorities of processes (up and down)
> Lock processes in memory
> Can change process cpu affinity
>
> Anyone got any ideas about how I could start doing this? (I'm new to
> kernel development, btw.)

Audio development folks has a SELinux module that does almost this.

"The latest version of the realtime Linux Security Module is now
available on SourceForge...

http://prdownloads.sourceforge.net/realtime-lsm/realtime-lsm-0.1.1.tar.gz?download

This release handles changes to the capabilities structure introduced
in Linux 2.6.6, but still works with earlier 2.6 kernels. There are
no functional changes. Unless you are running 2.6.6, there is no need
to upgrade. Changes in the 2.6.6 kernel makefiles affect the
procedure for building the realtime-lsm. Please consult the INSTALL
instructions for details.

The realtime LSM is an installable kernel module that enables realtime
capabilities for any 2.6 kernel without needing to directly patch the
kernel. It was written by Torben Hohn and Jack O'Quin, who make no
warranty concerning the safety, security or even stability of your
system when using it. It is provided under the provisions of the GPL.
--
joq"

Usage like this:
"Once the LSM has been installed and the kernel for which it was built
is running, the root user can load it and pass parameters as follows:

# modprobe realtime any=1

Any program can request realtime privileges. This allows any local
user to crash the system by hogging the CPU in a tight loop or
locking down too much memory. But, it is simple to administer. :-)

# modprobe realtime gid=29

All users belonging to group 29 and programs that are setgid to that
group have realtime privileges. Use any group number you like.

# modprobe realtime mlock=0

Grants realtime scheduling privileges without the ability to lock
memory using mlock() or mlockall() system calls. This option can be
used in conjunction with any of the other options.
"

/RogerL
(not subscribed but reading archives now and then)

--
Roger Larsson
Skellefteå
Sweden
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christian Kujau: "Re: Installing 2.6.6 on hp zx6000"
Previous message: Andrey Nekrasov: "sata promise and software raid5..."
In reply to: Bill Davidsen: "Re: Modifying kernel so that non-root users have some root capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]