LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 12-17-2008, 11:20 AM   #1
yankeeinga
LQ Newbie
 
Registered: Aug 2008
Location: Metro Atlanta
Distribution: OpenSUSE
Posts: 7

Rep: Reputation: 0
Setting up a daemon to access files in the /dev directory.


Hi all,

I'm not sure if this is the right forum, so if it isn't please let me know.

I am working on a commercial product that runs on Linux. Currently the program is run as root so it can access the tape drive mounted on /dev/st0 (or /dev/nst0). However, I want to run it as another user (similar to how the mysql server is run as user mysql.)

If I am not mistaken, running such a program as root can be a security risk.

My question is how to go about writing setup scripts so the daemon user can access the tape drives. Do I need to add the daemon user to a group?

Also, it is possible that the tape drive will be swapped out and that more than one file descriptor in /dev will be used. Can you give me any pointers on how to deal with this?

Thank you.

Regards,

Mike
 
Old 12-18-2008, 09:05 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Not an expert, but I don't think it would be proper for an application to change the ownership, group ownership, permissions or acls on a device node, if that is what you are thinking of doing. You didn't indicate this however.

I tried looking for Policies covering tape devices, and looked in /etc/udev/rules.d/60-persistent-storage-tape.rules for clues. Some distros may use PolicyKit to allow a regular user matching certain criteria to read and write to the /dev/st0 or /dev/nst0 devices. PolicyKit grants access by using facls.
For example:
Code:
ls -ld /dev/dsp
crw-rw----+ 1 root audio 14, 3 Dec  6 07:35 /dev/dsp
jschiwal@hpmedia:/etc/udev/rules.d> getfacl /dev/dsp
getfacl: Removing leading '/' from absolute path names
# file: dev/dsp
# owner: root
# group: audio
user::rw-
user:jschiwal:rw-
group::rw-
mask::rw-
other::---
A service could start out as root and then demote its own permissions. I think that "disk" group membership would allow writing to the tape device, but it would also allow writing to any disk.

If this application is a gui app, you might want to split it into a gui client running as the user and a service daemon running as root, or disk or your system group you mentioned. One technique is to start out as root and then demote oneself as soon as possible. You could spawn a process of your "system user" and keep the old process running as root, to be able to send control commands to the tape device.

If your application is a backup program, and needs to backup root-only readable files, then it will probably need to be run as root.

Perhaps study how amanda or a similar program works. There is an Amanda user and it uses the disk group.
Quote:
Originally Posted by file:///usr/share/doc/howto/en/html/Linux-Complete-Backup-and-Recovery-HOWTO/overview.html
Amanda does require setting ownership by hand if you back up the amanda data directory with save.metadata. Something like:
bash# chown -R amanda:disk /var/lib/amanda
Sorry, I can't be of more help. Good Luck!

Last edited by jschiwal; 12-18-2008 at 09:07 PM.
 
Old 12-19-2008, 09:10 AM   #3
yankeeinga
LQ Newbie
 
Registered: Aug 2008
Location: Metro Atlanta
Distribution: OpenSUSE
Posts: 7

Original Poster
Rep: Reputation: 0
jschiwal, I think that is EXACTLY what I needed. So I guess my instinct of adding the daemon uid to the disk group was on the right track. I also need to write an installation script, so using setfacl might be another option to access /dev/st0.

However, given that there is a possibility that the tape drives will move around in the /dev directory, changing the group of the executable seems to be the best option.

I've been using Linux for years, however my admin skills are admittedly weak.

Thanks again.
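As an added example (not part of the thread, and not code from the original poster's product or from any of the posters), here is a sketch of the installation script the first post asks for, applied to the advice in the replies: a dedicated tape group instead of disk (which, as reply #2 notes, would also grant write access to every disk), a udev rule keyed on the kernel device name so the grant survives a drive swap and node renumbering (the concern raised in posts #1 and #3), and a check that every st*/nst* node ends up with the intended group and mode. The service user name tapesvc, the group name tape and the rule file name /etc/udev/rules.d/70-tape-access.rules are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: install-time setup that lets an
# unprivileged daemon user open SCSI tape nodes without running as root.
#
# Assumptions (not stated in the thread):
#   - tape nodes are named st<N>/nst<N> by the kernel (subsystem scsi_tape)
#   - service account "tapesvc", access group "tape"; a dedicated group is
#     used instead of "disk" because "disk" also grants write access to
#     every block device
#   - shadow-utils (groupadd, useradd, usermod) and udevadm are available

TAPE_GROUP="${TAPE_GROUP:-tape}"
RULE_FILE="${RULE_FILE:-/etc/udev/rules.d/70-tape-access.rules}"

# Print a udev rule that applies GROUP and mode 0660 to every current and
# future tape node. Matching on the kernel name rather than a fixed path
# means the grant still holds when st0 becomes st1 after a drive swap.
tape_udev_rule() {
    group="$1"
    printf 'KERNEL=="st[0-9]*|nst[0-9]*", SUBSYSTEM=="scsi_tape", GROUP="%s", MODE="0660"\n' "$group"
}

# Return 0 if NODE is group-owned by GROUP with mode 0660 (rw for owner and
# group, nothing for others); 1 otherwise. stat -c is GNU coreutils syntax.
node_access_ok() {
    node="$1"; group="$2"
    [ -e "$node" ] || return 1
    [ "$(stat -c '%G' "$node")" = "$group" ] || return 1
    [ "$(stat -c '%a' "$node")" = "660" ] || return 1
    return 0
}

# Check every st*/nst* node under DEVDIR; print each node that fails
# node_access_ok and return 0 only if all of them pass.
check_tape_nodes() {
    devdir="$1"; group="$2"; bad=0
    for node in "$devdir"/st[0-9]* "$devdir"/nst[0-9]*; do
        [ -e "$node" ] || continue   # unmatched glob stays literal in sh
        if ! node_access_ok "$node" "$group"; then
            echo "not accessible by group $group: $node"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Root-only: create the group and service user, install the rule, reload
# udev so existing nodes are relabelled, then verify the result.
install_tape_access() {
    user="$1"; group="$2"
    [ "$(id -u)" -eq 0 ] || { echo "install_tape_access must run as root" >&2; return 1; }
    groupadd -f "$group"
    id "$user" >/dev/null 2>&1 || useradd -r -s "$(command -v nologin || echo /bin/false)" "$user"
    usermod -aG "$group" "$user"
    tape_udev_rule "$group" > "$RULE_FILE"
    udevadm control --reload-rules
    udevadm trigger --subsystem-match=scsi_tape
    check_tape_nodes /dev "$group"
}

# Usage when run directly as root (commented out so the file can be sourced):
# install_tape_access tapesvc "$TAPE_GROUP"
# As a final check, run a harmless tape command as the service user, e.g.
# su -s /bin/sh tapesvc -c 'mt -f /dev/nst0 status'
```

The udev rule only governs who may open the device node; as reply #2 points out, a backup program that must read root-only files still needs root for that part, and the start-as-root-then-demote pattern is the way to keep that privilege out of the bulk of the code.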
 
  

