LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices


Reply
  Search this Thread
Old 10-06-2010, 07:41 AM   #1
iprion
LQ Newbie
 
Registered: Oct 2010
Posts: 4

Rep: Reputation: 0
Linux capabilities: how to use only CAP_SYS_TIME?


Is it possible to change system time (using C function settimeofday for example) without setting the executable user id to root ? I've found that this might be solved using linux capability CAP_SYS_TIME, but I don't know how to enable this capability. "setpcaps" tool can do that on a running process, but is there a way to to that permanently on the executable itself ??
 
Old 10-06-2010, 10:48 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Some tasks are done by root-owned processes for a reason. So for what reason exactly would you want to elevate a process other than root to include CAP_SYS_TIME?
 
Old 10-07-2010, 02:42 AM   #3
iprion
LQ Newbie
 
Registered: Oct 2010
Posts: 4

Original Poster
Rep: Reputation: 0
This software will run on a production site 24h a day, will manipulate several devices, will write massive amount of data, operators will be able to export chunk of data ... and it seems reasonable to limit accessible devices and directories ... to remove potential issues. But this software has to timestamped written data using system clock, and a special type of external clock. This external clock delivers precise date and time on a regular basis, and so, when a delta is detected between system time and external clock time I have to adjust system time. But for now I'm only able to do that by running the software with root privileges.
 
Old 10-07-2010, 03:38 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
The ancient adage of separate tools and purposes and performing tasks well goes for this as well, doesn't it? I mean if you're going to adjtime() then aren't you trying to replace ntpd? The NTP daemon does getcap() then setcap() dropping everything from the processes three capability bounding tables to end up with only CAP_SYS_TIME. I'll move this to the Programming forum as that's a more appropriate place for discussing use of capabilities and syscalls and I suggest you look at the ntpd source.
 
1 members found this post helpful.
Old 10-07-2010, 04:35 AM   #5
iprion
LQ Newbie
 
Registered: Oct 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Unfortunately we can't use ntpd since the machine won't be connected to any network. I see that ntpd has to be run with root privileges and then is just keeping cap_sys_time capability. So it means you need a root access to run it. In my case I wanted the operator that will run the software not to have root access to the machine but maybe it is not possible.
 
Old 10-07-2010, 06:08 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by iprion View Post
Unfortunately we can't use ntpd since the machine won't be connected to any network.
Bummer.


Quote:
Originally Posted by iprion View Post
I see that ntpd has to be run with root privileges and then is just keeping cap_sys_time capability.
If you can't have or allow the full capability set to start out with or have a higher privileged process grant the other CAP_SYS_TIME then the only way, without setting the executable user id to root, as you originally asked for would be some in-kernel framework. IIRC without setuid root or usrland tools GRSecurity's RBAC should be able to do something like:
Code:
subject /path/to/process {
        /dev               rx
        /proc              rx

        -CAP_ALL
        +CAP_SYS_TIME
 
1 members found this post helpful.
Old 10-07-2010, 09:12 AM   #7
iprion
LQ Newbie
 
Registered: Oct 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Patching the kernel is not the easiest option for us, so I think I'll run my software as root and reuse ntdp code to switch to an unprivileged user and group and add cap_sys_time capability. Thank's a lot for all the hints !
 
Old 10-07-2010, 09:16 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Yeah, I thought that wouldn't fly. Good luck with it!
 
Old 10-10-2010, 03:39 AM   #9
honeybadger
Member
 
Registered: Aug 2007
Location: India
Distribution: Slackware (mainly) and then a lot of others...
Posts: 855

Rep: Reputation: Disabled
Hi,
I understand that the issue has been resolved but I think there is another thing that may help. I understand I may be wrong so please correct me.
1) If you are using a red hat based system then /etc/sysconfig might help.
2) In any case would we not be able to use sudo so that we can give these rights to a perticular group?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Is there any Linux Distro with Multimedia Capabilities xlnt Linux - Newbie 14 12-19-2006 12:26 PM
Linux Dual-Head Capabilities tvynr Linux - Software 2 11-27-2006 06:01 PM
Multi-User Linux Capabilities Baryonic Being Linux - General 11 08-27-2004 12:18 PM
How to enable linux filesystem capabilities for kernel 2.24.18 toubo Linux - General 8 08-20-2004 10:09 AM
Linux multiuser capabilities for one user? mlhammer Linux - Newbie 4 11-10-2003 09:41 PM

LinuxQuestions.org > Forums > Non-*NIX Forums > Programming

All times are GMT -5. The time now is 06:18 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration