My program is using the Linux system call setpriority() to change the priorities of the threads it creates. It needs to set negative priorities (-10) but, as mentioned on the documentation, this fails when run as a normal user.
我的程序使用Linux系统调用setpriority()来更改它创建的线程的优先级。它需要设置负优先级(-10),但是,如文档中所述,当以普通用户身份运行时,这会失败。
The user needs the CAP_SYS_NICE capability to be able to set the priorities as he wants, but I have no idea how to give such capability to the user.
用户需要CAP_SYS_NICE功能才能根据需要设置优先级,但我不知道如何为用户提供此类功能。
So my question: how to set CAP_SYS_NICE capability to a Linux user?
所以我的问题是:如何为Linux用户设置CAP_SYS_NICE功能?
4 个解决方案
#1
2
Jan Hudec is right that a process can't just give itself a capability, and a setuid wrapper is the obvious way get the capability. Also, keep in mind that you'll need to prctl(PR_SET_KEEPCAPS, ...) when you drop root. (See the prctl man page for details.) Otherwise, you'll drop the capability when you transition to your non-root real user id.
Jan Hudec是对的,一个进程不能只给自己一个功能,而setuid包装器是获得该功能的明显方式。另外,请记住,在删除root时需要prctl(PR_SET_KEEPCAPS,...)。 (有关详细信息,请参见prctl手册页。)否则,当您转换到非root真实用户ID时,您将删除该功能。
If you really just want to launch user sessions with a different allowed nice level, you might see the pam_limits and limits.conf man pages, as the pam_limits module allows you to change the hard nice limit. It could be a line like:
如果您真的只想启动具有不同允许级别的用户会话,您可能会看到pam_limits和limits.conf手册页,因为pam_limits模块允许您更改硬件限制。它可能是一条线:
yourspecialusername hard nice -10
#2
7
There is a nice handy utility for setting capabilities on a binary: setcap. This needs to be run as root on your application binary, but once set, can be run as a normal user. Example:
有一个非常方便的实用程序来设置二进制文件的功能:setcap。这需要在应用程序二进制文件上以root身份运行,但一旦设置,就可以作为普通用户运行。例:
$ sudo setcap 'cap_sys_nice=eip' <application>
You can confirm what capabilities are on an application using getcap:
您可以使用getcap确认应用程序的功能:
$ getcap <application>
<application> = cap_sys_nice+eip
I'd suggest integrating the capabilities into your makefile in the install line, which is typically run as root anyhow. Note that capabilities cannot be stored in a TAR file or any derivative package formats. If you do package your application later on, you will need a script (postinst for Debian packages) to apply the capability on deploy.
我建议将这些功能集成到安装行中的makefile中,无论如何通常以root身份运行。请注意,功能无法存储在TAR文件或任何衍生包格式中。如果您稍后打包应用程序,则需要一个脚本(Debian软件包的postinst)来应用部署功能。
#3
0
AFAIK It's not possible to get a capability. Root processes have all capabilities and can give them up, but once given up, they can't be regained. So you'll need a suid-root wrapper that will give up all other capabilities and run the process.
AFAIK无法获得能力。根进程具有所有功能并可以放弃,但一旦放弃,它们就无法恢复。因此,您需要一个suid-root包装器,它将放弃所有其他功能并运行该过程。
#4
0
Regarding sudo, I added the user like this:
关于sudo,我添加了这样的用户:
niceuser ALL=NOPASSWD:/usr/bin/nice
And then it worked fine:
然后它工作正常:
niceuser@localhost $ nice
0
niceuser@localhost $ sudo nice -n -10 nice
-10
#1
2
Jan Hudec is right that a process can't just give itself a capability, and a setuid wrapper is the obvious way get the capability. Also, keep in mind that you'll need to prctl(PR_SET_KEEPCAPS, ...) when you drop root. (See the prctl man page for details.) Otherwise, you'll drop the capability when you transition to your non-root real user id.
Jan Hudec是对的,一个进程不能只给自己一个功能,而setuid包装器是获得该功能的明显方式。另外,请记住,在删除root时需要prctl(PR_SET_KEEPCAPS,...)。 (有关详细信息,请参见prctl手册页。)否则,当您转换到非root真实用户ID时,您将删除该功能。
If you really just want to launch user sessions with a different allowed nice level, you might see the pam_limits and limits.conf man pages, as the pam_limits module allows you to change the hard nice limit. It could be a line like:
如果您真的只想启动具有不同允许级别的用户会话,您可能会看到pam_limits和limits.conf手册页,因为pam_limits模块允许您更改硬件限制。它可能是一条线:
yourspecialusername hard nice -10
#2
7
There is a nice handy utility for setting capabilities on a binary: setcap. This needs to be run as root on your application binary, but once set, can be run as a normal user. Example:
有一个非常方便的实用程序来设置二进制文件的功能:setcap。这需要在应用程序二进制文件上以root身份运行,但一旦设置,就可以作为普通用户运行。例:
$ sudo setcap 'cap_sys_nice=eip' <application>
You can confirm what capabilities are on an application using getcap:
您可以使用getcap确认应用程序的功能:
$ getcap <application>
<application> = cap_sys_nice+eip
I'd suggest integrating the capabilities into your makefile in the install line, which is typically run as root anyhow. Note that capabilities cannot be stored in a TAR file or any derivative package formats. If you do package your application later on, you will need a script (postinst for Debian packages) to apply the capability on deploy.
我建议将这些功能集成到安装行中的makefile中,无论如何通常以root身份运行。请注意,功能无法存储在TAR文件或任何衍生包格式中。如果您稍后打包应用程序,则需要一个脚本(Debian软件包的postinst)来应用部署功能。
#3
0
AFAIK It's not possible to get a capability. Root processes have all capabilities and can give them up, but once given up, they can't be regained. So you'll need a suid-root wrapper that will give up all other capabilities and run the process.
AFAIK无法获得能力。根进程具有所有功能并可以放弃,但一旦放弃,它们就无法恢复。因此,您需要一个suid-root包装器,它将放弃所有其他功能并运行该过程。
#4
0
Regarding sudo, I added the user like this:
关于sudo,我添加了这样的用户:
niceuser ALL=NOPASSWD:/usr/bin/nice
And then it worked fine:
然后它工作正常:
niceuser@localhost $ nice
0
niceuser@localhost $ sudo nice -n -10 nice
-10