'Re: Modifying kernel so that non-root users have some root capabilities'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-kernel
Subject:    Re: Modifying kernel so that non-root users have some root capabilities
From:       Roger Larsson <roger.larsson () skelleftea ! mail ! telia ! com>
Date:       2004-05-25 23:43:06
Message-ID: 200405260143.06439.roger.larsson () skelleftea ! mail ! telia ! com
[Download RAW message or body]

> I've been tasked with modifying a 2.4 kernel so that a non-root user can
> do the following:
> 
> Dynamically change the priorities of processes (up and down)
> Lock processes in memory
> Can change process cpu affinity
> 
> Anyone got any ideas about how I could start doing this? (I'm new to
> kernel development, btw.)

Audio development folks has a SELinux module that does almost this.

"The latest version of the realtime Linux Security Module is now
available on SourceForge...

  
http://prdownloads.sourceforge.net/realtime-lsm/realtime-lsm-0.1.1.tar.gz?download

This release handles changes to the capabilities structure introduced
in Linux 2.6.6, but still works with earlier 2.6 kernels.  There are
no functional changes.  Unless you are running 2.6.6, there is no need
to upgrade.  Changes in the 2.6.6 kernel makefiles affect the
procedure for building the realtime-lsm.  Please consult the INSTALL
instructions for details.

The realtime LSM is an installable kernel module that enables realtime
capabilities for any 2.6 kernel without needing to directly patch the
kernel.  It was written by Torben Hohn and Jack O'Quin, who make no
warranty concerning the safety, security or even stability of your
system when using it.  It is provided under the provisions of the GPL.
-- 
  joq"

Usage like this:
"Once the LSM has been installed and the kernel for which it was built
is running, the root user can load it and pass parameters as follows:

  # modprobe realtime any=1

  Any program can request realtime privileges.  This allows any local
  user to crash the system by hogging the CPU in a tight loop or
  locking down too much memory.  But, it is simple to administer.  :-)

  # modprobe realtime gid=29

  All users belonging to group 29 and programs that are setgid to that
  group have realtime privileges.  Use any group number you like.

  # modprobe realtime mlock=0

  Grants realtime scheduling privileges without the ability to lock
  memory using mlock() or mlockall() system calls.  This option can be
  used in conjunction with any of the other options.
"

/RogerL
(not subscribed but reading archives now and then)

-- 
Roger Larsson
Skellefteå
Sweden
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic