From: Gilles Chanteperdrix <gilles.chanteperdrix@xenomai.org>
To: Jan Kiszka <jan.kiszka@domain.hid>
Cc: xenomai@xenomai.org
Subject: Re: [Xenomai-help] Xenomai and capabilities
Date: Mon, 11 Oct 2010 18:23:21 +0200 [thread overview]
Message-ID: <4CB339F9.5080202@domain.hid> (raw)
In-Reply-To: <4CB338AB.3070803@domain.hid>
Jan Kiszka wrote:
> Am 11.10.2010 18:11, Anders Blomdell wrote:
>> We are planning to extend our use of xenomai to a wider audience at our
>> department, and therefore I would like to know which is the better way to let
>> users run xenomai programs with a minimum of system privileges, the
>> possibilities I can see are:
>>
>> 1. Let the user run anything as root; simple but obviously a security nightmare.
>> 2. Write a suid program that let's its children inherit the right capabilities
>> and then does a seteuid and does an execve; unfortunately this implies that the
>> program that is execve'd has the right capabilties set [which has to be done by
>> the suid program as well], and this can only be done on filesystems that can
>> have extended attributes (i.e. no FAT, NFS, etc).
>> 3. Write a suid program that drops all unneeded privileges and then use dlopen
>> and friends to execute the user code.
>>
>> I guess that there exists better ways, so somebody please enlighten me.
>>
>
> A bit better, but not perfect:
>
> http://www.xenomai.org/index.php/Non-root_RT
>
> Combining this with mediated hardware access (robust drivers) and
> enabling the Xenomai watchdog should provide a reasonably safe&secure
> environment.
AFAIK, the BIG FAT warning at the bottom of this page still applies. You
can make an environment with no hardware lockups, but secure, I do not
think so. We do not know how Xenomai APIs could be exploited for a
non-root user to become root.
--
Gilles.
next prev parent reply other threads:[~2010-10-11 16:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-11 16:11 [Xenomai-help] Xenomai and capabilities Anders Blomdell
2010-10-11 16:17 ` Gilles Chanteperdrix
2010-10-11 16:17 ` Jan Kiszka
2010-10-11 16:23 ` Gilles Chanteperdrix [this message]
2010-10-11 16:44 ` Jan Kiszka
2010-10-11 16:49 ` Gilles Chanteperdrix
2010-10-11 16:58 ` Jan Kiszka
2010-10-12 9:25 ` Anders Blomdell
2010-10-12 10:23 ` Anders Blomdell
2010-10-12 12:56 ` Anders Blomdell
2010-10-12 13:53 ` Gilles Chanteperdrix
2010-10-12 14:42 ` Anders Blomdell
2010-10-12 14:57 ` Gilles Chanteperdrix
2010-10-12 15:29 ` Anders Blomdell
2010-10-12 15:41 ` Gilles Chanteperdrix
2010-10-12 15:33 ` Philippe Gerum
2010-10-12 17:20 ` Jan Kiszka
2010-10-12 18:01 ` Anders Blomdell
2010-10-12 18:13 ` Jan Kiszka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CB339F9.5080202@domain.hid \
--to=gilles.chanteperdrix@xenomai.org \
--cc=jan.kiszka@domain.hid \
--cc=xenomai@xenomai.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.