From owner-freebsd-hackers Mon Jun 9 13:25:42 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA12750 for hackers-outgoing; Mon, 9 Jun 1997 13:25:42 -0700 (PDT)
Received: from prova.iet.unipi.it (prova1.iet.unipi.it [131.114.9.11]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA12745 for ; Mon, 9 Jun 1997 13:25:30 -0700 (PDT)
Received: from localhost (luigi@localhost) by prova.iet.unipi.it (8.8.5/8.8.5) with SMTP id WAA00420 for ; Mon, 9 Jun 1997 22:25:59 +0200 (CEST)
Date: Mon, 9 Jun 1997 22:25:58 +0200 (CEST)
From: Luigi Rizzo
To: hackers@freebsd.org
Subject: rtprio from non-root users ?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi,

I am trying to allow non-root accounts to use CD-R devices. Although I could probably create some suid-root shell scripts, I don't like the idea much and I would prefer a different approach, i.e. limiting access to a group of allowed users and letting them write their own scripts.

I am running into a couple of problems, namely:

1) there is no command-level method (I think) to add groups to the credentials of a user. Probably this is a more general problem, but fortunately this is only a nuisance, because it can be solved by making allowed users "su" to the username with rights to use the device.

2) (major problem) rtprio does not allow the necessary priority settings if not superuser; but it cannot be made suid root since it does not drop priority before execing the requested process.

Of the following two fixes:

a) modify the rtprio syscall so that it can set realtime priority for a restricted set of users (but then, how to configure this set?);

b) modify the rtprio(1) command so that it can run suid-root, by allowing RTP_SET for a configurable class of users (e.g. /etc/rtprio.users) and calling setuid to restore the real uid before calling execvp;

which one looks better?

I am in favour of b), but I am not sure if it can cause security problems.

Cheers
Luigi

====================================================================
Luigi Rizzo                      Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it        Universita' di Pisa
tel: +39-50-568533               via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522               http://www.iet.unipi.it/~luigi/
====================================================================
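The shape that option (b) takes in code, as an added example that is neither Luigi's code nor FreeBSD's own rtprio(1). It assumes a hypothetical /etc/rtprio.users file with one login name per line ('#' starts a comment) and the rtprio(1) command line "prio command [args]". The security-relevant ordering is: decide on the *real* uid, raise the priority while still root, then drop root permanently and verify the drop, and only then execvp() the user's command. The rtprio(2) call itself is FreeBSD-only, so on other systems set_realtime() fails with ENOSYS; the parsing and privilege-dropping parts are portable.

```c
/* Added example of a suid-root rtprio wrapper (hypothetical, not FreeBSD's rtprio(1)). */
#include <ctype.h>
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/rtprio.h>
#endif

#define RTPRIO_USERS "/etc/rtprio.users"   /* assumed config file: one login per line */
#define RTPRIO_MAX_ALLOWED 31              /* do not hand out anything past RTP_PRIO_MAX */

/* Return 1 if `login` appears as a whole token on a non-comment line of the config. */
static int user_allowed(FILE *fp, const char *login)
{
    char line[256];
    while (fgets(line, sizeof line, fp) != NULL) {
        char *p = line;
        size_t n;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '#' || *p == '\0') continue;
        n = strcspn(p, " \t\r\n#");          /* token ends at blank or comment */
        if (n == strlen(login) && memcmp(p, login, n) == 0)
            return 1;
    }
    return 0;
}

/* Raise the calling process to realtime priority `prio`; needs root on FreeBSD. */
static int set_realtime(int prio)
{
#ifdef __FreeBSD__
    struct rtprio rtp;
    rtp.type = RTP_PRIO_REALTIME;
    rtp.prio = (u_short)prio;
    return rtprio(RTP_SET, 0, &rtp);
#else
    (void)prio;
    errno = ENOSYS;                         /* rtprio(2) is not portable */
    return -1;
#endif
}

/* Drop root permanently: gid first (setgid needs root), then setuid(), which as
 * root also clears the saved uid so the exec'd command cannot regain root.
 * seteuid() alone would leave saved uid 0 behind. The result is verified. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && seteuid(0) == 0) { errno = EPERM; return -1; }   /* drop failed */
    if (getuid() != ruid || geteuid() != ruid) { errno = EPERM; return -1; }
    return 0;
}

/* Constructed sample config, used only for testing user_allowed(). */
static FILE *sample_config(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    fputs("# constructed sample of /etc/rtprio.users\nluigi\n  bob   # cd-r operator\nluigiX\n", fp);
    rewind(fp);
    return fp;
}

int main(int argc, char *argv[])
{
    struct passwd *pw;
    FILE *fp;
    int prio, ok;

    if (argc < 3) { fprintf(stderr, "usage: %s prio command [args...]\n", argv[0]); return 2; }
    prio = atoi(argv[1]);
    if (prio < 0 || prio > RTPRIO_MAX_ALLOWED) { fprintf(stderr, "bad priority\n"); return 2; }

    pw = getpwuid(getuid());                /* real uid: never $USER, never geteuid() */
    if (pw == NULL) { fprintf(stderr, "unknown real uid\n"); return 1; }
    if ((fp = fopen(RTPRIO_USERS, "r")) == NULL) { perror(RTPRIO_USERS); return 1; }
    ok = user_allowed(fp, pw->pw_name);
    fclose(fp);
    if (!ok) { fprintf(stderr, "%s: not in %s\n", pw->pw_name, RTPRIO_USERS); return 1; }

    if (set_realtime(prio) != 0) { perror("rtprio"); return 1; }       /* still root here */
    if (drop_privileges() != 0) { perror("drop privileges"); return 1; }

    execvp(argv[2], argv + 2);              /* runs with the user's own credentials */
    perror(argv[2]);
    return 127;
}
```

Two caveats a reviewer of option (b) would raise. First, the realtime priority survives both setuid() and exec, which is exactly what makes the wrapper work, but it also means an allowed user's command can still starve the rest of the machine; membership in the file is the only control, so it is a trust list, not a sandbox. Second, the config file must be root-owned and not group- or world-writable, and the decision has to key off getuid(), not an environment variable, or any local user can add themselves.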