我的第一個建議是檢查返回值setpriority()
以查看它是否返回錯誤。我的期望是,它通過返回-1
指示錯誤,並且檢查errno
將顯示EACCES
是指示調用方沒有所需特權的錯誤。
有三種方式來解決這個問題:
1)使執行SUID root或使用sudo運行它(不安全)。
2)授予可執行文件的能力CAP_SYS_NICE
(例如sudo setcap cap_sys_nice=ep <executable>
)。
3)調整外殼(ulimit
)或用戶(取決於發行版/etc/security/limits.conf
)的硬件和軟件限制。或者只是調整硬限制,讓程序調整軟限制。
請注意,SUID和文件功能在使用nosuid
(經常是加密的主目錄)安裝的分區上無效。
編輯:@TrentP指出,你可以放棄特權。下面是一些代碼,是如何做到這一點公平的例子,然而它可以用於實時優先級:
/*
* Set_policy_priority
*
* This is used to set the priority and policy for the real-time
* scheduler. This normally requires some form of privilege, as the
* default hard ulimit of 0 will prevent an unprivileged program from
* doing so.
*
* The most secure thing to do is grant the executable the potential
* to enable CAP_SYS_RESOURCE (with sudo setcap cap_sys_resource=p
* <executable>). If it is needed, this routine will enable the
* capability, raise the hard limit, and then irrevocably drop the
* privilege.
*
*/
int set_policy_priority(int policy, int priority, int nofiles) {
const cap_value_t cap_vector[1] = { CAP_SYS_RESOURCE };
cap_t privilege_dropped = cap_init();
cap_t privilege_off = cap_dup(privilege_dropped);
cap_set_flag(privilege_off, CAP_PERMITTED, 1, cap_vector, CAP_SET);
cap_t privilege_on = cap_dup(privilege_off);
cap_set_flag(privilege_on, CAP_EFFECTIVE, 1, cap_vector, CAP_SET);
struct sched_param param;
struct rlimit rl;
int e, min, max;
// See if priority we want is in the range offered by SCHED_FIFO
min = sched_get_priority_min(policy);
max = sched_get_priority_max(policy);
if (verbose) {
fprintf(stderr, "For policy SCHED_FIFO min priority is %d, max is %d.\n", min, max);
}
if ((min>priority)||(max<priority)) {
fprintf(stderr, "Desired priority of %d is out of range.\n", priority);
return 1;
}
// See if the RTPRIO limits allows the priority we want
if (getrlimit(RLIMIT_RTPRIO, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to getrlimit(): %s.\n", strerror(e));
return 1;
}
if (verbose) {
fprintf(stderr, "RTPRIO soft limit is %d, hard is %d.\n",
(int) rl.rlim_cur, (int) rl.rlim_max);
}
// Adjust hard limit if necessary
if (rl.rlim_max < priority) {
if (cap_set_proc(privilege_on) != 0) {
fprintf(stderr, "Need to raise RTPRIO hard limit, but can't enable CAP_SYS_RESOURCE.\n");
return 1;
}
rl.rlim_max = priority;
if (setrlimit(RLIMIT_RTPRIO, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to raise hard limit for RTPRIO to %d: %s.\n",
(int) rl.rlim_max, strerror(e));
return 1;
}
if (cap_set_proc(privilege_off)) {
fprintf(stderr, "Failed to turn off privileges.\n");
return 1;
}
if (verbose) {
printf("Raised hard limit for RTPRIO to %d.\n", (int) rl.rlim_max);
}
}
// Adjust soft limit if necessary
if (rl.rlim_cur < priority) {
rl.rlim_cur = priority;
if (setrlimit(RLIMIT_RTPRIO, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to raise soft limit for RTPRIO to %d: %s.\n",
(int) rl.rlim_cur, strerror(e));
return 1;
}
if (verbose) {
printf("Raised soft limit for RTPRIO to %d.\n", (int) rl.rlim_cur);
}
}
// Set desired priority with class SCHED_FIFO
param.sched_priority = priority;
if (sched_setscheduler(0, policy, ¶m) != 0) {
e = errno;
fprintf(stderr, "Setting policy failed: %s.\n", strerror(e));
return 1;
} else if (verbose) {
printf("Set policy SCHED_FIFO, priority %d.\n", param.sched_priority);
}
// See if the NOFILE limits allows the number of fds we want
if (getrlimit(RLIMIT_NOFILE, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to getrlimit(): %s.\n", strerror(e));
return 1;
}
if (verbose) {
fprintf(stderr, "NOFILE soft limit is %d, hard is %d.\n",
(int) rl.rlim_cur, (int) rl.rlim_max);
}
// Adjust hard limit if necessary
if (rl.rlim_max < nofiles) {
if (cap_set_proc(privilege_on) != 0) {
fprintf(stderr, "Need to raise NOFILE hard limit, but can't enable CAP_SYS_RESOURCE.\n");
return 1;
}
rl.rlim_max = nofiles;
if (setrlimit(RLIMIT_NOFILE, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to raise hard limit for NOFILE to %d: %s.\n",
(int) rl.rlim_max, strerror(e));
return 1;
}
if (cap_set_proc(privilege_off)) {
fprintf(stderr, "Failed to turn off privileges.\n");
return 1;
}
if (verbose) {
printf("Raised hard limit for NOFILE to %d.\n", (int) rl.rlim_max);
}
}
// Adjust soft limit if necessary
if (rl.rlim_cur < nofiles) {
rl.rlim_cur = nofiles;
if (setrlimit(RLIMIT_NOFILE, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to raise soft limit for NOFILE to %d: %s.\n",
(int) rl.rlim_cur, strerror(e));
return 1;
}
if (verbose) {
printf("Raised soft limit for NOFILE to %d.\n", (int) rl.rlim_cur);
}
}
if (cap_set_proc(privilege_dropped)) {
fprintf(stderr, "Failed to turn irrevocably drop privileges.\n");
return 1;
}
return 0;
}
作爲對1和2的變化,可以使可執行文件是setuid root,然後放棄了root權限和個seteuid到非root用戶,但以保持CAP_SYS_NICE(而不是其他權限)的方式進行。 – TrentP
謝謝,我還發現「sudo ./a.out」也可以工作。而你的「sudo setcap cap_sys_nice ep = a.out」也可以(永遠)。 –
@HindForsum編輯將sudo添加到setuid解決方案。 –