Hi All,
I have to install an application which needs access to system BIOS information.
The application needs to be installed by non root user.
How would I grant read privileges on /dev/mem to the non-root user so that it can capture system BIOS information while running the application?
Using Linux OS.
Kindly assist.
Neo
August 9, 2018, 3:04am
2
It would be more secure to copy the data from a secure area (only root has access) to a non-secure area (where the non-root user has access) and then permit the non-root user to access the data.
As far as /dev/mem goes, I recommend you only copy the data that the non-root user needs to access for the task.
It would be a huge security violation to permit non-root users to access /dev/mem.
Cheers.
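Neo's suggestion in working form, as an added example (not the thread's or Hyland's code): a root-run script that stages the SMBIOS tables into a directory the service account can read, so the unprivileged process never touches /dev/mem. It assumes Linux 4.2 or later, which exports those tables root-readable under /sys/firmware/dmi/tables as the two files smbios_entry_point and DMI; the staging directory /var/lib/inserver/bios and the group name are placeholders. It only helps if the application can be pointed at the copy, which is the objection raised in the next post.

```shell
#!/bin/sh
# Added example, not from the thread or the vendor: stage a root-only copy of
# the firmware tables into a directory the service account can read, so the
# unprivileged daemon gets exactly the bytes it needs and nothing else.
# Assumptions (hypothetical, adjust to your host): Linux 4.2+ with
# /sys/firmware/dmi/tables; staging dir /var/lib/inserver/bios; the service
# account's primary group is passed as the third argument.

SRC_DIR="${SRC_DIR:-/sys/firmware/dmi/tables}"
DST_DIR="${DST_DIR:-/var/lib/inserver/bios}"

# smbios_anchor_ok FILE
# 0 if FILE starts with an SMBIOS entry-point anchor: "_SM_" (2.x, 32-bit
# entry point) or "_SM3_" (3.x, 64-bit entry point). Guards against staging
# the wrong file (or a directory that is not what we think it is).
smbios_anchor_ok() {
    a5=$(dd if="$1" bs=1 count=5 2>/dev/null)
    a4=$(dd if="$1" bs=1 count=4 2>/dev/null)
    [ "$a5" = "_SM3_" ] || [ "$a4" = "_SM_" ]
}

# stage_bios_tables SRC DST GROUP
# Copy smbios_entry_point and DMI from SRC into DST with mode 0640, owned by
# root and group-readable by GROUP. Ownership is only changed when run as
# root (the intended caller); unprivileged runs still set the mode.
stage_bios_tables() {
    src="$1"; dst="$2"; group="$3"
    if ! smbios_anchor_ok "$src/smbios_entry_point"; then
        echo "$src/smbios_entry_point: no SMBIOS anchor, refusing to stage" >&2
        return 1
    fi
    own=""
    if [ "$(id -u)" -eq 0 ]; then
        own="-o root -g $group"
    fi
    mkdir -p "$dst" || return 1
    chmod 0750 "$dst" || return 1
    [ -z "$own" ] || chgrp "$group" "$dst" || return 1
    for f in smbios_entry_point DMI; do
        # install(1) copies and applies the mode regardless of umask
        install -m 0640 $own "$src/$f" "$dst/$f" || return 1
    done
    return 0
}

# Run from cron or a root-owned boot script, e.g.:
#   ./stage-bios.sh stage imgnow
if [ "${1:-}" = "stage" ]; then
    stage_bios_tables "$SRC_DIR" "$DST_DIR" "${2:-bin}"
fi
```

The point of the anchor check is that the staging step runs as root: it should refuse to copy anything it cannot recognise rather than quietly publish an arbitrary root-only file to the service group.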
Hi Neo,
Thanks for the suggestion, but it's a vendor application (binary file) which cannot be modified to read the /dev/mem information from a different path.
Regards
------ Post updated at 01:26 PM ------
Also, the vendor is suggesting to use the below command to grant the privilege:
usermod -K defaultpriv=basic,file_dac_read <non root user>
But I can't find a -K option for the usermod command. It says invalid option.
Is there any alternate command or option to grant the same rights to the non-root user as above?
Thanks in advance!!
Neo
August 9, 2018, 5:05am
4
I would not use usermod for this. It's not secure to permit users access to /dev/mem.
That is a total violation of the Linux kernel security model, having user processes access memory directly without using the root-level system calls.
Who is the vendor and what is the product they are attempting to use in this insecure mode?
I agree with you.
Vendor is Hyland and the product is Perceptive Content 7.1 ( formerly known as Imagenow ).
Keeping aside the data/security violations, if we need to test whether it is working or not, how do we achieve that? Can you help with the right commands?
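A check script for the "is it working" question, added here as an example (not the thread's or Hyland's code). Background the lead-in relies on: `usermod -K defaultpriv=...` is the Solaris RBAC syntax, and the Linux usermod from shadow-utils has no -K option, which is why it reports an invalid option. On Linux a read of /dev/mem passes three gates: the file's mode bits or ACL; CAP_SYS_RAWIO in the opening process, without which open(2) fails with EPERM whatever the mode bits say (the nearest Linux counterpart of Solaris file_dac_read, CAP_DAC_READ_SEARCH, bypasses mode bits but not this gate); and CONFIG_STRICT_DEVMEM, which limits even a capable process to non-RAM ranges such as PCI space and the legacy BIOS area. The script reports each gate for the account it runs as; the file name devmem-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or the vendor: report, in the order the
# kernel applies them, the checks that gate a read of /dev/mem on this host.
# Run it as the service account (su -s /bin/sh imgnow -c "./devmem-check.sh report")
# and as root, and compare.

CAP_DAC_READ_SEARCH=2   # nearest Linux counterpart of Solaris file_dac_read
CAP_SYS_RAWIO=17        # required by open(2) on /dev/mem, whatever the mode bits

# cap_in_mask HEXMASK BIT
# 0 if BIT is set in HEXMASK, the 64-bit hex form of the Cap* lines in
# /proc/<pid>/status. Split into two 32-bit words so the test never depends
# on the shell's arithmetic width or on signed overflow of a full root mask.
cap_in_mask() {
    mask=$(printf '%16s' "$1" | tr ' ' 0)   # left-pad to 16 hex digits
    bit="$2"
    if [ "$bit" -ge 32 ]; then
        word=$(printf '%s' "$mask" | cut -c1-8); bit=$((bit - 32))
    else
        word=$(printf '%s' "$mask" | cut -c9-16)
    fi
    [ $(( (0x$word >> bit) & 1 )) -eq 1 ]
}

# effective_caps [PID]: CapEff mask of PID (default: the calling shell).
effective_caps() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# strict_devmem: 0 if the running kernel has CONFIG_STRICT_DEVMEM=y,
# 1 if it is unset, 2 if the kernel config is not readable here.
strict_devmem() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_STRICT_DEVMEM=y' "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_STRICT_DEVMEM=y'
    else
        return 2
    fi
}

report_devmem() {
    echo "user: $(id -un) (uid $(id -u))"
    echo "== gate 1: discretionary access (mode bits / ACL) =="
    ls -l /dev/mem 2>/dev/null || echo "/dev/mem: not present"
    if [ -r /dev/mem ]; then echo "DAC: read permitted"; else echo "DAC: read denied"; fi
    echo "== gate 2: CAP_SYS_RAWIO in the process =="
    caps=$(effective_caps)
    if cap_in_mask "$caps" "$CAP_SYS_RAWIO"; then
        echo "CAP_SYS_RAWIO: present, open(2) allowed"
    else
        echo "CAP_SYS_RAWIO: absent, open(2) fails with EPERM even if DAC permits"
    fi
    if cap_in_mask "$caps" "$CAP_DAC_READ_SEARCH"; then
        echo "CAP_DAC_READ_SEARCH: present (bypasses gate 1 only, not gate 2)"
    fi
    echo "== gate 3: CONFIG_STRICT_DEVMEM =="
    rc=0; strict_devmem || rc=$?
    case $rc in
        0) echo "strict: only non-RAM ranges (PCI space, legacy BIOS/ROM area) readable" ;;
        1) echo "not strict: all physical memory readable by a holder of gate 2" ;;
        *) echo "kernel config not readable, cannot tell" ;;
    esac
    echo "== root-free source of the SMBIOS tables (Linux 4.2+) =="
    ls -l /sys/firmware/dmi/tables 2>/dev/null \
        || echo "/sys/firmware/dmi/tables: absent (kernel < 4.2 or no DMI)"
}

if [ "${1:-}" = "report" ]; then
    report_devmem
fi
```

If gate 2 reports the capability absent for the service account, no chmod or ACL on /dev/mem will make the read succeed; that is the Linux equivalent of the vendor doc's "cannot be granted with ACL privileges alone".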
Neo
August 9, 2018, 5:29am
6
I checked the docs for this app (attached), and there is no requirement anywhere in the doc for the Linux server side app to need to modify users to permit root access to kernel memory.
The main reason anyone would be trying to get you to do this is that they have set up the system "wrong" and have a permissions (access) problem, which is typical of less experienced sys admins.
Then, instead of solving the core problem (a file permissions issue or incorrect user setup, etc), they are asking you to grant a user root access to kernel memory.
This is a terrible idea.
You need to get to Hyland's system programmers and let them help you solve this problem, because the Hyland techs working with you now do not seem to understand how to troubleshoot a permissions issue on their app.
Do you have root access to this Linux machine?
Neo
August 9, 2018, 5:53am
8
The instructions are pretty clear in that doc you added:
Before running Perceptive Content Server as a non-root user on a shadowed system, you need to configure Role Based Access Control (RBAC) or an Access Control List (ACL).
If your Linux distributor offers RBAC as a supported package or embeds it into the Linux Kernel, you can use the configuration options detailed in the following sections of this document. Otherwise, to achieve rootless authentication, you need to download a third party RBAC kernel module from a trusted source.
Verify that the RBAC kernel provides the roles necessary to read your shadowed passwd file, and can provide read access to /dev/mem. While you can grant ACL read privileges to /etc/shadow, a kernel module/patch is required to grant read privileges to /dev/mem and cannot be granted with ACL privileges alone.
If you are unable to locate a trustable source or you are concerned about security issues with downloading a third party RBAC kernel module, you can use the built-in security features of Perceptive Content to release root privileges and run as another user after server initialization. To use these built-in security features, you need to configure daemons to run on a non-root user account.
Did you verify your Linux kernel has been built to permit RBAC per the instructions?
Yes, just now I realized a point I missed: "to run as a daemon".
One more help, according to the guide -
Start Perceptive Content as a non-root user
There are security risks with running Perceptive Content under your root user account. Linux and UNIX systems always start at the root user level. To start Perceptive Content as a non-root user, complete the following steps.
Prerequisite: Configure your Role Based Access Control (RBAC) or Access Control List (ACL), or configure daemons to run on a non-root user account.
When you install Perceptive Content, change the ownership of all files to <username>:bin, where <username> is the user you want as the owner instead of root. The following example changes the ownership of all files to the user imgnow.
chown -R imgnow:bin ./inserver
In the rc.local/init.d startup script, run the daemons as the user you created. In the examples in this guide, the user is imgnow.
How do I run the daemons as the non-root user? What changes do I have to make in rc.local/init.d?
Neo
August 9, 2018, 6:34am
10
Yes, just now I realized a point I missed: "to run as a daemon".
One more help, according to the guide -
How do I run the daemons as the non-root user? What changes do I have to make in rc.local/init.d?
I suggest you search the forums for "how to start daemons" or similar searches.
That's a pretty basic question that was probably asked 10 years ago.
Neo
August 9, 2018, 6:46am
11
HINT:
Most software packages have a command line option to start the program as a daemon process and also a flag for what userid to run as.
Example:
/usr/local/bin/myprogram -D -u myUserID
Or something like that.
Just read the docs on the app you are trying to run.
HINT2:
Visit your directory /etc/rc.d and read the startup files in there.
Neo
August 9, 2018, 6:47am
12
HINT3:
Here is a file from a Linux server:
root@www:/etc/rc.d/init.d# ls
monitorix
root@www:/etc/rc.d/init.d# cat monito*
#!/bin/bash
#
# /etc/rc.d/init.d/monitorix
#
# Starts the Monitorix daemon
#
# chkconfig: 2345 99 10
# description: Monitorix is a lightweight system monitoring tool
# processname: monitorix
# config: /etc/monitorix.conf
# pidfile: /var/run/monitorix.pid
### BEGIN INIT INFO
# Provides: monitorix
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start up the Monitorix daemon
# Description: Monitorix is a free, open source, lightweight system
#              monitoring tool designed to monitor as many services and
#              system resources as possible.
### END INIT INFO

# Source function library (provides daemon, killproc, status, success, failure)
. /etc/init.d/functions

# Optional overrides such as $OPTIONS, only honoured when run as root
if [ -f /etc/sysconfig/monitorix -a $UID -eq 0 ]; then
    . /etc/sysconfig/monitorix
fi

RETVAL=0
PROG="monitorix"
DAEMON="/usr/bin/monitorix"
PIDFILE="/var/run/monitorix.pid"
CONF="/etc/monitorix.conf"

start() {
    if [ ! -f /var/lock/subsys/$PROG ] ; then
        echo -n $"Starting $PROG: "
        # daemon() from the function library backgrounds the process;
        # it accepts --user=<name> to start it as a non-root account
        daemon $DAEMON -c $CONF -p $PIDFILE $OPTIONS && success || failure
        RETVAL=$?
        if [ $RETVAL -eq 0 ] ; then
            touch /var/lock/subsys/$PROG
            echo
        fi
    fi
}

stop() {
    echo -n $"Stopping $PROG: "
    killproc $PROG
    RETVAL=$?
    rm -f /var/lock/subsys/$PROG
    rm -f $PIDFILE
    echo
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    condrestart)
        # restart only if the service is currently running
        if [ -f /var/lock/subsys/$PROG ] ; then
            restart
        fi
        ;;
    status)
        status $PROG
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
        ;;
esac

exit $RETVAL
Reading the files on your Linux server will provide you with a vast amount of knowledge.
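The same start/stop/status pattern with the one piece the monitorix script above does not show, the switch to the unprivileged account, added here as an example (not the thread's, Hyland's, or the monitorix package's code). It follows the vendor doc quoted earlier: files chowned to imgnow:bin and the daemons run as imgnow. The install path /opt/inserver, the binary /opt/inserver/bin/inserver and the PID file location are hypothetical; the privilege drop uses su(1), which every Linux system has.

```shell
#!/bin/sh
# Added example, not from the thread, the vendor or monitorix: an init.d-style
# skeleton that starts the daemon as the service account instead of root.
# Hypothetical names: user imgnow, binary /opt/inserver/bin/inserver.

SERVICE_USER="${SERVICE_USER:-imgnow}"
DAEMON="${DAEMON:-/opt/inserver/bin/inserver}"
PIDFILE="${PIDFILE:-/var/run/inserver.pid}"

# exec_as USER CMD [ARGS...]
# Replace the current (sub)shell with CMD running as USER. From root it drops
# privileges with su; -s /bin/sh works even if the account has a nologin
# shell. As USER itself it just execs. Always call in a subshell or with '&'.
exec_as() {
    user="$1"; shift
    if [ "$(id -un)" = "$user" ]; then
        exec "$@"
    elif [ "$(id -u)" -eq 0 ]; then
        # '"$0" "$@"' idiom: arguments reach the command without re-quoting
        exec su -s /bin/sh "$user" -c 'exec "$0" "$@"' -- "$@"
    else
        echo "exec_as: need root to switch to $user" >&2
        exit 1
    fi
}

# daemon_status PIDFILE: 0 and "running (pid N)" if the recorded PID is alive.
daemon_status() {
    pidfile="$1"
    if [ -r "$pidfile" ] && pid=$(cat "$pidfile") && [ -n "$pid" ] \
       && kill -0 "$pid" 2>/dev/null; then
        echo "running (pid $pid)"
        return 0
    fi
    echo "stopped"
    return 1
}

# daemon_start PIDFILE USER CMD [ARGS...]
# Start CMD as USER, detached from the terminal, and record its PID. The PID
# file is written by the privileged caller, not by the daemon, so the
# unprivileged process cannot later point it at some other PID.
daemon_start() {
    pidfile="$1"; user="$2"; shift 2
    if daemon_status "$pidfile" >/dev/null; then
        echo "already $(daemon_status "$pidfile")"
        return 0
    fi
    exec_as "$user" "$@" </dev/null >/dev/null 2>&1 &
    echo $! > "$pidfile"
    sleep 1
    daemon_status "$pidfile"      # non-zero if it died within the first second
}

# daemon_stop PIDFILE: SIGTERM the recorded PID, wait up to 10 s, then SIGKILL.
daemon_stop() {
    pidfile="$1"
    if ! daemon_status "$pidfile" >/dev/null; then
        rm -f "$pidfile"
        return 0
    fi
    pid=$(cat "$pidfile")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true   # reaps it when started by this shell
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        kill -9 "$pid" 2>/dev/null || true
    fi
    rm -f "$pidfile"
    echo "stopped"
}

case "${1:-}" in
    start)   daemon_start "$PIDFILE" "$SERVICE_USER" "$DAEMON" ;;
    stop)    daemon_stop "$PIDFILE" ;;
    status)  daemon_status "$PIDFILE" ;;
    restart) daemon_stop "$PIDFILE"; daemon_start "$PIDFILE" "$SERVICE_USER" "$DAEMON" ;;
    "")      ;;   # no action: only define the functions
    *)       echo "Usage: $0 {start|stop|status|restart}" >&2; exit 1 ;;
esac
```

On a RHEL-style host the function library's daemon helper does the same switch with `daemon --user=imgnow ...`, Debian-style scripts use `start-stop-daemon --chuid imgnow`, and on a systemd host the whole script collapses to `User=imgnow` in the unit file. Whichever form is used, the daemon itself never needs /dev/mem for this to work; it only needs to own the files it reads and writes.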
Yes, a great help indeed!!
Thanks a lot Neo!!
Neo
August 9, 2018, 7:01am
14
This stuff is really easy if you just slow down a bit and read the instructions.
It's hard to believe, I know.. but it's actually faster to do it slower, LOL