Non root user access to /dev/mem

Hi All,

I have to install an application which needs access to system BIOS information.
The application needs to be installed by non root user.
How would I grant read privileges on the /dev/mem file to the non-root user so that it can capture system BIOS information while running the application?
Using Linux OS.

Kindly assist.

It would be more secure to copy the data from a secure area (only root has access) to a non-secure area (where the non-root user has access) and then permit the non-root user to access the data.

As far as /dev/mem goes, I recommend you only copy the data that the non-root user needs to access for the task.

It would be a huge security violation to permit non-root users to access /dev/mem.

Cheers.

Hi Neo,

Thanks for the suggestion, but it's a vendor application (binary file) which cannot be modified to read the /dev/mem information from a different path.

Regards

------ Post updated at 01:26 PM ------

Also the vendor is suggesting to use the below command to grant privilege -

usermod -K defaultpriv=basic,file_dac_read <non root user>

But I can't find a -K option for the usermod command. It says invalid option.
Is there any alternate command or option to grant the same rights to the non root user like above?

Thanks in advance!!

I would not use usermod for this. It's not secure to permit users access to /dev/mem.

That is a total violation of the Linux kernel security model, having user processes access memory directly with using the root level system calls.

Who is the vendor and what is the product they are attempting to use in this insecure mode?
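An added example, not from the thread: a small POSIX shell audit that reports whether a memory device node like /dev/mem has been opened up to non-root users (mode bits, ownership, and an ACL marker in the ls output), and whether the running kernel was built with CONFIG_STRICT_DEVMEM, which restricts what even root can read through it. The node path and the kernel config path (KCONFIG) are parameters so the functions can be exercised against an ordinary file.

```shell
#!/bin/sh
# Added example (not from the thread): audit exposure of a memory device node.
# Defaults assume /dev/mem and /boot/config-$(uname -r); both can be overridden.

# Return 0 (true) if the "other" permission bits of PATH grant any access.
# Columns 8-10 of `ls -ld` are the rwx bits for "other".
others_can_access() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" != "---" ]
}

# Return 0 (true) if PATH carries a POSIX ACL ("+" in column 11 of GNU ls),
# which can grant access that the plain mode bits do not show.
has_acl() {
    [ "$(ls -ld "$1" | cut -c11)" = "+" ]
}

# Return 0 (true) if PATH is owned by root.
owned_by_root() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# Print y, n or unknown for CONFIG_STRICT_DEVMEM in the kernel build config.
strict_devmem() {
    cfg=${KCONFIG:-/boot/config-$(uname -r)}
    [ -r "$cfg" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_STRICT_DEVMEM=y' "$cfg"; then echo y; else echo n; fi
}

# Report on DEVNODE (default /dev/mem); return 1 if it is reachable by non-root.
audit_devmem() {
    dev=${1:-/dev/mem}
    rc=0
    [ -e "$dev" ] || { echo "$dev: not present"; return 0; }
    ls -ld "$dev"
    if others_can_access "$dev"; then
        echo "WARNING: $dev is accessible to users outside its owner and group"
        rc=1
    fi
    has_acl "$dev" && echo "NOTE: $dev has an ACL; check it with getfacl"
    owned_by_root "$dev" || { echo "WARNING: $dev is not owned by root"; rc=1; }
    echo "CONFIG_STRICT_DEVMEM: $(strict_devmem)"
    return $rc
}

# Usage: sh audit.sh --run [/dev/mem]
if [ "${1:-}" = "--run" ]; then audit_devmem "${2:-/dev/mem}"; fi
```

The group-readable case (root:kmem 0640 on most distributions) is intentionally not flagged; membership of the kmem group is the thing to review separately.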

I agree with you.
Vendor is Hyland and the product is Perceptive Content 7.1 (formerly known as ImageNow).

Keeping aside the data/security violations, if we need to test whether it is working or not, how do we achieve that? Can you help with the right commands?

I checked the docs for this app (attached), and there is no requirement anywhere in the doc for the Linux server side app to need to modify users to permit root access to kernel memory.

The main reason anyone would be trying to get you to do this is that they have set up the system "wrong" and have a permissions (access) problem, which is typical of less experienced sys admins.

Then, instead of solving the core problem (a file permissions issue or incorrect user setup, etc), they are asking you to grant a user root access to kernel memory.

This is a terrible idea.

You need to get to Hyland's system programmers and let them help you solve this problem, because the Hyland techs working with you now do not seem to understand how to troubleshoot a permissions issue on their app.

Do you have root access to this Linux machine?
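The permissions problem described above is the kind of thing to verify before anyone reaches for /dev/mem. As an added example (not from the thread or from Hyland), the POSIX shell functions below check, from mode bits, owner and group membership alone, which of a list of files a given service account would be unable to read; run it as root against the account and the paths the vendor application needs before starting it. Account and path names in the usage line are placeholders; ACLs and directory search (x) permission on parent directories are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): preflight read-access check for a
# service account. Root is treated as able to read anything.

# Return 0 (true) if USER may read PATH according to its mode bits.
user_can_read() {
    user=$1
    path=$2
    [ -e "$path" ] || return 1
    [ "$user" = root ] && return 0
    # Fields of `ls -ldL`: mode owner-link-count owner group ...
    set -- $(ls -ldL "$path")
    mode=$1
    owner=$3
    group=$4
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$mode" | cut -c2)        # owner read bit
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bit=$(printf '%s' "$mode" | cut -c5)        # group read bit
    else
        bit=$(printf '%s' "$mode" | cut -c8)        # other read bit
    fi
    [ "$bit" = r ]
}

# List every path USER cannot read; return 1 if there is at least one.
preflight() {
    user=$1
    shift
    bad=0
    for p in "$@"; do
        if ! user_can_read "$user" "$p"; then
            echo "$user cannot read: $p"
            bad=1
        fi
    done
    return $bad
}

# Usage (placeholder names): preflight svcuser /opt/app/app.conf /opt/app/lib
if [ "${1:-}" = "--check" ]; then
    shift
    preflight "$@"
fi
```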

Sure, the development team from Hyland is working on the same.
They have given the best practice guide to follow (attached).

Link - https://docs.hyland.com/ImageNow/en_US/7.0/Admin/Print/Running_Perceptive_Content_as_a_Non-Root_User_Best_Practices_Guide_7.0.pdf

The instructions are pretty clear in that doc you added:

Did you verify your Linux kernel has been built to permit RBAC per the instructions?

Yes, just now I realized a point I missed: "to run as a daemon".
One more help, according to the guide -

How do I run the daemons as the non-root user? What changes do I have to make in rc.local/init.d?

I suggest you search the forums for "how to start daemons" or similar searches.

That's a pretty basic question that was probably asked 10 years ago.

HINT:

Most software packages have a command line option to start the program as a daemon process and also a flag for what userid to run as.

Example:

/usr/local/bin/myprogram  -D -u myUserID

Or something like that.

Just read the docs on the app you are trying to run.

HINT2:

Visit your directory /etc/rc.d and read the startup files in there.

HINT3:

Here is a file from a Linux server:

root@www:/etc/rc.d/init.d# ls
monitorix
root@www:/etc/rc.d/init.d# cat monito*
#!/bin/bash
#
#	/etc/rc.d/init.d/monitorix
#
# Starts the Monitorix daemon
#
# chkconfig: 2345 99 10
# description: Monitorix is a lightweight system monitoring tool
# processname: monitorix
# config: /etc/monitorix.conf
# pidfile: /var/run/monitorix.pid

### BEGIN INIT INFO
# Provides:          monitorix
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start up the Monitorix daemon
# Description:       Monitorix is a free, open source, lightweight system
#                    monitoring tool designed to monitor as many services and
#                    system resources as possible.
### END INIT INFO

# Source function library
. /etc/init.d/functions

if [ -f /etc/sysconfig/monitorix -a $UID -eq 0 ]; then
	. /etc/sysconfig/monitorix
fi

RETVAL=0
PROG="monitorix"
DAEMON="/usr/bin/monitorix"
PIDFILE="/var/run/monitorix.pid"
CONF="/etc/monitorix.conf"

start() {
	if [ ! -f /var/lock/subsys/$PROG ] ; then
		echo -n $"Starting $PROG: "
		daemon $DAEMON -c $CONF -p $PIDFILE $OPTIONS && success || failure
		RETVAL=$?
		if [ $RETVAL -eq 0 ] ; then
			touch /var/lock/subsys/$PROG
			echo
		fi
	fi
}

stop() {
	echo -n $"Stopping $PROG: "
	killproc $PROG
	RETVAL=$?
	rm -f /var/lock/subsys/$PROG
	rm -f $PIDFILE
	echo
}

restart() {
	stop
	start
}

case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	restart)
		restart
		;;
	condrestart)
		if [ -f /var/lock/subsys/$PROG ] ; then
			restart
		fi
		;;
	status)
		status $PROG
		;;
	*)
		echo $"Usage: $0 {start|stop|restart|condrestart|status}"
		exit 1
esac

exit $RETVAL

Reading the files on your Linux server will provide you with a vast amount of knowledge.


Yes a great help indeed!!
Thanks a lot Neo!!

This stuff is really easy if you just slow down a bit and read the instructions.

It's hard to believe, I know.. but it's actually faster to do it slower, LOL