如何为 Linux 用户设置 CAP_SYS_NICE 功能?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7635515/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to set CAP_SYS_NICE capability to a Linux user?
提问by CJlano
My program is using the Linux system call setpriority()to change the priorities of the threads it creates. It needs to set negative priorities (-10) but, as mentioned on the documentation, this fails when run as a normal user.
我的程序正在使用 Linux 系统调用setpriority()来更改它创建的线程的优先级。它需要设置负优先级 (-10),但正如文档中所述,以普通用户身份运行时会失败。
The user needs the CAP_SYS_NICEcapability to be able to set the priorities as he wants, but I have no idea how to give such capability to the user.
用户需要CAP_SYS_NICE能够根据需要设置优先级的能力,但我不知道如何将这种能力赋予用户。
So my question: how to set CAP_SYS_NICEcapability to a Linux user?
所以我的问题是:如何为CAP_SYS_NICELinux 用户设置功能?
采纳答案by mkj
Jan Hudec is right that a process can't just give itself a capability, and a setuid wrapper is the obvious way get the capability. Also, keep in mind that you'll need to prctl(PR_SET_KEEPCAPS, ...)when you drop root. (See the prctlman page for details.) Otherwise, you'll drop the capability when you transition to your non-root real user id.
Jan Hudec 是对的,一个进程不能只给自己一个能力,而 setuid 包装器是获得能力的明显方式。另外,请记住,prctl(PR_SET_KEEPCAPS, ...)当您删除 root 时需要这样做。(有关prctl详细信息,请参阅手册页。)否则,当您转换为非 root 真实用户 ID 时,您将放弃该功能。
If you really just want to launch user sessions with a different allowed nice level, you might see the pam_limitsand limits.confman pages, as the pam_limitsmodule allows you to change the hard nice limit. It could be a line like:
如果您真的只想以不同的允许 nice 级别启动用户会话,您可能会看到pam_limits和limits.conf手册页,因为该pam_limits模块允许您更改 hard nice 限制。它可能是这样的一行:
yourspecialusername hard nice -10
回答by Jan Hudec
AFAIK It's not possible to get a capability. Root processes have all capabilities and can give them up, but once given up, they can't be regained. So you'll need a suid-root wrapper that will give up all other capabilities and run the process.
AFAIK 不可能获得能力。根进程拥有所有能力,可以放弃,但一旦放弃,就无法重新获得。因此,您将需要一个 suid-root 包装器,它将放弃所有其他功能并运行该过程。
回答by squeegee
Regarding sudo, I added the user like this:
关于sudo,我添加了这样的用户:
niceuser ALL=NOPASSWD:/usr/bin/nice
And then it worked fine:
然后它工作正常:
niceuser@localhost $ nice
0
niceuser@localhost $ sudo nice -n -10 nice
-10
回答by Ryan Armstrong
There is a nice handy utility for setting capabilities on a binary: setcap. This needs to be run as root on your application binary, but once set, can be run as a normal user. Example:
有一个非常方便的实用程序可用于在二进制文件上设置功能:setcap。这需要在您的应用程序二进制文件上以 root 身份运行,但一旦设置,就可以以普通用户身份运行。例子:
$ sudo setcap 'cap_sys_nice=eip' <application>
You can confirm what capabilities are on an application using getcap:
您可以使用 getcap 确认应用程序具有哪些功能:
$ getcap <application>
<application> = cap_sys_nice+eip
I'd suggest integrating the capabilities into your makefile in the install line, which is typically run as root anyhow. Note that capabilities cannot be stored in a TAR file or any derivative package formats. If you do package your application later on, you will need a script (postinst for Debian packages) to apply the capability on deploy.
我建议将这些功能集成到安装行中的 makefile 中,该行通常以 root 身份运行。请注意,功能不能存储在 TAR 文件或任何衍生的包格式中。如果您稍后打包您的应用程序,您将需要一个脚本(用于 Debian 软件包的 postinst)来在部署时应用该功能。
