Project Home
Project Home		 Documents
Documents		 Wiki
Wiki		 Discussion Forums
Discussions		 Project Information
Project Info
QNX Operating System/Discussion/OSTech/procmgr_ability()/List of Posts
Forum Topic - procmgr_ability(): (4 Items)
   
Update
Geoff Roberts
04/11/2021 3:05 AM
post121372
procmgr_ability()   
I am trying to get a process (resource manager) to successfully call resmgr_attach() without failing with EPERM. The 
process is not owned by root and not executed by a root user.

The following - based on an example I found - and what I interpret from the procmgr_ability() documentation - is not 
working for me. procmgr_ability() always returns 1 (EPERM) and errno is set to  (EOK).

procmgr_ability(0, PROCMGR_ADN_NONROOT | PROCMGR_AOP_ ALLOW | PROCMGR_AID_ABLE_PRIV,
                             PROCMGR_ADN_NONROOT | PROCMGR_AOP_ALLOW  | PROCMGR_AID_PATHSPACE |
                             PROCMGR_AID_EOL);

As far as I know the program doesn't have the abilities locked (why would it?) and there are no "temporary ID's.

All I want to do is create /dev/something without the process being owned and executed by root. I don't want it owned by
 root and then set the "set UID on execution bit" if I can avoid it (chown 0:0 program;chmod a+s program) as this seems 
to defeat the reason for procmgr_ability() to exist! :-)

What am I doing wrong? What am I missing? 

Thanks,

Geoff.
Elad Lahav
04/11/2021 7:13 AM
post121373
Re: procmgr_ability()   
Abilities would not be worth much if you could just add them ;-)
Your options:
1. Start the resource manager from a process that has the necessary ability and marks it as inherited. Note that "on" 
can do that for processes started from the build file or from a shell script.
2. Use security policies to give the resource manager the necessary abilities.

(2) is the recommended way for a secure system as it is more robust and can be audited. On the other hand, it does 
require extra tools and more up-front set up.

--Elad
Elad Lahav
04/11/2021 7:14 AM
post121374
Re: procmgr_ability()   
By the way, there is some discussion here, though it seems to tell you more about how not to do stuff than on how to do 
it:

http://www.qnx.com/developers/docs/7.1/index.html#com.qnx.doc.neutrino.prog/topic/process_Ability_inheritance.html

--Elad
Geoff Roberts
04/12/2021 3:53 AM
post121375
Re: procmgr_ability()   
Thanks Elad. It was as I suspected: I had missed something. Something being the "Security Policy"! :-)  
procmgr_abilities() and associated bits and pieces are new to me having come from QNX6 and previous versions.

Your option 2 is exactly what I want to do - option 1 does not appeal to me. I will need to digest this new material and
 see how I go. Due to other things I need to do it may be a few days.

Geoff.

Return


  A subsidiary of BlackBerry             All content ©2004-2013, QNX Software Systems