How to set CAP_SYS_NICE features for Linux user?

My program uses the Linux setpriority() system call to change the priorities of the threads it creates. It needs to set negative priorities (-10), but as the documentation says, this fails when run as a regular user.

The user needs the CAP_SYS_NICE capability in order to set priorities at their discretion, but I don't know how to grant it to the user.

So my question is: how to set the CAP_SYS_NICE for a Linux user?

+6
4 answers

Jan Hudek is right that a process cannot just give itself a capability, and a setuid wrapper is the obvious way to obtain one. Also keep in mind that you need prctl(PR_SET_KEEPCAPS, ...) when dropping root. (See the prctl man page for details.) Otherwise you will lose the capability as soon as you switch to your non-root user ID.

If you really want user sessions to start with a different permitted nice level, look at the pam_limits and limits.conf man pages, since the pam_limits module lets you change the hard limit. It could be a line like:

 yourspecialusername hard nice -10 
+2

There is a handy utility for setting capabilities on a binary: setcap. It must be run as root on your application's binary, but after that the application can run as a regular user. Example:

 $ sudo setcap 'cap_sys_nice=eip' <application> 

You can confirm which capabilities the application has using getcap:

 $ getcap <application>
 <application> = cap_sys_nice+eip

I would suggest integrating this into your makefile's install target, which usually runs as root. Note that capabilities cannot be stored in a TAR file or in any package format derived from it. If you later package your application, you will need a script (postinst for Debian packages) to apply the capabilities at deployment time.

+4

AFAIK a process cannot acquire a capability. Root processes have all capabilities and can drop them, but once dropped they cannot be regained. So you will need a suid-root wrapper that drops all other capabilities and then starts the process.

0
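As an added illustration of the wrapper pattern described in the first and third answers (this is not code from any of the answers): a C program that, when started as root (for example via a setuid-root wrapper), drops to the real user while retaining only CAP_SYS_NICE, then checks CapEff in /proc/self/status and calls setpriority(). It is Linux-only and uses the raw capset() syscall with hand-declared structs instead of libcap; the struct layouts, the version constant and the helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_SYS_NICE 23                 /* capability number from <linux/capability.h> */
#define CAP_V3       0x20080522         /* _LINUX_CAPABILITY_VERSION_3 */

/* Hand-declared equivalents of the kernel's capset() user structs (assumed layout). */
struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Parse the hex mask of a "CapEff:\t<hex>" line from /proc/<pid>/status; 0 if malformed. */
unsigned long long parse_cap_line(const char *line) {
    const char *p = strchr(line, ':');
    return p ? strtoull(p + 1, NULL, 16) : 0ULL;
}

int mask_has(unsigned long long mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Read this process's effective capability mask; 0 if /proc is unavailable. */
unsigned long long read_capeff(void) {
    char line[128]; unsigned long long mask = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) { mask = parse_cap_line(line); break; }
    fclose(f);
    return mask;
}

/* Switch from root to the real uid/gid keeping only CAP_SYS_NICE. Returns 0 or -1 (errno set). */
int drop_to_user_keeping_sys_nice(void) {
    struct cap_hdr hdr = { CAP_V3, 0 };
    struct cap_data data[2] = { { 0, 0, 0 }, { 0, 0, 0 } };
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) return -1;   /* keep permitted set across setuid */
    if (setgid(getgid()) == -1 || setuid(getuid()) == -1) return -1; /* effective set is cleared here */
    data[0].permitted = data[0].effective = 1u << CAP_SYS_NICE;     /* bit 23 lives in word 0 */
    return syscall(SYS_capset, &hdr, data) == -1 ? -1 : 0;          /* re-raise only CAP_SYS_NICE */
}

int main(void) {
    if (geteuid() == 0 && drop_to_user_keeping_sys_nice() == -1) { perror("drop"); return 1; }
    printf("CAP_SYS_NICE effective: %s\n", mask_has(read_capeff(), CAP_SYS_NICE) ? "yes" : "no");
    if (setpriority(PRIO_PROCESS, 0, -10) == -1) { perror("setpriority"); return 1; }
    printf("nice set to %d\n", getpriority(PRIO_PROCESS, 0));
    return 0;
}
```

Run it once as an unprivileged user and once under sudo (or with the binary installed setuid root) to see the difference in CapEff and in whether setpriority() succeeds.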

As for sudo, I added the user as follows:

 niceuser ALL=NOPASSWD:/usr/bin/nice 

And then it worked fine:

 niceuser@localhost $ nice
 0
 niceuser@localhost $ sudo nice -n -10 nice
 -10
0

Source: https://habr.com/ru/post/898519/
