Parallel Port Linux Security Robot Arm
Results 1 to 5 of 5

Thread: Parallel Port Linux Security Robot Arm

  1. #1
    Senior Member
    Join Date
    Jul 2003
    Posts
    634

    Parallel Port Linux Security Robot Arm

    Hiya,

    Ive created a program do control a robotic arm ive build, (just out of junk hacked together pretty quick)

    To access the I/O port, the compiled program must be either executed by root
    or be suid root. This could be a potential system security hazard, rite?

    well is there a way to run this program in a user account? the thing is the arm is network controlled (or soon to be, maybe this afternoon ) and im a bit concerned about the security cos im a paranoid freak.

    Is the only problem here, if an attack can buffer overflow my program and create a root shell?

    I mean it doesnt really matter if someone does connect remotely and starts attacking me with the arm, im more concerned about the general secuirty implications

    cheers

    i2c

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    There are several options.

    1. Change to a non privileged user after calling ioperm

    The program which controls the robot arm has to run as root *until it has opened the parallel port*

    I assume you are using ioperm or something in order to enable direct I/O from that program. Obviously that's a privileged operation.

    However, after successfully calling ioperm, the program can change its user ID away from root (with setuid and/or seteuid) and become a normal user.

    The IO ports will still be able to be accessed for the duration of the process running.

    2. Split the program into several pieces which are mutually non-trusting.

    The other possibility is to write a small privileged server program which talks to the parallel port, and a second, less privileged (i.e. not root) program which does all the other tasks (including network IO)

    They could communicate through pipes, unix sockets, shared memory, or use a higher level API to communicate.

    ---

    These two approaches are not mutually exclusive, for maximum security you should probably do both.

    Slarty

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    yep, im using ioperm,

    interesting suggestions ill look into them, so the only way to do this is code a little more? There are no already made programs that I can use to achieve what i want?

    I think i probably will code the extra, as i think ill learn somemore anyway

    cheers

    i2c

  4. #4
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    SUDO might be able to help you.

    Do a man sudo for details.

    Good luck.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  5. #5
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    Would adding a non root user to the lp group help with this problem?

    Assuming things work like they do here:

    ls -l /dev/lp* shows owner root group lp

    if things are different make a group for lp & chgrp lp /dev/lp*

    Then add a non root user to the group lp and try running you code as that user.

    Just an idea,

    Steve



    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •