-
September 3rd, 2003, 01:39 PM
#1
Parallel Port Linux Security Robot Arm
Hiya,
Ive created a program do control a robotic arm ive build, (just out of junk hacked together pretty quick)
To access the I/O port, the compiled program must be either executed by root
or be suid root. This could be a potential system security hazard, rite?
well is there a way to run this program in a user account? the thing is the arm is network controlled (or soon to be, maybe this afternoon ) and im a bit concerned about the security cos im a paranoid freak.
Is the only problem here, if an attack can buffer overflow my program and create a root shell?
I mean it doesnt really matter if someone does connect remotely and starts attacking me with the arm, im more concerned about the general secuirty implications
cheers
i2c
-
September 3rd, 2003, 02:06 PM
#2
There are several options.
1. Change to a non privileged user after calling ioperm
The program which controls the robot arm has to run as root *until it has opened the parallel port*
I assume you are using ioperm or something in order to enable direct I/O from that program. Obviously that's a privileged operation.
However, after successfully calling ioperm, the program can change its user ID away from root (with setuid and/or seteuid) and become a normal user.
The IO ports will still be able to be accessed for the duration of the process running.
2. Split the program into several pieces which are mutually non-trusting.
The other possibility is to write a small privileged server program which talks to the parallel port, and a second, less privileged (i.e. not root) program which does all the other tasks (including network IO)
They could communicate through pipes, unix sockets, shared memory, or use a higher level API to communicate.
---
These two approaches are not mutually exclusive, for maximum security you should probably do both.
Slarty
-
September 3rd, 2003, 02:35 PM
#3
yep, im using ioperm,
interesting suggestions ill look into them, so the only way to do this is code a little more? There are no already made programs that I can use to achieve what i want?
I think i probably will code the extra, as i think ill learn somemore anyway
cheers
i2c
-
September 3rd, 2003, 03:42 PM
#4
SUDO might be able to help you.
Do a man sudo for details.
Good luck.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
-
September 3rd, 2003, 04:32 PM
#5
Would adding a non root user to the lp group help with this problem?
Assuming things work like they do here:
ls -l /dev/lp* shows owner root group lp
if things are different make a group for lp & chgrp lp /dev/lp*
Then add a non root user to the group lp and try running you code as that user.
Just an idea,
Steve
Steve
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|