Parallel Port Linux Security Robot Arm

Printable View

September 3rd, 2003, 01:39 PM
i2c

Parallel Port Linux Security Robot Arm

Hiya,

Ive created a program do control a robotic arm ive build, (just out of junk hacked together pretty quick)

To access the I/O port, the compiled program must be either executed by root
or be suid root. This could be a potential system security hazard, rite?

well is there a way to run this program in a user account? the thing is the arm is network controlled (or soon to be, maybe this afternoon :D ) and im a bit concerned about the security cos im a paranoid freak.

Is the only problem here, if an attack can buffer overflow my program and create a root shell?

I mean it doesnt really matter if someone does connect remotely and starts attacking me with the arm, im more concerned about the general secuirty implications

cheers

i2c
September 3rd, 2003, 02:06 PM
slarty

There are several options.

1. Change to a non privileged user after calling ioperm

The program which controls the robot arm has to run as root *until it has opened the parallel port*

I assume you are using ioperm or something in order to enable direct I/O from that program. Obviously that's a privileged operation.

However, after successfully calling ioperm, the program can change its user ID away from root (with setuid and/or seteuid) and become a normal user.

The IO ports will still be able to be accessed for the duration of the process running.

2. Split the program into several pieces which are mutually non-trusting.

The other possibility is to write a small privileged server program which talks to the parallel port, and a second, less privileged (i.e. not root) program which does all the other tasks (including network IO)

They could communicate through pipes, unix sockets, shared memory, or use a higher level API to communicate.

---

These two approaches are not mutually exclusive, for maximum security you should probably do both.

Slarty
September 3rd, 2003, 02:35 PM
i2c

yep, im using ioperm,

interesting suggestions ill look into them, so the only way to do this is code a little more? There are no already made programs that I can use to achieve what i want?

I think i probably will code the extra, as i think ill learn somemore anyway

cheers

i2c
September 3rd, 2003, 03:42 PM
instronics

SUDO might be able to help you.

Do a man sudo for details.

Good luck.
September 3rd, 2003, 04:32 PM
steve.milner

Would adding a non root user to the lp group help with this problem?

Assuming things work like they do here:

ls -l /dev/lp* shows owner root group lp

if things are different make a group for lp & chgrp lp /dev/lp*

Then add a non root user to the group lp and try running you code as that user.

Just an idea,

Steve

Steve