I have a small C++ app to turn on and off lights for a BeagleBone Black board that runs on Debian 9.2.
It does this by updating text files.
// Turn light on
fs.open("/sys/class/leds/beaglebone:green:usr0", std::fstream::out);
fs << "1";
fs.close();
If I run the program as a standard user it runs without error but none of the lights change.
If I run the program with sudo everything works fine and the lights work.
I’m guessing it’s because those files need higher access.
I’m not super familiar with Linux permissions but is there a way to allow your program access to the files where a user could not?
Answer
Read carefully about setuid and about credentials(7) (and execve(2) which is how programs are started). But be careful about vulnerabilities.
Read Advanced Linux Programming (freely downloadable, but a bit old) or some newer book about Linux programming. Read intro(2) and syscalls(2).
You could also read Operating Systems: Three Easy Pieces (freely downloadable) to learn more about OSes in general.
You could make your executable setuid (with chmod u+s after the appropriate chown) and call with care setreuid(2) at appropriate places. That is how programs like sudo or su work (all of them are setuid). Sometimes you can just use group permissions (so setgid only).
But be cautious, a bug in such a program can open a huge security hole. So it is wise to keep setuid programs very small and have their code reviewed by other eyes. A possible approach is to code a very small setuid executable doing your weird things (e.g. only flashing the leds) and communicating (e.g. with pipe(7)-s or other forms of inter-process communication) with a larger and bigger ordinary program (e.g. providing a GUI).
Perhaps you can configure your system by creating a group led and giving group write permissions to /sys/class/leds/beaglebone:green:usr0 and use only setgid techniques.