Hi,
Please Cc me when you want an answer from me (I am not subscribed to this mailing list). I just found this mail by pure luck.
On Saturday 28 February 2015 21:04:19 MK wrote:
> Thanks for the patch. Setup seems to be still working. How can I verify that privileges really dropped?
The privileges of a process can be found in
$ cat /proc/`pidof alfred`/status
The active capabilities are CapEff. The capabilities the process can request can be found in CapPrm.
> There are further questions:
> Is _read_ access for the alfred user (resp. group) sufficient in /sys/kernel/debug/batman_adv/* ? Or is write access on the socket file in this directory mandatory for full functionality?
The process needs to access the path and read the files. For example, my system allows reading these files by default BUT disallows non-root access to /sys/kernel/debug
$ ls -ltrd /sys/kernel/debug
drwx------ 27 root root 0 Mar 2 18:58 /sys/kernel/debug
I would have to allow other users o+rx access to this path before being able to access the batman-adv files:
$ cat /sys/kernel/debug/batman_adv/bat0/originators
cat: /sys/kernel/debug/batman_adv/bat0/originators: Permission denied
$ sudo chmod o+rx /sys/kernel/debug
$ cat /sys/kernel/debug/batman_adv/bat0/originators
[B.A.T.M.A.N. adv 2014.3.0, MainIF/MAC: eth0/XX:XX:XX:XX:XX:XX (bat0 BATMAN_IV)]
Originator last-seen (#/255) Nexthop [outgoingIF]: Potential nexthops ...
No batman nodes in range ...
!!!! WARNING !!!! I don't recommend granting all users access to /sys/kernel/debug.
Kind regards,
Sven
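
Added example, not part of the original mail and not alfred's own code: a small checker that decodes the Uid, Gid, CapPrm and CapEff lines of /proc/<pid>/status and reports anything beyond an allowed capability set. The sample status text and the allowed set (CAP_NET_RAW) are constructed for illustration and are not taken from the patch under discussion.

```python
import sys

# Capability names by bit number, from <linux/capability.h> (bit 0 = CAP_CHOWN).
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
             "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
             "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
             "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
             "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
             "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()

def decode_caps(hexmask):
    """Turn a CapEff/CapPrm hex mask into a set of capability names."""
    mask = int(hexmask, 16)
    return {"CAP_" + CAP_NAMES[b] if b < len(CAP_NAMES) else "bit%d" % b
            for b in range(mask.bit_length()) if mask >> b & 1}

def parse_status(text):
    """Extract the uid/gid quadruples and the decoded capability sets."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid"):  # real, effective, saved, filesystem
            out[key] = [int(v) for v in value.split()]
        elif key in ("CapInh", "CapPrm", "CapEff", "CapBnd"):
            out[key] = decode_caps(value.strip())
    return out

def privilege_findings(status, allowed):
    """List everything that contradicts 'non-root with only the allowed caps'."""
    findings = []
    for key in ("Uid", "Gid"):
        if 0 in status.get(key, [0]):  # a missing line is reported as well
            findings.append("%s still contains 0: %s" % (key, status.get(key)))
    for key in ("CapPrm", "CapEff"):
        extra = status.get(key, set()) - set(allowed)
        if extra:
            findings.append("%s has unexpected %s" % (key, sorted(extra)))
    return findings

# Constructed sample, not the output of a real alfred process.
SAMPLE = ("Uid:\t105\t105\t105\t105\nGid:\t110\t110\t110\t110\n"
          "CapInh:\t0000000000000000\nCapPrm:\t0000000000003000\n"
          "CapEff:\t0000000000002000\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(privilege_findings(parse_status(text), sys.argv[2:] or ["CAP_NET_RAW"]) or "ok")
```

Run it with a status file path followed by the capabilities you expect to remain; on the constructed sample it flags CAP_NET_ADMIN in CapPrm, a capability that is not active in CapEff but can still be requested.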