1
I have a system running hardened Gentoo and I have installed Xorg, Fluxbox, and Conky together to create a minimal window manager desktop. Within this system I have 2 main users, root and my normal running user which I log into.
The problem is that Conky is trying to access thermal and battery information from within /sys/class/thermal/thermal_zone1/temp and /sys/class/power_supply/BAT1/uevent and it is getting permission denied errors resulting in data I would like to display showing up empty or as zero values. These are the permission values on both files
File: '/sys/class/thermal/thermal_zone0/temp'
Size: 4096 Blocks: 0 IO Block: 4096 regular file
Device: 12h/18d Inode: 3719 Links: 1
Access: (0444/-r--r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-03-14 20:14:54.143855495 +0000
Modify: 2015-03-14 20:14:54.143855495 +0000
Change: 2015-03-14 20:14:54.143855495 +0000
Birth: -
File: '/sys/class/power_supply/BAT1/uevent'
Size: 4096 Blocks: 0 IO Block: 4096 regular file
Device: 12h/18d Inode: 3907 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-03-14 19:23:15.227055847 +0000
Modify: 2015-03-14 19:23:15.227055847 +0000
Change: 2015-03-14 19:23:15.227055847 +0000
Birth: -
Is there a way to allow Conky to access specific privileged files without giving the entire process root access via sudo? I could setup a sudoers rule to allow it to run with NOPASSWD, but giving Conky full root permissions is not what I would like to do.
Preferably I would only like to give the process read access to these files. Could I simply make these files world readable without negative side effects?
Edit: I found the root of the problem. It is not the files them self that are the problem, since they are already world readable, it is their containing directory which is only drwx by user. Will there be any negative side effect if I allow the /sys/class/thermal and /sys/class/power_supply as well as the /sys/class directories to become world readable?
Edit2: Turns out one of the hardening features prevents normal users from accessing these files without being root. The reason I came to this conclusion is when I run ls -alh on the directories as my normal user, all the rwx flags show up as question marks even after I set them to 0704 (drwx---r--). My only option now unfortunately is to run Conky as root, via a NOPASSWD sudo rule so Fluxbox may start it without a hassle.
user428531
Posted 2015-03-15T03:19:20.953
Reputation: 11
Keep in mind that
sudoersallows a very fine-grained configuration. You should limit to whatever script/binary needs the access (or a wrapper thereof). Capabilities may be another route, but I didn't find any that would address your immediate need (also the interpreter needs to have the capability, not the script). Last but not least, gave you considered running a CRON job or so that would set an ACL on these pdeudo-files, assuming it's allowed by the kernel. This way you can have a tightly-knit access control without giving out root viasudoers. – 0xC0000022L – 2015-03-15T20:36:33.603@0xC0000022L Is there documentation or is it possible for sudo to limit a process ran with sudo in a way that it can only access specific files barring it from running applications, or having permission for anything it is not specifically allowed to read? If so this would fix my problem instantly. – user428531 – 2015-03-16T04:03:25.110