* Give others users than "root" access to GPIO (or commands)
@ 2018-05-29 10:41 Arno Steffens
  2018-05-30  6:03 ` ChenQi
  2018-05-30  7:21 ` Richard Purdie
  0 siblings, 2 replies; 8+ messages in thread
From: Arno Steffens @ 2018-05-29 10:41 UTC (permalink / raw)
  To: pokyyoctoproject.org

I have to add a user other than root to start a program which operates with i2c, spi, gpio.
For this I added an init script in /etc/rc5.d to make /dev/* r/w for "others".
That works for i2c and spi but not for GPIO, as most of the files the user has to access will only be created after exporting the GPIOs (more or less doing echo xxx > /sys/class/gpio/export).
But this newly created /sys/class/gpio/xxx is not writable by the user.

Maybe I am doing it completely wrong, but how can I make this possible?
I checked the mega-manual, but there is not much mentioned about groups (27.36. extrausers.bbclass).
Best regards
Arno

Maybe I also have to give this user the permission to reboot, which is right now only possible for root.



* Re: Give others users than "root" access to GPIO (or commands)
  2018-05-29 10:41 Give others users than "root" access to GPIO (or commands) Arno Steffens
@ 2018-05-30  6:03 ` ChenQi
  2018-05-30 10:01   ` Arno Steffens
  2018-05-30  7:21 ` Richard Purdie
  1 sibling, 1 reply; 8+ messages in thread
From: ChenQi @ 2018-05-30  6:03 UTC (permalink / raw)
  To: Arno Steffens, pokyyoctoproject.org

On 05/29/2018 06:41 PM, Arno Steffens wrote:
> I have to add a user other than root to start a program which operates with i2c, spi, gpio.
> For this I added an init script in /etc/rc5.d to make /dev/* r/w for "others".
> That works for i2c and spi but not for GPIO, as most of the files the user has to access will only be created after exporting the GPIOs (more or less doing echo xxx > /sys/class/gpio/export).
> But this newly created /sys/class/gpio/xxx is not writable by the user.
>
> Maybe I am doing it completely wrong, but how can I make this possible?
> I checked the mega-manual, but there is not much mentioned about groups (27.36. extrausers.bbclass).
> Best regards
> Arno
>
> Maybe I also have to give this user the permission to reboot, which is right now only possible for root.


Not sure about your environment. But if you want a normal user to do some
operation requiring root privilege, consider using a SETUID program.

1) Create a program to do the actual work that requires root privilege.
2) If you only want your program to be run by some specific user, do
the user checking in the program.
3) Install your program to be SETUID. `chmod +s xxx'

You can check dbus-daemon-launch-helper in dbus for a reference.

Best Regards,
Chen Qi




* Re: Give others users than "root" access to GPIO (or commands)
  2018-05-29 10:41 Give others users than "root" access to GPIO (or commands) Arno Steffens
  2018-05-30  6:03 ` ChenQi
@ 2018-05-30  7:21 ` Richard Purdie
  2018-05-30 10:20   ` Arno Steffens
  1 sibling, 1 reply; 8+ messages in thread
From: Richard Purdie @ 2018-05-30  7:21 UTC (permalink / raw)
  To: Arno Steffens, pokyyoctoproject.org

On Tue, 2018-05-29 at 12:41 +0200, Arno Steffens wrote:
> I have to add a user other than root to start a program which
> operates with i2c, spi, gpio.
> For this I added an init script in /etc/rc5.d to make /dev/* r/w for
> "others".
> That works for i2c and spi but not for GPIO, as most of the files the
> user has to access will only be created after exporting the GPIOs
> (more or less doing echo xxx > /sys/class/gpio/export).
> But this newly created /sys/class/gpio/xxx is not writable by the user.
> 
> Maybe I am doing it completely wrong, but how can I make this
> possible?
> I checked the mega-manual, but there is not much mentioned about
> groups (27.36. extrausers.bbclass).
> Best regards
> Arno
> 
> Maybe I also have to give this user the permission to reboot, which
> is right now only possible for root.

You have one reply/potential solution. Another option is to set udev
rules (or the equivalent in systemd) such that when the device files
are created they get the permissions/ownership you need.

Cheers,

Richard



* Re: Give others users than "root" access to GPIO (or commands)
  2018-05-30  6:03 ` ChenQi
@ 2018-05-30 10:01   ` Arno Steffens
  2018-05-30 10:18     ` Richard Purdie
  2018-05-30 10:36     ` star
  0 siblings, 2 replies; 8+ messages in thread
From: Arno Steffens @ 2018-05-30 10:01 UTC (permalink / raw)
  To: ChenQi; +Cc: pokyyoctoproject.org



> Sent: Wednesday, 30 May 2018 at 08:03
> From: ChenQi <Qi.Chen@windriver.com>
> To: "Arno Steffens" <star@gmx.li>, "pokyyoctoproject.org" <poky@yoctoproject.org>
> Subject: Re: [poky] Give others users than "root" access to GPIO (or commands)
>
> On 05/29/2018 06:41 PM, Arno Steffens wrote:
> > I have to add a user other than root to start a program which operates with i2c, spi, gpio.
> > For this I added an init script in /etc/rc5.d to make /dev/* r/w for "others".
> > That works for i2c and spi but not for GPIO, as most of the files the user has to access will only be created after exporting the GPIOs (more or less doing echo xxx > /sys/class/gpio/export).
> > But this newly created /sys/class/gpio/xxx is not writable by the user.
> >
> > Maybe I am doing it completely wrong, but how can I make this possible?
> > I checked the mega-manual, but there is not much mentioned about groups (27.36. extrausers.bbclass).
> > Best regards
> > Arno
> >
> > Maybe I also have to give this user the permission to reboot, which is right now only possible for root.
> 
> 
> Not sure about your environment. But if you want a normal user to do some
> operation requiring root privilege, consider using a SETUID program.
> 
> 1) Create a program to do the actual work that requires root privilege.
> 2) If you only want your program to be run by some specific user, do
> the user checking in the program.
> 3) Install your program to be SETUID. `chmod +s xxx'
> 
> You can check dbus-daemon-launch-helper in dbus for a reference.
> 
> Best Regards,
> Chen Qi

Thanks Chen,
sounds easy but I get to my surprise a problem with a shared library (cannot open shared object file: No such file or directory) - although the LD_LIBRARY_PATH is set (/opt/lib) and the file is available?
Best regards
Arno




* Re: Give others users than "root" access to GPIO (or commands)
  2018-05-30 10:01   ` Arno Steffens
@ 2018-05-30 10:18     ` Richard Purdie
  2018-06-01 11:18       ` Arno Steffens
  2018-05-30 10:36     ` star
  1 sibling, 1 reply; 8+ messages in thread
From: Richard Purdie @ 2018-05-30 10:18 UTC (permalink / raw)
  To: Arno Steffens, ChenQi; +Cc: pokyyoctoproject.org

On Wed, 2018-05-30 at 12:01 +0200, Arno Steffens wrote:
> Thanks Chen,
> sounds easy but I get to my surprise a problem with a shared library
> (cannot open shared object file: No such file or directory) -
> although the LD_LIBRARY_PATH is set (/opt/lib) and the file is
> available?

setuid will clear LD_LIBRARY_PATH and other environmental variables for
security reasons. Try adding an RPATH to the binary directly using
chrpath or patchelf?

Cheers,

Richard



* Re: Give others users than "root" access to GPIO (or commands)
  2018-05-30  7:21 ` Richard Purdie
@ 2018-05-30 10:20   ` Arno Steffens
  0 siblings, 0 replies; 8+ messages in thread
From: Arno Steffens @ 2018-05-30 10:20 UTC (permalink / raw)
  To: Richard Purdie; +Cc: pokyyoctoproject.org



> Sent: Wednesday, 30 May 2018 at 09:21
> From: "Richard Purdie" <richard.purdie@linuxfoundation.org>
> To: "Arno Steffens" <star@gmx.li>, "pokyyoctoproject.org" <poky@yoctoproject.org>
> Subject: Re: [poky] Give others users than "root" access to GPIO (or commands)
>
> On Tue, 2018-05-29 at 12:41 +0200, Arno Steffens wrote:
> > I have to add a user other than root to start a program which
> > operates with i2c, spi, gpio.
> > For this I added an init script in /etc/rc5.d to make /dev/* r/w for
> > "others".
> > That works for i2c and spi but not for GPIO, as most of the files the
> > user has to access will only be created after exporting the GPIOs
> > (more or less doing echo xxx > /sys/class/gpio/export).
> > But this newly created /sys/class/gpio/xxx is not writable by the user.
> > 
> > Maybe I am doing it completely wrong, but how can I make this
> > possible?
> > I checked the mega-manual, but there is not much mentioned about
> > groups (27.36. extrausers.bbclass).
> > Best regards
> > Arno
> > 
> > Maybe I also have to give this user the permission to reboot, which
> > is right now only possible for root.
> 
> You have one reply/potential solution. Another option is to set udev
> rules (or the equivalent in systemd) such that when the device files
> are created they get the permissions/ownership you need.
> 
> Cheers,
> 
> Richard

Richard, regarding /dev I agree udev should be the way to go. I read about that, but my first hours of experiments haven't been successful. Have to try harder ...

But how to make commands like reboot, mount or shutdown executable by others:
The setuid bit is already set for /sbin/shutdown.sysvinit, which is linked to shutdown, but it isn't working for users other than root.

Regards
Arno



* Re: Give others users than "root" access to GPIO (or commands)
  2018-05-30 10:01   ` Arno Steffens
  2018-05-30 10:18     ` Richard Purdie
@ 2018-05-30 10:36     ` star
  1 sibling, 0 replies; 8+ messages in thread
From: star @ 2018-05-30 10:36 UTC (permalink / raw)
  To: Arno Steffens; +Cc: pokyyoctoproject.org

> Sent: Wednesday, 30 May 2018 at 12:01
> From: "Arno Steffens" <star@gmx.li>
> To: ChenQi <Qi.Chen@windriver.com>
> Cc: "pokyyoctoproject.org" <poky@yoctoproject.org>
> Subject: Re: [poky] Give others users than "root" access to GPIO (or commands)
>
> 
> 
> > Sent: Wednesday, 30 May 2018 at 08:03
> > From: ChenQi <Qi.Chen@windriver.com>
> > To: "Arno Steffens" <star@gmx.li>, "pokyyoctoproject.org" <poky@yoctoproject.org>
> > Subject: Re: [poky] Give others users than "root" access to GPIO (or commands)
> >
> > On 05/29/2018 06:41 PM, Arno Steffens wrote:
> > > I have to add a user other than root to start a program which operates with i2c, spi, gpio.
> > > For this I added an init script in /etc/rc5.d to make /dev/* r/w for "others".
> > > That works for i2c and spi but not for GPIO, as most of the files the user has to access will only be created after exporting the GPIOs (more or less doing echo xxx > /sys/class/gpio/export).
> > > But this newly created /sys/class/gpio/xxx is not writable by the user.
> > >
> > > Maybe I am doing it completely wrong, but how can I make this possible?
> > > I checked the mega-manual, but there is not much mentioned about groups (27.36. extrausers.bbclass).
> > > Best regards
> > > Arno
> > >
> > > Maybe I also have to give this user the permission to reboot, which is right now only possible for root.
> > 
> > 
> > Not sure about your environment. But if you want a normal user to do some
> > operation requiring root privilege, consider using a SETUID program.
> > 
> > 1) Create a program to do the actual work that requires root privilege.
> > 2) If you only want your program to be run by some specific user, do
> > the user checking in the program.
> > 3) Install your program to be SETUID. `chmod +s xxx'
> > 
> > You can check dbus-daemon-launch-helper in dbus for a reference.
> > 
> > Best Regards,
> > Chen Qi
> 
> Thanks Chen,
> sounds easy but I get to my surprise a problem with a shared library (cannot open shared object file: No such file or directory) - although the LD_LIBRARY_PATH is set (/opt/lib) and the file is available?
> Best regards
> Arno
> 

Ok, got it.
Although ldd xxx shows my lib I couldn't use it. Adding this path /opt/lib to ld.so.conf solved this.



* Re: Give others users than "root" access to GPIO (or commands)
  2018-05-30 10:18     ` Richard Purdie
@ 2018-06-01 11:18       ` Arno Steffens
  0 siblings, 0 replies; 8+ messages in thread
From: Arno Steffens @ 2018-06-01 11:18 UTC (permalink / raw)
  To: Richard Purdie; +Cc: pokyyoctoproject.org



> Sent: Wednesday, 30 May 2018 at 12:18
> From: "Richard Purdie" <richard.purdie@linuxfoundation.org>
> To: "Arno Steffens" <star@gmx.li>, ChenQi <Qi.Chen@windriver.com>
> Cc: "pokyyoctoproject.org" <poky@yoctoproject.org>
> Subject: Re: [poky] Give others users than "root" access to GPIO (or commands)
>
> On Wed, 2018-05-30 at 12:01 +0200, Arno Steffens wrote:
> > Thanks Chen,
> > sounds easy but I get to my surprise a problem with a shared library
> > (cannot open shared object file: No such file or directory) -
> > although the LD_LIBRARY_PATH is set (/opt/lib) and the file is
> > available?
> 
> setuid will clear LD_LIBRARY_PATH and other environmental variables for
> security reasons. Try adding an RPATH to the binary directly using
> chrpath or patchelf?
> 
> Cheers,
> 
> Richard

In case others will be searching for that too:

I tried both ways. For solution I (setuid) I could solve the missing lib error with:
add via glibc_%.bbappend:
do_install_append () {
  echo "/opt/lib" >> ${D}${sysconfdir}/ld.so.conf 
}
(although compiler option -rpath should work too).

With udev rules I created:
KERNEL=="i2c-[0-7]", MODE="0666"
KERNEL=="spi*", MODE="0666"
KERNEL=="gpiochip0", MODE="0666", PROGRAM="/bin/sh -c 'chmod -R 0777 /sys/class/gpio'"

That works fine for i2c and spi, but not for GPIO.
After exporting the gpio, the direction and value stay writable just for the owner.
So even adding GPIO to a group will now help. The only option I found was to execute a longer script exporting all pins and then change permissions. Not really sophisticated.

Thanks
Arno


