0

How can I supply a negative value to nice() and run without error even if I am not the superuser? Can I do

system("su"); 
nice(-1);

It is asking for a password, which I do not want.

  • In that C code, nice will be run on the current process, after system returns. – ctrl-alt-delor Jul 18 '16 at 09:49
  • 2
    Please [edit] your question and explain what you are doing. That looks like you're writing some kind of program. If so, you need to tell us that and mention what language you are writing in and what your final objective is. Are you trying to renice the running process itself? Another process? – terdon Jul 18 '16 at 09:50

3 Answers

1

If you call su then you will be asked for password, unless you are root.

To be able to re-nice with negative values, the process will need:

0

You can't. That is the point of the system. No ordinary user may increase the priority of his tasks.

guntbert
  • 1,637
0

No way for a process to elevate its own privileges.

There is absolutely no way for a process to elevate its privileges. If it could then it would already have them.

If a process has real or saved uid elevated, then it can copy this uid into the effective uid; if it has permitted capabilities then it can copy these to the effective set, but it must have these privileges to start with. You cannot magic them out of thin air (what good is a lock that you can create a key for at will?).

So how do you elevate privileges in Unix (including Gnu/Linux)?

(be careful with this, for experts only)

There are 2 ways (traditionally one, but they are both similar, and the original may one day disappear). For both it happens when you call exec. (OK, I lied above, because after exec is run we are in the same process, with changed privileges, but running new code.)

  • set the setuid and/or setgid bit of an executable file: when the file is execed the user id and/or the group id will change to that of the file (possibly root) (this does not work for scripted languages on most Unixes).
  • set capability bits of an executable file: when the file is execed the process will gain the capabilities set in the file. This is now the recommended method.
    • If you are converting a setuid root program to capabilities, then you set the permitted capabilities as needed, and set the effective bit (this will copy all permitted into effective).
    • As you are writing a new program, it can be capabilities aware, so best not to set the effective bit; your program can copy and clear the effective capabilities as needed (this reduces the impact of a bug, including exploits).

Example:

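//renice.cc
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <unistd.h>
#include <sys/capability.h>

// Report a failed call and exit.
static void die(const char *what) {
  perror(what);
  exit(EXIT_FAILURE);
}

class Renice {
  cap_t original_cap_state;  // capability sets as they were at start-up
  cap_t can_nice_cap_state;  // same, with CAP_SYS_NICE raised in the effective set
  cap_value_t cap_list[1];

public:
  Renice() {
    original_cap_state = cap_get_proc();
    if (original_cap_state == NULL)
      die("cap_get_proc");
    can_nice_cap_state = cap_get_proc();
    if (can_nice_cap_state == NULL)
      die("cap_get_proc");
    cap_list[0] = CAP_SYS_NICE;
    if (cap_set_flag(can_nice_cap_state, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1)
      die("cap_set_flag");
  }

  ~Renice() {
    // Free both capability states allocated in the constructor.
    if (cap_free(can_nice_cap_state) == -1)
      perror("cap_free");
    if (cap_free(original_cap_state) == -1)
      perror("cap_free");
  }

  void new_value(int v) {
    // Raise CAP_SYS_NICE only for the duration of the nice() call.
    if (cap_set_proc(can_nice_cap_state) == -1)
      die("cap_set_proc");

    errno = 0;  // nice() can legitimately return -1, so check errno as well
    if (nice(v) == -1 && errno != 0)
      perror("nice");

    // Drop the capability from the effective set again.
    if (cap_set_proc(original_cap_state) == -1)
      die("cap_set_proc");
  }
};

int main () {
  Renice renice;
  renice.new_value(-1);
  nice (-2); //won't work, capability no longer set
  sleep (30);
}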
  • compile with: g++ renice.cc -lcap
  • set capabilities with: sudo setcap CAP_SYS_NICE+p a.out
  • run with: ./a.out
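
To see the permitted versus effective distinction from the last answer on a running process, the following added example (not code from the original post) decodes the CapPrm and CapEff masks in /proc/<pid>/status and reports whether CAP_SYS_NICE is raised, only permitted, or absent. The function names and the sample status text are constructed for this illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <sstream>
#include <string>

constexpr unsigned kCapSysNice = 23;  // CAP_SYS_NICE in <linux/capability.h>

struct CapMasks {
  uint64_t permitted = 0;
  uint64_t effective = 0;
  bool ok = false;  // true once both CapPrm and CapEff were found
};

// Parse the CapPrm/CapEff lines from the text of /proc/<pid>/status.
CapMasks parse_status(const std::string &status) {
  CapMasks m;
  bool have_prm = false, have_eff = false;
  std::istringstream in(status);
  std::string line;
  unsigned long long v;
  while (std::getline(in, line)) {
    if (sscanf(line.c_str(), "CapPrm: %llx", &v) == 1) { m.permitted = v; have_prm = true; }
    if (sscanf(line.c_str(), "CapEff: %llx", &v) == 1) { m.effective = v; have_eff = true; }
  }
  m.ok = have_prm && have_eff;
  return m;
}

// "effective": CAP_SYS_NICE is already raised (file set with +ep, or root).
// "permitted": held but not raised; the program must raise it itself (+p).
// "none": the process does not hold CAP_SYS_NICE at all.
const char *nice_cap_state(const CapMasks &m) {
  const uint64_t bit = uint64_t{1} << kCapSysNice;
  if (!m.ok) return "unknown";
  if (m.effective & bit) return "effective";
  return (m.permitted & bit) ? "permitted" : "none";
}

// Constructed sample: status excerpt for a process exec'ed from a file with CAP_SYS_NICE+p.
const char kSamplePermittedOnly[] =
    "Name:\ta.out\nCapInh:\t0000000000000000\nCapPrm:\t0000000000800000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n";

int main() {
  std::stringstream live;
  live << std::ifstream("/proc/self/status").rdbuf();  // this process (Linux only)
  printf("sample: %s\n", nice_cap_state(parse_status(kSamplePermittedOnly)));
  printf("self:   %s\n", nice_cap_state(parse_status(live.str())));
}
```

Auditing a host for binaries whose processes show "effective" without needing it is a quick way to find candidates for the narrower +p setup the answer recommends.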