Ohad Levy wrote:
for embedded platform development, its required to create devices
which are hardware specific (i.e. our own modules).
any way to reduce the risk?
Thanks
Are these modules loaded into the running kernel, or are they just being
created so they can be saved to the image for later extraction on the
actual platform.
If the former, I don't know the details, but it should be possible to
construct the modules such that when they are loaded udev will
automatically create the device files for them. Then give them access to
insmod and rmmod (via sudo) only for those specific modules.
If it's the later, then there is no need to give them root permission,
of any kind, at all. Use fakeroot (or my very own fakeroot-ng) to create
something that appears to the process that created them to be device
files. Then run tar/mkcramfs/mksquashfs/whatever from within the same
fake root process, and it will create the image with the right permissions.
Last, you can give them sudo permissions to create only the specific
device files needed. This is only recommended for the first case, though.
Sample session with fakeroot-ng:
[EMAIL PROTECTED]:~$ mkdir /tmp/dir
[EMAIL PROTECTED]:~$ cd /tmp/dir
[EMAIL PROTECTED]:/tmp/dir$ fakeroot-ng -pstate mkdir dev
[EMAIL PROTECTED]:/tmp/dir$ fakeroot-ng -pstate mknod dev/sda b 8 0
Notice how the "mknod" call succeeded. Did it create a block device?
[EMAIL PROTECTED]:/tmp/dir$ ls -la dev
total 8
drwxr-xr-x 2 sun sun 4096 May 5 14:51 .
drwxr-xr-x 3 sun sun 4096 May 5 14:51 ..
-rw-r--r-- 1 sun sun 0 May 5 14:51 sda
No. sda is just a regular file. However, fakeroot will tell you it did:
[EMAIL PROTECTED]:/tmp/dir$ fakeroot-ng -pstate ls -la dev
total 8
drwxr-xr-x 2 root root 4096 May 5 14:51 .
drwxr-xr-x 3 sun sun 4096 May 5 14:51 ..
brw-r--r-- 1 root root 8, 0 May 5 14:51 sda
Suddenly it's owned by root, and is a block device, just like it's
supposed to be. Let's tar the directory from within fakeroot-ng:
[EMAIL PROTECTED]:/tmp/dir$ fakeroot-ng -pstate tar cvzf dev.tgz dev
dev/
dev/sda
Now, even without fakeroot-ng, the tar file contains a block device
owned by root:
[EMAIL PROTECTED]:/tmp/dir$ tar tvzf dev.tgz
drwxr-xr-x root/root 0 2008-05-05 14:51 dev/
brw-r--r-- root/root 8,0 2008-05-05 14:51 dev/sda
If we examine the directory we will also see the "state" file, where
fakeroot-ng stored the data between invocations so that it can be
consistent in how it lies:
[EMAIL PROTECTED]:/tmp/dir$ ls -la
total 160
drwxr-xr-x 3 sun sun 4096 May 5 14:52 .
drwxrwxrwt 14 root root 143360 May 5 14:51 ..
drwxr-xr-x 2 sun sun 4096 May 5 14:51 dev
-rw-r--r-- 1 sun sun 143 May 5 14:52 dev.tgz
-rw-r--r-- 1 sun sun 150 May 5 14:52 state
Obviously, nothing is owned by root.
You can get fakeroot from http://fakeroot.alioth.debian.org/, and
fakeroot-ng from http://sourceforge.net/projects/fakerootng. Fakeroot is
automatically available in any version of Debian that was released for
the past, oh, at least 10 years. Fakeroot-ng is available in Sid and Lenny.
Shachar
