Gentoo Forums
[Solved] Conky/fluxbox and /proc kernel restrictions
abduct (Apprentice; joined 19 Mar 2015; posts: 203)
Posted: Sun Apr 05, 2015 10:23 pm    Post subject: [Solved] Conky/fluxbox and /proc kernel restrictions

Hi

I am running a hardened Gentoo kernel and I have enabled the /proc restrictions, along with restricting users to only their own processes within /proc, and I believe this is making conky misbehave within fluxbox.

The problem is that Conky is trying to access thermal and battery information from within /sys/class/thermal/thermal_zone1/temp and /sys/class/power_supply/BAT1/uevent, and it is getting permission denied errors, resulting in data I would like to display showing up empty or as zero values. When I try to set permissions on these files and sub-directories there is still something limiting my access that I cannot control: if I issue an "ls -alh" command on the /sys/class/ directory as my regular user, all permissions show up as question marks.

Right now I have fixed this by way of setting up a NOPASSWD sudo rule to allow fluxbox to start conky as root, in which it has access to all the needed files, but this is incredibly dangerous since conky config files can launch and execute bash commands from its configuration files.

Is there a way to allow conky to access these files as an unprivileged user, or somehow configure sudo to only permit access to specific files as root for the conky process?

Thanks for your time.


Last edited by abduct on Wed Apr 15, 2015 7:22 pm; edited 1 time in total
abduct
Posted: Thu Apr 09, 2015 2:18 am

Does anyone have a solution or some hints to ways I could possibly fix this?

I was looking at the kernel and I noticed that you can enable a user group which would have unrestricted access to these files it seems. This would mean I can run conky as its own user and add it to this special group.

The downside to this though is that most of its user-dependent features would break, such as which processes are running and how much RAM/CPU time they are taking up.

Adding my own user to this group would defeat the entire purpose of enabling it in the first place.
abduct
Posted: Wed Apr 15, 2015 7:22 pm

Solved this with a little restructuring of how I gather information. Rather than using the conky built-ins to fetch restricted data, I wrote bash scripts, chmod 0100 root:root, to fetch the desired information (temp, battery %, etc.) from /sys/ and then set up a passwordless sudo only for those bash scripts.

This way no other user can modify the scripts to gain root privileges, conky is running as my own user again, and I can still get all my information.
All times are GMT
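A worked version of the approach described in the post above, added here as an example (it is not the poster's own script): a root-owned, mode 0100 shell script that reads the two /sys files named in the thread and prints values for conky to pick up with execi, together with the matching sudoers line. The install path /usr/local/sbin/conky-sensors and the user name abduct are assumptions; the /sys paths are the ones from the first post.

```shell
#!/bin/sh
# conky-sensors: read thermal and battery data from /sys as root and print it
# for conky.  Added example, not the original poster's script.
#
# Install (as root), matching the "chmod 0100 root:root" layout in the post:
#   install -o root -g root -m 0100 conky-sensors /usr/local/sbin/conky-sensors
# sudoers fragment (assumed user "abduct"; the trailing "" means the command
# may only be run with NO arguments, so the caller cannot pass another path):
#   abduct ALL=(root) NOPASSWD: /usr/local/sbin/conky-sensors ""
# conky configuration line (assumed 10 s interval):
#   ${execi 10 sudo -n /usr/local/sbin/conky-sensors}

PATH=/bin:/usr/bin          # never trust the caller's PATH when running as root
export PATH
umask 077

# Paths from the thread; the script reads only these two files.
TEMP_FILE=/sys/class/thermal/thermal_zone1/temp
BAT_FILE=/sys/class/power_supply/BAT1/uevent

# read_temp FILE: print whole degrees C from a thermal_zone temp file, which
# holds millidegrees.  Prints "n/a" if the file is missing or not a number.
read_temp() {
    _raw=$(cat "$1" 2>/dev/null) || { echo "n/a"; return 0; }
    case "$_raw" in
        ''|*[!0-9]*) echo "n/a"; return 0 ;;
    esac
    echo $((_raw / 1000))
}

# read_battery FILE: print charge percentage from a power_supply uevent file.
# Uses POWER_SUPPLY_CAPACITY when the driver reports it, otherwise derives it
# from ENERGY_NOW/ENERGY_FULL or CHARGE_NOW/CHARGE_FULL.  Prints "n/a" if
# neither is available.
read_battery() {
    [ -r "$1" ] || { echo "n/a"; return 0; }
    awk -F= '
        $1 == "POWER_SUPPLY_CAPACITY"    { cap  = $2 }
        $1 == "POWER_SUPPLY_ENERGY_NOW"  { now  = $2 }
        $1 == "POWER_SUPPLY_ENERGY_FULL" { full = $2 }
        $1 == "POWER_SUPPLY_CHARGE_NOW"  { now  = $2 }
        $1 == "POWER_SUPPLY_CHARGE_FULL" { full = $2 }
        END {
            if (cap != "")         print cap
            else if (full + 0 > 0) print int(100 * now / full)
            else                   print "n/a"
        }' "$1"
}

# report TEMP_FILE BAT_FILE: the lines conky displays.  Command-line arguments
# to the script are deliberately ignored; the sudoers rule above forbids them.
report() {
    echo "temp=$(read_temp "$1")"
    echo "battery=$(read_battery "$2")"
}

report "$TEMP_FILE" "$BAT_FILE"
```

The script never opens anything but the two fixed /sys paths, takes no arguments, and sets its own PATH, so even with a NOPASSWD rule the only thing a local user gains is the two sensor values. `sudo -n` makes sudo fail instead of prompting, so a misconfigured rule shows up as "n/a" in conky rather than a hung execi. The `""` in the sudoers entry is what stops `sudo /usr/local/sbin/conky-sensors /some/other/file` from ever matching the rule.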