5.5.2. - Accessing Protected I/O Ports On PC Platforms Running linux
In order to enable spec's built-in support for certain instrument control and data acquisition devices, spec needs access to resources that are generally off limits to normal users. For some hardware, spec needs access to /dev/mem to map PCI/PCIe memory space to the spec process ("dac override" capability, which overrides discretionary access control, that is, bypasses file access permissions). On some recent Linux platforms, PCI/PCIe cards used by spec are disabled on boot by the Linux kernel, and spec needs escalated privileges to enable the cards ("sys admin" capability). If udev rules are not in place to set permissions for USB devices supported by spec, spec will use escalated permissions to open the device nodes (also "dac override" capability). For some older PC cards, spec needs direct access to I/O ports, which it gains using the iopl() system call ("sys rawio" capability).
Up until spec release 6.05.01, access was achieved by making spec a set-user-id root executable. With current releases, the Linux capabilities facility is used. If the Linux platform lacks the setcap command, spec will use set-user-id root mode, as before. The command to set capabilities is the following:
setcap "cap_dac_override=ep cap_sys_rawio=ep cap_sys_admin=ep" specThe command to make spec set-user-id root is:
chown root spec && chmod u+s specThe spec Install script will automatically execute one or the other of the above commands on Linux platforms if the script is run by the root user.
To protect the system whether using setcap or set-user-id mode, spec turns off all special privileges immediately on program start up and only enables the capabilities around the few lines of code used to gain access to the otherwise unavailable resources.