GIVERTCAP HOME PAGE

GIVERTCAP is a small Linux application that is used to give other applications real-time capabilities. With the aid of givertcap you can run real-time applications (audio- and video-processing apps, for example) with high priority without running the application as root. Your application gets a collection of capabilities that allow it to run at very high priority.

Givertcap was created to overcome the lack of capability support in Linux file systems. Once the Linux file systems start to have the necessary functions themselves, this app becomes unnecessary.

To use this app you need to compile it and make it setuid-root. After this, other applications can use this mini-app to gain the capabilities that are necessary for real-time operation.

This page has information on how to get the software, how to install/uninstall it and how to use it in your own software.

WARNING: THIS APPLICATION DOES MAKE YOUR SYSTEM MORE INSECURE !!

While nobody should be able to get root-access to anything with givertcap, setuid apps are ALWAYS a potential security risk -- no matter how small, compact or well-debugged they are.

LICENSE

Givertcap is licensed under the GNU Public License version 2.

DOWNLOAD

Download/view the source "givertcap.C" (3 kb)

REQUIREMENTS

To be able to use givertcap you need to have the following things at hand:
  1. Patched Linux kernel
  2. The "libcap" library

PATCHING THE KERNEL

The kernel is patched by changing two lines in the header "linux/capability.h":

#define CAP_INIT_EFF_SET    ( ~0 )
#define CAP_INIT_INH_SET    ( ~0 )

I used to recommend the following, but it seems that it won't work with some new compiler/kernel combinations:

#define CAP_INIT_EFF_SET    { ~0 }
#define CAP_INIT_INH_SET    { ~0 }

(For further information see chapter 10 of the capfaq-0.2 document ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt)

INSTALLING LIBCAP

ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/). You may also find precompiled packages for your Linux distribution in some other places like www.rpmfind.net.

Here is a ready-made search from rpmfind.net for you. And this is a Google search for you.

EXAMPLE INSTALLATION

Givertcap does not need any installation scripts -- the following lines of code should do the job:
   g++ -Wall -O2 givertcap.C -o givertcap -lcap
   cp givertcap /usr/local/bin/
   chown root /usr/local/bin/givertcap;
   chgrp users /usr/local/bin/givertcap;
   chmod 4755 /usr/local/bin/givertcap;

EXAMPLE UNINSTALLATION

   rm /usr/local/bin/givertcap

TO ENHANCE SECURITY

You may want to limit the number of people who can access this application. Probably the easiest way to do this is to create a new group on your machine and set the permissions of givertcap to allow only those in the group to run it. EXAMPLE:
   1) Create group "rtusers"
   2) Run the following commands:

   chown root /usr/local/bin/givertcap;
   chgrp rtusers /usr/local/bin/givertcap;
   chmod 4750 /usr/local/bin/givertcap;
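
The restricted setup above can be checked after installation. The following shell function is an added example, not part of givertcap or of the original page: check_givertcap is a hypothetical name, the defaults (root, rtusers, mode 4750) are the values given above, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the givertcap distribution): audit a givertcap
# install against the restricted setup. check_givertcap is a hypothetical
# helper; defaults are the page's values. Requires GNU stat (coreutils).

check_givertcap() {
    bin=$1
    want_owner=${2:-root}
    want_group=${3:-rtusers}
    rc=0

    # A symlink or missing file cannot be audited meaningfully.
    if [ -L "$bin" ] || [ ! -f "$bin" ]; then
        echo "FAIL: $bin is missing, a symlink, or not a regular file"
        return 2
    fi

    owner=$(stat -c %U "$bin")
    group=$(stat -c %G "$bin")
    mode=$(stat -c %a "$bin")                  # octal string, e.g. 4750
    dmode=$(stat -c %a "$(dirname "$bin")")    # containing directory

    [ "$owner" = "$want_owner" ] ||
        { echo "FAIL: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "FAIL: group is $group, expected $want_group"; rc=1; }

    # Setuid bit (04000): the page requires givertcap to be setuid-root.
    [ $(( 0$mode & 04000 )) -ne 0 ] ||
        { echo "FAIL: setuid bit missing (mode $mode)"; rc=1; }
    # No access at all for "others": this is what 4750 changes from 4755.
    [ $(( 0$mode & 0007 )) -eq 0 ] ||
        { echo "FAIL: world-accessible (mode $mode), any user can run it"; rc=1; }
    # Group members may run the binary but must not be able to modify it.
    [ $(( 0$mode & 0020 )) -eq 0 ] ||
        { echo "FAIL: group-writable (mode $mode)"; rc=1; }
    # A directory writable by group/others allows the binary to be replaced.
    [ $(( 0$dmode & 0022 )) -eq 0 ] ||
        { echo "FAIL: directory of $bin is group/world-writable (mode $dmode)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $bin is $owner:$group mode $mode"
    return "$rc"
}

# Run directly when given a path, e.g.: sh check.sh /usr/local/bin/givertcap
if [ "$#" -gt 0 ]; then check_givertcap "$@"; fi
```

The function returns 0 when everything matches, 1 when any check fails and 2 when the file cannot be examined, so it can be used from a cron job or a package post-install step.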

HOW TO USE IT IN YOUR SOFTWARE

The correct way to use givertcap is to make your real-time critical applications call givertcap as they are launched.

The following code is taken directly from Mustajuuri. I encourage the use of the environment variable "GIVERTCAP" so that users can override the default path if necessary.

#include <stdlib.h>  // getenv(), system()

/** The path to the application that gives us the necessary
    capabilities. The "capability application" should be able to pass
    this application the necessary capabilities without any command
    line arguments.

    If this variable is null then the system tries to get the path of
    the application from environment variable "GIVERTCAP". If the
    variable is not defined, then default path is used:
    "/usr/local/bin/givertcap". 

    This variable is used in MJ_RootPowers::getCapabilities.
*/
const char *MJ_RootPowers::m_capApplication = 0;

/** Get real-time capabilities to this process. This method is only
    useful on Linux. This method is also defined on other systems but
    it does nothing on them.

    @see MJ_RootPowers::m_capApplication.
*/
void MJ_RootPowers::getCapabilities()
{
#ifdef __linux__
  const char * app = m_capApplication;

  if(!app) app = getenv("GIVERTCAP");

  if(!app) app = "/usr/local/bin/givertcap";

  system(app);
#endif // __linux__
}

Probably the easiest way to get going is to cut and paste the code above into your application and make the necessary modifications.

AUTHOR

This wonderful display of pure programming skill was made by Tommi Ilmonen (Tommi Ilmonen@hut.fi).

BACKGROUND

This app was created to make it easier to run my audio app Mustajuuri with real-time capabilities. It should not be too difficult to add support for givertcap to any application.

It seems some other projects are using it as well, for example MusE.


Last modified: Fri Oct 26 10:30:55 EEST 2001