linux real-time

How to set CAP_SYS_NICE capability to a Linux user?


My program is using the Linux system call setpriority() to change the priorities of the threads it creates. It needs to set negative priorities (-10) but, as mentioned in the documentation, this fails when run as a normal user.

The user needs the CAP_SYS_NICE capability to be able to set the priorities as he wants, but I have no idea how to give such capability to the user.

So my question: how to set CAP_SYS_NICE capability to a Linux user?


Solution

  • Jan Hudec is right that a process can't just give itself a capability, and a setuid wrapper is the obvious way to get the capability. Also, keep in mind that you'll need to prctl(PR_SET_KEEPCAPS, ...) when you drop root. (See the prctl man page for details.) Otherwise, you'll drop the capability when you transition to your non-root real user id.

    If you really just want to launch user sessions with a different allowed nice level, you might see the pam_limits and limits.conf man pages, as the pam_limits module allows you to change the hard nice limit. It could be a line like:

    yourspecialusername hard nice -10
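
The setuid-wrapper sequence described in the answer above, as an added example that is not part of the original answer. It assumes the binary is installed setuid root; the function names only_cap and drop_root_keep_nice are hypothetical, and the raw capset system call is used so that libcap is not required.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build a capability set holding only `cap` (permitted + effective). */
static void only_cap(struct __user_cap_data_struct d[2], int cap)
{
    memset(d, 0, 2 * sizeof d[0]);
    d[CAP_TO_INDEX(cap)].permitted = CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].effective = CAP_TO_MASK(cap);
}

/* Call while the effective uid is still root (assumed: setuid-root binary).
 * Switches to uid/gid for good but keeps CAP_SYS_NICE. Returns 0 or -1. */
static int drop_root_keep_nice(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    /* Without this, the permitted set is emptied when the uids leave 0. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* KEEPCAPS preserves only the permitted set; the effective set was
     * cleared by the uid change. Shrink permitted to CAP_SYS_NICE alone
     * and raise it in the effective set again. */
    only_cap(d, CAP_SYS_NICE);
    return (int)syscall(SYS_capset, &h, d);
}

int main(void)
{
    if (drop_root_keep_nice(getuid(), getgid()) != 0) {
        perror("drop_root_keep_nice");
        return 1;
    }
    if (setpriority(PRIO_PROCESS, 0, -10) != 0) {
        perror("setpriority");
        return 1;
    }
    printf("uid=%d nice=%d\n", (int)getuid(), getpriority(PRIO_PROCESS, 0));
    return 0;
}
```

Every other capability root held is discarded by the capset call, so the process continues as the invoking user with CAP_SYS_NICE only.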