Anyone know how to access RasPi GPIO without sudo?

Question

I've finally gotten around to playing with RasPi GPIOs, using Gert van Loo and Dom's C code at the RasPi Wiki. It works fine, except that you have to run the executable as root or use sudo to access /dev/mem.

Does anyone here know how to access /dev/mem as a normal user?

rew · Accepted Answer

Unix has a "security model". As a normal users you can do stuff, but you should not be able to access other people's files on the same computer. And as a user you should not be able to cause the computer to stop working.

This means that as a rule, you should not be able to directly access hardware, like the physical memory of the computer. So that's why /dev/mem is protected so that normal users cannot access it.

Now "/dev/mem" allows you much, much more "mischief" than just changing a GPIO. So that's why /dev/mem must be protected against normal users.

If "allowable" things need to happen, the normal way to achieve this is to make a setuid program. The program GETS the priviledges needed once it is executed, the program then checks permissions (if neccessary) and then allows you to do the little thing you wanted.

As an example, the system cannot and should not allow you to insert a random packet onto the network. However the operating system does not provide a way to send "ICMP ECHO REQUEST" packets. There is a program that does that: "ping"! So the ping program gets privileges, uses that to send a carefully prepared ICMP ECHO REQUEST packet, and display the results. Although it uses the system mechanism for "sending arbitrary packets", it should restrict you to only send the innocent ICMP ECHO REQUEST packets. The ping program doesn't have any further permission checking (that I know of).

Now back to your problem...
If you make a little program that allows you to manipulate just the GPIO outputs, that won't allow you to cause all the other mischief you'd be able to make with "/dev/mem" access, then you can install that program with superuser permissions (setuid) and then you can use that program as a normal user.

I have written such a program. IIRC, it is contained in this package:

http://www.bitwizard.nl/software/gpio_spi_i2c_20120419.tgz

The program can be made setuid by doing:

sudo chown root <program name>

sudo chmod 4755 <program name>

The program I wrote has NOT been checked for security in this scenario.

The responsibility of "keeping the system safe" is moved from the kernel to the program with the elevated permissions. So if the "ping" program contained a bug that, say, would allow hackers to specify arbitrary network packets, then the protection of the system that normal users cannot send arbitrary network packets breaks down.

Former Member · Answer

Keith Chiem wrote: $ sudo chown pi /dev/mem That will not work. As well as any access controls imposed by the filesystem, you also need to have capability CAP_SYS_RAWIO to open the /dev/mem device. So you do need to be setuid root (or setcap). Note that you do not need any special permissions for any of the later steps, however. So you can start as root, open /dev/mem, drop privileges with set(res)uid, mmap just the registers you need, close the device to make it impossible to map any more, and then continue with the rest of your code safely.

Former Member · Answer

Does anyone here know how to access /dev/mem as a normal user? Don't do that. There's a device driver for the gpios that can be made to expose them under /sys/class/gpio. Access is comparitively slow, but at least it's safer than messing with /dev/mem You can find documentation for 'gpiolib' towards the end of Documentation/gpio.txt in any recent linux kernel source tree. There you'll find out how to export particular gpios to userspace. Note that you likely still need to chown some files under /sys/class/gpio to allow user access after exporting them as root. Roger is quite right on the security model - consider that gpio's will often be connected to something that sensitive and you should understand why you normally need root to access them. Here's a trivial example in bash echo 55 > /sys/class/gpio/export echo out > /sys/class/gpio/gpio55/direction echo 1 > /sys/class/gpio/gpio55/value however note that 55 isn't a valid value unless you've added a gpio expander like the mcp23008 I'm using, and recompiled the kernel appropriately.