Correct Way to Modify Date/Time/Timezone?

AM62 Q 1GB WB IT V1.0A
Mallow Board V1.1A
TorizonCore 6.7.0 Build 23

I am working on a Python project that has a user interface. The device will be shipped around the world and many installations will be without any internet connection throughout their life. Due to this, we allow the end user to modify their Date/Time/Timezone settings directly through the user interface.

I am aware of timedatectl and have no issue using this to modify the time information; however, I want to make sure I am not doing something I shouldn’t be in terms of security. To update the timedatectl currently I need to use sudo, which means I would need to provide a username/password through my Python script, if I’m not mistaken. This seems like a potential security risk.

Is that the only way to do that? Is there any way to set it up so I don’t have to hold a username/password in my Python script to change the date and time?

Hi, I’m the Toradex AI Assistant. I’m in early beta, and I would appreciate your feedback.
The Toradex Support team will follow up with you shortly!


Hand-shake,

To address your concern about modifying date, time, and timezone settings without embedding sudo credentials in your Python script, consider the following approach which enhances security and maintains the integrity of your application:

  1. Create a dedicated system service: Write a small, dedicated service that runs with the necessary permissions to execute timedatectl commands. Your Python application can communicate with this service through inter-process communication (IPC) mechanisms such as D-Bus, sockets, or even REST APIs if you prefer a web service approach. This service acts as a middleman, receiving requests from your application and executing the timedatectl commands on its behalf.

  2. Use Polkit (PolicyKit): Polkit allows for more granular control over system-wide privileges. You can write a Polkit policy that specifically allows changing the system time without requiring a password for users in a certain group or for specific commands. Your Python application can then invoke timedatectl commands without needing sudo, provided the user under which the application runs is authorized by your Polkit policy.

  3. Set up sudoers file: If the above methods seem too complex or are not suitable for your project, a simpler but less recommended approach is to configure the sudoers file to allow passwordless execution of the timedatectl command for a specific user or group. This method involves editing the /etc/sudoers file (preferably using visudo to prevent syntax errors) to include a line that specifies your application’s user can run timedatectl as root without a password. However, this method should be used cautiously as it can potentially introduce security risks if not tightly controlled.

Each of these methods has its advantages and considerations. The first method provides a clean separation of concerns and encapsulates the functionality within a dedicated service, offering a more secure and modular approach. The second method leverages existing Linux security infrastructure to finely control permissions. The third method is the simplest to implement but requires careful management to avoid security pitfalls.

Choose the method that best fits your application’s architecture, security requirements, and your team’s expertise.

Best regards, Toradex AI Assistant

Please, also check if these links can help you solve your problem:

Real-Time Clock / RTC (Linux) | Toradex Developer Center.
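The Python side of the Polkit option described above, as an added example that is not part of the original thread or of Toradex's code: the UI's values are validated and passed to timedatectl as an argument list, with no sudo and no stored password. It assumes a polkit rule already authorizes the application's user for the `org.freedesktop.timedate1` set-time and set-timezone actions and that the binary is at `/usr/bin/timedatectl`; the function names are hypothetical.

```python
import re
import subprocess
from datetime import datetime

# Assumptions: a polkit rule already authorizes this process's user for
# org.freedesktop.timedate1.set-time / set-timezone, and the binary path below.
TIMEDATECTL = "/usr/bin/timedatectl"  # absolute path, no PATH lookup
BASE = [TIMEDATECTL, "--no-ask-password"]  # fail instead of prompting
TZ_SHAPE = re.compile(r"[A-Za-z][A-Za-z0-9_+-]*(/[A-Za-z0-9_+-]+){0,2}")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def build_set_time(value):
    """Return argv for a UI-supplied 'YYYY-MM-DD HH:MM:SS' string."""
    try:
        parsed = datetime.strptime(value, TIME_FORMAT)
    except (TypeError, ValueError) as exc:
        raise ValueError(f"rejected time value: {value!r}") from exc
    # Re-serialize from the parsed object so only canonical text reaches argv.
    return BASE + ["set-time", parsed.strftime(TIME_FORMAT)]


def build_set_timezone(name, known_zones):
    """Return argv for a timezone that is well-formed and known to the system."""
    if not isinstance(name, str) or not TZ_SHAPE.fullmatch(name):
        raise ValueError(f"rejected timezone name: {name!r}")
    if name not in known_zones:
        raise ValueError(f"unknown timezone: {name!r}")
    return BASE + ["set-timezone", name]


def list_timezones():
    """Ask the system which zones it has (read-only, needs no privilege)."""
    result = subprocess.run([TIMEDATECTL, "list-timezones", "--no-pager"],
                            capture_output=True, text=True, check=True, timeout=10)
    return set(result.stdout.split())


def run_command(argv):
    """Run a prepared argv as a list (never through a shell); True on success."""
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return done.returncode == 0


if __name__ == "__main__":
    zones = {"UTC", "Europe/Zurich", "America/Sao_Paulo"}  # constructed sample
    print(build_set_time("2024-06-01 12:30:00"))
    print(build_set_timezone("Europe/Zurich", zones))
```

On the device, `run_command(build_set_timezone(name, list_timezones()))` applies the change; a `False` return with the polkit rule missing shows up as an authorization failure rather than a password prompt.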

While the suggested solutions above seem to be valid, one component of this that is not covered is that of production programming. All of the above solutions would require one-off work for each specific board if I am not mistaken.

I am new to Torizon and am used to a custom Yocto build, which I believe isn’t 100% necessary for my application when using Torizon. I have cursory awareness of TorizonCore Builder, and it seems like I need to learn more about that tool to accomplish this task from a production programming standpoint.

I’ll consider the above answer as a solution for now until I gain more familiarity with production programming on Torizon.

Time in general is one of those things in Linux which generally require some kind of higher permissions in order to manipulate. Either that or you need higher permissions to change the default policies in order to manipulate time with lower permissions. Either way it’s not something Linux systems let you do so casually.

This is for good reason though since malicious manipulation of time on the system can result in many strange issues or consequences. Though I believe the ToradexAI has covered this fairly well, I just wanted to elaborate.

While the suggested solutions above seem to be valid, one component of this that is not covered is that of production programming. All of the above solutions would require one-off work for each specific board if I am not mistaken.

Most of the suggestions from the ToradexAI should be doable using TorizonCore Builder. Once your customizations are in place, TorizonCore Builder can create a custom image that can then be flashed in production using Toradex Easy Installer. For a high-level overview of this process, the following article is a good starting point: Production Programming in Torizon | Toradex Developer Center

Best Regards,
Jeremias