Configuring Meinberg PCI Cards or USB Devices Without Admin Rights
(A German version of this text is available here)
Unprivileged users typically do not have permission to change the computer's system time, and they should not be able to change settings on devices that could indirectly do so.
When synchronizing computers using Meinberg PCI cards or USB devices, extended privileges (administrator or “root” privileges) are usually required to change settings that affect the computer's time synchronization using these clocks.
Without the required privileges, it is usually only possible to view and check the status and current settings, but most settings cannot be changed.
It is important to distinguish where extended privileges are needed. For example, changing the system time, starting or stopping services, etc., requires real operating system-level privileges, e.g., administrator privileges under Windows or “root” privileges under Linux and other Unix-like operating systems.
Additionally, there is a privilege check in the device drivers that determines whether or not certain configuration settings may be sent to a device.
Normally, this is also only permitted if extended privileges are available.
However, for some special applications, such as testing or commissioning, it may be useful or necessary to allow certain device configuration settings to be changed even without full administrator privileges.
Device Configuration Without Admin Rights Under Windows
If the monitor program mbgmon.exe from the Windows driver package is started without administrator rights, all buttons and menus that trigger actions that require administrator rights are normally grayed out, and the following message then appears in the window title bar: (Running without admin rights)
If writing configuration data is to be allowed anyway, a specific value has to be set in the registry once. To do this, run the regedit program and navigate to the path containing information about the mbgclock kernel module:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mbgclock\
Unless it already exists, a subkey Parameters must be created under it, and in it a registry entry of type DWORD with the name Omit Access Restrictions and the value 1.
Alternatively, the file under the link below can be imported into the registry to create the entry automatically:
If the monitor program finds this registry value during startup, all buttons that can be used to write configuration data to the device are enabled, even if no real administrator privileges are present.
If the monitor program is then run without explicit administrator rights, this message appears in the window title bar: (Running without full admin rights)
PLEASE NOTE: This parameter only allows write access to the respective device.
Changing the configuration parameters for the time service or starting or stopping
the time service is still not possible, as this requires real admin rights.
Since real admin rights are also required to create this registry entry, it is impossible for an unprivileged user to use this option without the consent of an administrator.
Device Configuration Without Admin Rights Under Linux
Also under Linux, an unprivileged user is prevented by default from changing configuration settings of a device. Here, too, it may be necessary or desirable to override this privilege check during testing or commissioning of a device.
Since the driver package for Linux is always compiled from source code, a parameter OMIT_PRIV_CHECKING for the make program has been introduced for this purpose, which excludes the privilege check from compilation:
cd mbgtools-lx
make clean
make OMIT_PRIV_CHECKING=1
make install
If this parameter is specified, the following message appears when compiling the driver package to warn the user of the consequences:
IOCTL privilege checking is omitted at your own risk!
If the kernel module compiled in this way is loaded, even a non-privileged user can use the tools from
the driver package to change the configuration of the supported PCI cards and USB devices, which in turn
can indirectly affect the computer's time synchronization if the device is used as a reference time source.
For use on a purely test system, where privilege checking is usually always disabled, it may be useful to permanently enter the parameter in the environment so that it is not accidentally forgotten when compiling a new version of the driver package. To do this, the line
export OMIT_PRIV_CHECKING=1
can be added to one of the command-line interpreter's configuration files (e.g., .profile, .bashrc, or similar).
This ensures that the parameter is always taken into account, even if it is not explicitly specified when calling make.
Since the kernel module compiled in this way can only be installed or loaded by a user with “root” privileges, it is ensured that an unprivileged user cannot use this without administrator approval.
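An added example, not part of the original page or of the Meinberg driver package: a POSIX shell audit that reports where OMIT_PRIV_CHECKING is set (the current environment and shell configuration files) and whether the saved output of make contains the warning quoted above. The function names and the practice of saving the make output to a log file (called build.log below) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Meinberg driver package.
# Reports where OMIT_PRIV_CHECKING could reach "make" and whether a saved
# build log shows that the IOCTL privilege check was compiled out.

WARNING='IOCTL privilege checking is omitted at your own risk!'

# Print "file:line:text" for every active (non-comment) line that sets the
# variable. Any value is reported: the page documents only "=1", and how
# the makefile treats other values is not assumed here.
find_omit_settings() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null as a second operand makes grep print the file name.
        grep -nE '^[[:space:]]*(export[[:space:]]+)?OMIT_PRIV_CHECKING=' \
            "$f" /dev/null || :
    done
}

# True if the variable is set to a non-empty value in this shell, which is
# how an "export" line in .profile or .bashrc reaches make.
env_requests_omit() {
    [ -n "${OMIT_PRIV_CHECKING:-}" ]
}

# True if a saved build log (assumed to hold the output of make) contains
# the warning quoted on the page.
log_shows_omitted_check() {
    grep -qF "$WARNING" "$1"
}

# Arguments: the build log, then the shell configuration files to inspect.
# Returns 0 if nothing was found, 1 if there is at least one finding.
audit_priv_checking() {
    log=$1; shift
    findings=0
    if env_requests_omit; then
        echo "environment: OMIT_PRIV_CHECKING=$OMIT_PRIV_CHECKING"; findings=1
    fi
    hits=$(find_omit_settings "$@")
    if [ -n "$hits" ]; then
        echo "$hits"; findings=1
    fi
    if [ -r "$log" ] && log_shows_omitted_check "$log"; then
        echo "$log: build omitted the IOCTL privilege check"; findings=1
    fi
    return "$findings"
}
```

Called as `audit_priv_checking build.log "$HOME/.profile" "$HOME/.bashrc"` before a module is installed on a production host, a non-zero status means the privilege check may have been left out of the build.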
— Martin Burnicki martin.burnicki@meinberg.de, last updated 2025-10-10