Re: udev permissions for USB

On Wed, Oct 20, 2010 at 16:07, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, 20 Oct 2010, Xiaofan Chen wrote:
>
>> On Wed, Oct 20, 2010 at 5:54 AM, Peter Stuge <peter@xxxxxxxx> wrote:
>> > Tim Roberts wrote:
>> >> ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="hhhh", MODE="666"
>> >
>> > Please note that 666 is never a good mode to use. It means that every
>> > user in the system has direct access to the hardware device. In
>> > practice it removes all security from the system.
>> >
>> > Please make use of relevant groups, and use a mode like 660 or
>> > ideally only allow a single user access with mode 600.
>>
>> I think your recommendation is good. Unfortunately
>> the default udev rule for libusb device is not
>> really following your recommendation.
>>
>> From udev 163 release's 50-udev-default.rules.
>> # libusb device nodes
>> SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
>>
>> I wonder if this is better changed to using the "usb" or "plugdev"
>> group and "0660". Then it is quite easy to ask the user to
>> add them to the "usb" or "plugdev" group in order to use libusb
>> based application as non-root user.

Users are not put into any groups for device access these days.

Certain classes of USB devices like printers, fingerprint readers,
scanners, webcams, ... get ACLs assigned for locally logged-in users
only.

Group permissions on devices can be used from remote-logins which
needs to be prevented for security reasons, like you don't want
anybody logged-in over ssh to enable your webcam, or listen to your
sound card.

Kay
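
An added example, not part of the original thread: a small Python check that scans udev rules text for MODE assignments and classifies them by the world permission bits discussed above. The function names and the sample string are constructed for illustration (the rules in it are the ones quoted in the thread), and it looks at mode bits only, so it does not capture the point about ACLs for locally logged-in users.

```python
import re

# MODE / GROUP assignments ("=" or ":="); "==" and "!=" comparisons do not match.
MODE_RE = re.compile(r'\bMODE\s*:?=\s*"([0-7]{3,4})"')
GROUP_RE = re.compile(r'\bGROUP\s*:?=\s*"([^"]+)"')

# Constructed sample: the rules discussed in the thread ("hhhh" is the thread's
# own placeholder vendor ID; the last rule is the proposed group variant).
SAMPLE_RULES = '''\
# local overrides
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="hhhh", MODE="666"
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \\
    GROUP="plugdev", MODE="0660"
'''

def logical_lines(text):
    """Yield (first_line_number, rule), skipping comments and joining '\\' continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", 0

def audit(text):
    """Return (line, mode, group, verdict) for every rule that assigns MODE."""
    findings = []
    for lineno, rule in logical_lines(text):
        m = MODE_RE.search(rule)
        if not m:
            continue
        mode = int(m.group(1), 8)
        g = GROUP_RE.search(rule)
        if mode & 0o002:      # "other" write bit: any user can drive the device
            verdict = "world-writable"
        elif mode & 0o004:    # "other" read bit only
            verdict = "world-readable"
        else:
            verdict = "no-world-access"
        findings.append((lineno, m.group(1), g.group(1) if g else None, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```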