On Fri, Oct 22, 2010 at 10:10 PM, Kay Sievers <kay.sievers@xxxxxxxx> wrote:
> On Wed, Oct 20, 2010 at 16:07, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>> On Wed, 20 Oct 2010, Xiaofan Chen wrote:
>>> From udev 163 release's 50-udev-default.rules.
>>> # libusb device nodes
>>> SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
>>>
>>> I wonder if this is better changed to using the "usb" or "plugdev"
>>> group and "0660". Then it is quite easy to ask the user to
>>> add them to the "usb" or "plugdev" group in order to use libusb
>>> based application as non-root user.
>
> Users are not put into any groups for device access these days.
>
> Certain classes of USB devices like printers, fingerprint readers,
> scanners, webcams, ... get ACLs assigned for locally logged-in users
> only.
>
> Group permissions on devices can be used from remote-logins which
> needs to be prevented for security reasons, like you don't want
> anybody logged-in over ssh to enable your webcam, or listen to your
> sound card.
>

I wonder if the default udev rule for libusb device (Mode 0664) follows
your reasoning. I do not think group based rule (Mode 0660 and using
"plugdev" group) is any worse than the default libusb udev rule for
remote logged-in users.

And there are plenty of group based rules in 50-udev-default.rules,
like sound, video and firewire device. E.g. all the lines above the
default libusb rules.

# sound
SUBSYSTEM=="sound", GROUP="audio"
KERNEL=="mixer0", SYMLINK+="mixer"

# DVB (video)
SUBSYSTEM=="dvb", GROUP="video"

# FireWire (firewire-core driver: IIDC devices, AV/C devices)
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", GROUP="video"
SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", GROUP="video"
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", GROUP="video"
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", GROUP="video"

# libusb device nodes
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"

Am I missing something obvious here?

--
Xiaofan
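The following is an added example, not part of the message above or of udev: it parses a subset of the quoted rules plus the proposed "plugdev"/0660 variant and reports what the classic permission bits grant a non-root user, which depends only on group membership and not on whether the session is local or remote. Assumptions: a rule that sets no MODE leaves the node at 0660 owned by root:root, ACLs are ignored, and all function and variable names are hypothetical.

```python
import re

# Rules quoted in the message above (subset).
DEFAULT_RULES = '''\
# sound
SUBSYSTEM=="sound", GROUP="audio"
# DVB (video)
SUBSYSTEM=="dvb", GROUP="video"
# libusb device nodes
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
'''
# Constructed from the suggestion in the thread ("plugdev" group and 0660).
PROPOSED_RULE = ('SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
                 'GROUP="plugdev", MODE="0660"\n')

# key, operator, quoted value, e.g. ENV{DEVTYPE} == "usb_device"
TOKEN = re.compile(r'([A-Z]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

def parse_rules(text, default_group="root", default_mode=0o660):
    """Return one dict per rule: match keys plus resulting group and mode.
    The defaults are assumptions for rules that do not set GROUP or MODE."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match, group, mode = {}, default_group, default_mode
        for key, op, val in TOKEN.findall(line):
            if op in ("==", "!="):
                match[key] = (op, val)      # match condition
            elif key == "GROUP":
                group = val                 # assignment
            elif key == "MODE":
                mode = int(val, 8)          # assignment, octal string
        rules.append({"match": match, "group": group, "mode": mode})
    return rules

def access(rule, user_groups):
    """Access for a non-root user from permission bits alone (no ACLs).
    Group bits apply if the user is in the node's group, else 'other' bits."""
    bits = (rule["mode"] >> 3) & 7 if rule["group"] in user_groups else rule["mode"] & 7
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-")

def summarize(text, user_groups):
    """Map each rule's SUBSYSTEM to the access a user in user_groups gets."""
    return {r["match"]["SUBSYSTEM"][1]: access(r, user_groups)
            for r in parse_rules(text)}
```

Neither function takes a session type as input: the result for a user in "audio" or "plugdev" is the same over ssh as at the console, whereas 0664 gives every account read access and nobody outside root write access.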