LinuxQuestions.org


crxssi 01-25-2007 09:58 PM

raw1394 permissions
 
I am having a problem in that the /dev/raw1394 device is being set up with the most restrictive possible permissions:

crw------- 1 root root 171, 0 Jan 13 12:50 /dev/raw1394

It doesn't make sense for such a device to be owned by root, group root. 90% of the time, such a device is used by video cameras, with the balance being external hard drives. "root" as the group is inappropriate, it should probably be "video" or "disk" with 660. Even full access to sda is much less restrictive:

brw-rw---- 1 root disk 8, 0 Jan 22 19:07 /dev/sda

I checked the rules for the device, for Mandriva 2007.0 (this distro) it seems to be in "50-mdk.rules":

KERNEL=="raw1394", NAME="%k", GROUP="video"

Unless I am reading it wrong, it should be group video, which makes sense. Looks about the same as sd*:

KERNEL=="sd*", NAME="%k", GROUP="disk",

What am I missing? I even tried to just open the device modes by adding

, MODE="0660"

and restarted udev with no change to the modes. :(

tredegar 01-27-2007 08:14 AM

From my 40-permissions.rules (kubuntu6.06.1):

Code:

# IEEE1394 (firewire) devices
# Please note that raw1394 gives unrestricted, raw access to every single
# device on the bus and those devices may do anything as root on your system.
# Yes, I know it also happens to be the only way to rewind your video camera,
# but it's not going to be group "video", okay?
KERNEL=="raw1394",                      GROUP="disk"
KERNEL=="dv1394*",                      GROUP="video"
KERNEL=="video1394*",                  GROUP="video"

If you really want to change this default behaviour, you may have to make changes to several of your *.rules files. Find which ones with
grep raw1394 /etc/udev/rules.d/*.rules

crxssi 01-27-2007 10:23 AM

I had already done that. There was no other rule that involved raw1394. But, I had some time today, and solved it.....

This is a long posting because hopefully some other people will find this information useful, even if they don't have my particular problem. If nothing else, the troubleshooting technique should be educational...

Problem: permissions and ownership of /dev/raw1394 on the thin clients at work running Mandriva 2007.0. The device is being set up with the most restrictive possible permissions:

crw------- 1 root root 171, 0 Jan 13 12:50 /dev/raw1394

To me, that doesn't make sense for such a device to be owned by root, group root with read/write to owner only. It should be group "video" and 660, minimally. So I started looking at udev. Recursive grepping (grep -R) of /etc/udev uncovered the udev rule file of 50-mdk.rules. Inside is:

KERNEL=="raw1394", NAME="%k", GROUP="video"

Well, that is correct, we want the device to be group video, although there is no mention of permissions (modes) on the file, so I assumed there was a default when not specified. But since it was not group video, I assumed that either something was broken, or something else, other than udev was involved. Adding , MODE="0660" to the rule didn't help.

Then I got a little information I didn't know: on other people's systems, logging in through KDE, the device was still the wrong group and 660, but it belonged to the user that logged in. Hmm. This might explain why I couldn't find any other people with my problem... we don't log into thin clients! So I widened my search with "grep -R raw1394 /etc" and found this:

security/console.perms.d/50-default.perms:<raw1394>=/dev/raw1394
security/console.perms.d/50-default.perms:<console> 0600 <raw1394> 0600 root

The description of /etc/security/console.perms is: "This file determines the permissions that will be given to privileged users of the console at login time, and the permissions to which to revert when the users log out. Default to 0600, root, and root, respectively"

Sound familiar? Those are the exact, restrictive permissions being applied to raw1394! I wanted to learn more... "man console.perms" shows this subsystem is being run by PAM (the pluggable authentication modules) every time someone logs in or out of the console. In this way, certain devices can remain "secure" when nobody is logged in, and still be changed to belong to the user that logs in. I used rpmdrake and verified that this whole /etc/security thing primarily is part of PAM.

So I changed:
<console> 0600 <raw1394> 0600 root
to read:
<console> 0660 <raw1394> 0660 root.video

And tried logging in and out to see the effects and it worked! Since I tested at home and had no other network system powered up, I tested to see what the permissions were when logged out by a simple:

at now + 1 min
ls -l /dev/raw1394 > /tmp/perm
^D

Then logged out and waited a min and looked at the contents of the file, sure enough, it works as expected both logged in and while logged out.
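
An added example, not part of the original posts: a small POSIX shell check that reads the two sources discussed in this thread, the udev rule and the pam_console console.perms entries, and reports what each one assigns to the device, so a mismatch like the one above is visible without logging in and out. The sample inputs are constructed from the lines quoted in the thread; the function names are hypothetical, and only `<console>` rules and exact `KERNEL==` names are handled.

```shell
#!/bin/sh
# Constructed sample inputs: the udev rule and console.perms lines quoted in the thread.
UDEV_SAMPLE='KERNEL=="raw1394", NAME="%k", GROUP="video"'
PERMS_SAMPLE='<raw1394>=/dev/raw1394
<console> 0600 <raw1394> 0600 root'

# udev_group_for NAME: udev rules on stdin; print the GROUP set for KERNEL=="NAME"
# (exact names only; glob rules such as KERNEL=="sd*" are not matched).
udev_group_for() {
    sed -n "/KERNEL==\"$1\"/s/.*GROUP=\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# console_perms_for DEVICE: console.perms text on stdin; print
# "login-mode revert-mode revert-owner revert-group" for each <console> rule
# whose device class lists DEVICE (class paths may be shell globs).
console_perms_for() {
    dev=$1
    text=$(cat)
    classes=" "
    # Pass 1: class definitions, "<name>=path [path ...]".
    while IFS= read -r line; do
        case $line in
            '<'*'>='*)
                set -f                      # split the path list without expanding globs
                for pat in ${line#*=}; do
                    case $dev in $pat) classes="$classes${line%%=*} " ;; esac
                done
                set +f ;;
        esac
    done <<EOF
$text
EOF
    # Pass 2: "<console> mode <class> revert-mode revert-owner[.group]".
    while read -r who mode class rmode rowner rest; do
        [ "$who" = "<console>" ] || continue
        case $classes in *" $class "*) ;; *) continue ;; esac
        owner=${rowner:-root}; group=root   # defaults: 0600, root, root
        case $owner in *.*) group=${owner#*.}; owner=${owner%%.*} ;; esac
        echo "$mode ${rmode:-0600} $owner $group"
    done <<EOF
$text
EOF
}

echo "udev group:  $(printf '%s\n' "$UDEV_SAMPLE" | udev_group_for raw1394)"
echo "pam_console: $(printf '%s\n' "$PERMS_SAMPLE" | console_perms_for /dev/raw1394)"
```

On a real system, pipe the files under /etc/udev/rules.d/ and /etc/security/console.perms.d/ into the two functions instead of the samples.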

tredegar 01-27-2007 11:10 AM

Interesting, thanks for the update.

crxssi 03-17-2010 04:00 PM

Ug. Well, we upgraded our thin clients to Mandriva 2009.1 and the problem is still there, unfixed.

My instructions, above, are still valid, except the file to edit is now:

/etc/security/console.perms.d/50-mandriva.perms


All times are GMT -5.