01-25-2007, 09:58 PM
#1
Member
Registered: Apr 2005
Location: USA
Distribution: Mageia
Posts: 84
raw1394 permissions
I am having a problem in that the /dev/raw1394 device is being set up with the most restrictive possible permissions:
crw------- 1 root root 171, 0 Jan 13 12:50 /dev/raw1394
It doesn't make sense for such a device to be owned by root, group root. 90% of the time, such a device is used by video cameras, with the balance being external hard drives. "root" as the group is inappropriate, it should probably be "video" or "disk" with 660. Even full access to sda is much less restrictive:
brw-rw---- 1 root disk 8, 0 Jan 22 19:07 /dev/sda
I checked the rules for the device, for Mandriva 2007.0 (this distro) it seems to be in "50-mdk.rules":
KERNEL=="raw1394", NAME="%k", GROUP="video"
Unless I am reading it wrong, it should be group video, which makes sense. Looks about the same as sd*:
KERNEL=="sd*", NAME="%k", GROUP="disk",
What am I missing? I even tried to just open the device modes by adding
, MODE="0660"
and restarted udev with no change to the modes. 
01-27-2007, 08:14 AM
#2
Guru
Registered: May 2003
Location: London, UK
Distribution: Ubuntu 10.04, mostly
Posts: 6,002
From my 40-permissions.rules (kubuntu6.06.1):
Code:
# IEEE1394 (firewire) devices
# Please note that raw1394 gives unrestricted, raw access to every single
# device on the bus and those devices may do anything as root on your system.
# Yes, I know it also happens to be the only way to rewind your video camera,
# but it's not going to be group "video", okay?
KERNEL=="raw1394", GROUP="disk"
KERNEL=="dv1394*", GROUP="video"
KERNEL=="video1394*", GROUP="video"
If you really want to change this default behaviour, you may have to make changes to several of your *.rules files. Find which ones with
grep raw1394 /etc/udev/rules.d/*.rules
01-27-2007, 10:23 AM
#3
Member
Registered: Apr 2005
Location: USA
Distribution: Mageia
Posts: 84
Original Poster
I had already done that. There was no other rule that involved raw1394. But, I had some time today, and solved it.....
This is a long posting because hopefully some other people will find this information useful, even if they don't have my particular problem. If nothing else, the troubleshooting technique should be educational...
Problem: permissions and ownership of /dev/raw1394 on the thin clients at work running Mandriva 2007.0. The device is being set up with the most restrictive possible permissions:
crw------- 1 root root 171, 0 Jan 13 12:50 /dev/raw1394
To me, it doesn't make sense for such a device to be owned by root, group root, with read/write for the owner only. It should be group "video" and 660, minimally. So I started looking at udev. Recursive grepping (grep -R) of /etc/udev uncovered the udev rules file 50-mdk.rules. Inside is:
KERNEL=="raw1394", NAME="%k", GROUP="video"
Well, that is correct, we want the device to be group video, although there is no mention of permissions (modes) on the file, so I assumed there was a default when not specified. But since it was not group video, I assumed that either something was broken, or something else, other than udev, was involved. Adding , MODE="0660" to the rule didn't help.
Then I got a little information I didn't know: on other people's systems, logging in through KDE, the device was still the wrong group and 660, but it belonged to the user that logged in. Hmm. This might explain why I couldn't find any other people with my problem... we don't log into thin clients! So I widened my search with "grep -R raw1394 /etc" and found this:
security/console.perms.d/50-default.perms:<raw1394>=/dev/raw1394
security/console.perms.d/50-default.perms:<console> 0600 <raw1394> 0600 root
The description of /etc/security/console.perms is: "This file determines the permissions that will be given to privileged users of the console at login time, and the permissions to which to revert when the users log out. Default to 0600, root, and root, respectively."
Sound familiar? Those are the exact, restrictive permissions being applied to raw1394! I wanted to learn more... "man console.perms" shows this subsystem is being run by PAM (the pluggable authentication modules) every time someone logs in or out of the console. In this way, certain devices can remain "secure" when nobody is logged in, and still be changed to belong to the user that logs in. I used rpmdrake and verified that this whole /etc/security thing primarily is part of PAM.
So I changed:
<console> 0600 <raw1394> 0600 root
to read
<console> 0660 <raw1394> 0660 root.video
And tried logging in and out to see the effects and it worked! Since I tested at home and had no other network system powered up, I tested to see what the permissions were when logged out by a simple:
at now + 1 min
ls -l /dev/raw1394 > /tmp/perm
^D
Then logged out and waited a min and looked at the contents of the file, sure enough, it works as expected both logged in and while logged out.
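The effect of the console.perms edit described in the post above, as an added example that is not part of the original thread: a small Python parser for the two line shapes quoted there, reporting who can open /dev/raw1394 once PAM reverts the device at logout. The field meanings follow the file description quoted in the post; the function names, the constructed sample strings and the glob matching of device lists are assumptions.

```python
import re
from fnmatch import fnmatch

# Constructed sample: the two lines the post quotes from 50-default.perms.
DEFAULT = "<raw1394>=/dev/raw1394\n<console> 0600 <raw1394> 0600 root\n"
# The same file after the edit described in the post.
EDITED = "<raw1394>=/dev/raw1394\n<console> 0660 <raw1394> 0660 root.video\n"

CLASS_DEF = re.compile(r"<(\w+)>=(.+)")
PERM = re.compile(r"<(\w+)>\s+([0-7]{3,4})\s+(\S+)\s+([0-7]{3,4})(?:\s+(\S+))?")

def parse(text):
    """Return (classes, rules) from console.perms-style text."""
    classes, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if (m := CLASS_DEF.fullmatch(line)):
            classes[m[1]] = m[2].split()
        elif (m := PERM.fullmatch(line)):
            # Owner and group both default to root when omitted, per the
            # file description quoted in the post.
            owner, _, group = (m[5] or "root").partition(".")
            rules.append({"login_mode": int(m[2], 8), "target": m[3],
                          "revert_mode": int(m[4], 8),
                          "owner": owner, "group": group or "root"})
    return classes, rules

def rules_for(text, device):
    """Rules whose target (a <class> or a literal path) covers `device`."""
    classes, rules = parse(text)
    hits = []
    for r in rules:
        t = r["target"]
        paths = classes.get(t[1:-1], []) if t.startswith("<") else [t]
        # Assumption: device lists may hold shell globs, matched with fnmatch.
        if any(fnmatch(device, p) for p in paths):
            hits.append(r)
    return hits

def logged_out_access(rule):
    """Who can open the device once PAM reverts it at logout."""
    who = [f"user {rule['owner']}"]
    if rule["revert_mode"] & 0o060:
        who.append(f"group {rule['group']}")
    if rule["revert_mode"] & 0o006:
        who.append("everyone")
    return who

if __name__ == "__main__":
    for name, text in (("default", DEFAULT), ("edited", EDITED)):
        for r in rules_for(text, "/dev/raw1394"):
            print(name, oct(r["revert_mode"]), logged_out_access(r))
```

On the edited file the logged-out result includes group video, which is the widening that the Kubuntu rules comment quoted earlier in the thread argues against.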
01-27-2007, 11:10 AM
#4
Guru
Registered: May 2003
Location: London, UK
Distribution: Ubuntu 10.04, mostly
Posts: 6,002
Interesting, thanks for the update.
03-17-2010, 04:00 PM
#5
Member
Registered: Apr 2005
Location: USA
Distribution: Mageia
Posts: 84
Original Poster
Ug. Well, we upgraded our thin clients to Mandriva 2009.1 and the problem is still there, unfixed.
My instructions, above, are still valid, except the file to edit is now:
/etc/security/console.perms.d/50-mandriva.perms