LinuxQuestions.org
Old 01-25-2007, 09:58 PM   #1
crxssi
Member
 
Registered: Apr 2005
Location: USA
Distribution: Mageia
Posts: 84

Rep: Reputation: 15
raw1394 permissions


I am having a problem in that the /dev/raw1394 device is being set up with the most restrictive permissions possible:

crw------- 1 root root 171, 0 Jan 13 12:50 /dev/raw1394

It doesn't make sense for such a device to be owned by root, group root. 90% of the time, such a device is used by video cameras, with the balance being external hard drives. "root" as the group is inappropriate, it should probably be "video" or "disk" with 660. Even full access to sda is much less restrictive:

brw-rw---- 1 root disk 8, 0 Jan 22 19:07 /dev/sda

I checked the rules for the device, for Mandriva 2007.0 (this distro) it seems to be in "50-mdk.rules":

KERNEL=="raw1394", NAME="%k", GROUP="video"

Unless I am reading it wrong, it should be group video, which makes sense. Looks about the same as sd*:

KERNEL=="sd*", NAME="%k", GROUP="disk",

What am I missing? I even tried to just open the device modes by adding

, MODE="0660"

and restarted udev with no change to the modes.
 
Old 01-27-2007, 08:14 AM   #2
tredegar
Guru
 
Registered: May 2003
Location: London, UK
Distribution: Ubuntu 10.04, mostly
Posts: 6,007

Rep: Reputation: 366
From my 40-permissions.rules (kubuntu6.06.1):

Code:
# IEEE1394 (firewire) devices
# Please note that raw1394 gives unrestricted, raw access to every single
# device on the bus and those devices may do anything as root on your system.
# Yes, I know it also happens to be the only way to rewind your video camera,
# but it's not going to be group "video", okay?
KERNEL=="raw1394",                      GROUP="disk"
KERNEL=="dv1394*",                      GROUP="video"
KERNEL=="video1394*",                   GROUP="video"

If you really want to change this default behaviour, you may have to make changes to several of your *.rules files. Find which ones with:

grep raw1394 /etc/udev/rules.d/*.rules
 
Old 01-27-2007, 10:23 AM   #3
crxssi
Member
 
Registered: Apr 2005
Location: USA
Distribution: Mageia
Posts: 84

Original Poster
Rep: Reputation: 15
I had already done that. There was no other rule that involved raw1394. But, I had some time today, and solved it.....

This is a long posting because hopefully some other people will find this information useful, even if they don't have my particular problem. If nothing else, the troubleshooting technique should be educational...

Problem: permissions and ownership of /dev/raw1394 on the thin clients at work running Mandriva 2007.0. The device is being set up with the most restrictive permissions possible:

crw------- 1 root root 171, 0 Jan 13 12:50 /dev/raw1394

To me, that doesn't make sense for such a device to be owned by root, group root with read/write to owner only. It should be group "video" and 660, minimally. So I started looking at udev. Recursive grepping (grep -R) of /etc/udev uncovered the udev rule file of 50-mdk.rules. Inside is:

KERNEL=="raw1394", NAME="%k", GROUP="video"

Well, that is correct, we want the device to be group video, although there is no mention of permissions (modes) on the file, so I assumed there was a default when not specified. But since it was not group video, I assumed that either something was broken, or something else, other than udev was involved. Adding , MODE="0660" to the rule didn't help.

Then I got a little information I didn't know- on other people's systems, logging in through KDE, the device was still the wrong group and 660, but it belonged to the user that logged in. Hmm. This might explain why I couldn't find any other people with my problem... we don't log into thin clients! So I widened my search with "grep -R raw1394 /etc" and found this:

security/console.perms.d/50-default.perms:<raw1394>=/dev/raw1394
security/console.perms.d/50-default.perms:<console> 0600 <raw1394> 0600 root

The description of /etc/security/console.perms is: "This file determines the permissions that will be given to privileged users of the console at login time, and the permissions to which to revert when the users log out. Default to 0600, root, and root, respectively"

Sound familiar? Those are the exact, restrictive permissions being applied to raw1394! I wanted to learn more... "man console.perms" shows this subsystem is being run by PAM (the pluggable authentication modules) every time someone logs in or out of the console. In this way, certain devices can remain "secure" when nobody is logged in, and still be changed to belong to the user that logs in. I used rpmdrake and verified that this whole /etc/security thing primarily is part of PAM.

So I changed:

<console> 0600 <raw1394> 0600 root

to read:

<console> 0660 <raw1394> 0660 root.video

And tried logging in and out to see the effects and it worked! Since I tested at home and had no other network system powered up, I tested to see what the permissions were when logged out by a simple:

at now + 1 min
ls -l /dev/raw1394 > /tmp/perm
^D

Then logged out and waited a min and looked at the contents of the file, sure enough, it works as expected both logged in and while logged out.
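
Added example, not part of the post above: a small shell check that resolves which console.perms rule applies to a device node and whether the group it reverts to at logout matches the group the udev rule assigns. The function names are hypothetical, the sample file is constructed from the two lines quoted in the thread, and class members are matched literally (no glob expansion).

```shell
#!/bin/sh
# Line format, as shown in the thread:
#   <class>=path [path ...]
#   <console> login-mode <class> logout-mode logout-owner[.group]

# console_perms_for DEVICE FILE...
# Prints "login-mode logout-mode owner[.group]" for the last matching rule;
# returns non-zero when no rule covers DEVICE.
console_perms_for() {
    dev=$1; shift
    awk -v dev="$dev" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        /^<[^>]+>=/ {                           # class definition
            split($0, kv, "=")
            n = split(kv[2], paths, " ")
            for (i = 1; i <= n; i++) if (paths[i] == dev) member[kv[1]] = 1
            next
        }
        $1 == "<console>" && NF >= 5 && ($3 in member) { hit = $2 " " $4 " " $5 }
        END { if (hit == "") exit 1; print hit }
    ' "$@"
}

# check_device DEVICE UDEV_GROUP FILE...
# Compares the group udev assigns with the group the node reverts to at logout.
check_device() {
    dev=$1; want=$2; shift 2
    rule=$(console_perms_for "$dev" "$@") || { echo "no-rule"; return 0; }
    owner=${rule##* }                           # last field: owner[.group]
    case $owner in
        *.*) group=${owner#*.} ;;
        *)   group=root ;;                      # default quoted in the thread: 0600, root, root
    esac
    if [ "$group" = "$want" ]; then echo "consistent $rule"
    else echo "override $rule"; fi
}

# Constructed sample: the two lines quoted from 50-default.perms.
sample=$(mktemp)
printf '%s\n' '<raw1394>=/dev/raw1394' \
              '<console> 0600 <raw1394> 0600 root' > "$sample"
check_device /dev/raw1394 video "$sample"
rm -f "$sample"
```

On a real system, pass the files under /etc/security/console.perms.d/ instead of the sample; an "override" result means the login/logout handling, not the udev rule, decides the final group on the node.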
 
Old 01-27-2007, 11:10 AM   #4
tredegar
Guru
 
Registered: May 2003
Location: London, UK
Distribution: Ubuntu 10.04, mostly
Posts: 6,007

Rep: Reputation: 366
Interesting, thanks for the update.
 
Old 03-17-2010, 04:00 PM   #5
crxssi
Member
 
Registered: Apr 2005
Location: USA
Distribution: Mageia
Posts: 84

Original Poster
Rep: Reputation: 15
Ug. Well, we upgraded our thin clients to Mandriva 2009.1 and the problem is still there, unfixed.

My instructions, above, are still valid, except the file to edit is now:

/etc/security/console.perms.d/50-mandriva.perms
 
  

