
gearoid_murphy 08-15-2009 07:35 AM

using pam to override file access restrictions
Hello, I'm using a USB communication lib which needs read/write access to devices in /dev/bus/usb/.

I can do this in root but I'd much rather not. Is anyone aware of any way of using pam to override access to specific files? I'm grasping at straws, I know, but I can't think of any other approach to this problem.

Some additional info about the file:
"crw-rw-r-- 1 root root 189, 2 2009-08-15 13:14 /dev/bus/usb/001/003"

Any help would be appreciated, thanks.

unSpawn 08-16-2009 09:18 AM

See /etc/security/console.perms as in 'man 8 pam_console'? Else a HAL/Udev/whateverElseInUseTheseDays rule?

gearoid_murphy 08-17-2009 10:44 AM

unSpawn, that's an interesting solution but pam_console isn't on my system. I can't even find it with an "apt-file search", and that contains a complete map of files in a Debian repository. It probably seems like there's something equivalent floating around so I'll dig a little deeper. Out of curiosity, have you ever got a working example of this kind of configuration? Even an obsolete configuration would be useful. Cheers.

gearoid_murphy 08-17-2009 10:46 AM

Also, I should mention that I've solved the problem of accessing the device in a non-root shell by using a different library, routing through the /dev/ttyUSB0 interface; it's an FTDI USB device. That said, I'd still like to expose the functionality in the systems you've mentioned.

unSpawn 08-17-2009 11:11 AM

Spanning 4 years the bug #166718 discussion might help explain what issues Debian saw with pam_console and elected to use pam_foreground instead. What pam_console basically does is chown files (remember everything is a file) to the user logging in for the duration of that session. If you have pam_foreground it should be in /etc/pam.d/common-session.
* I don't know what package pam_foreground is in and I do wonder if you should instead use PolicyKit/ConsoleKit...

gearoid_murphy 08-18-2009 05:36 PM

I installed pam_foreground; it's stored under libpam-foreground in apt. Now, when I log in, there's a file called /var/run/console/gmurphy:1 which a program called check-foreground-console checks when evaluating my console ownership status (I think). This is all pretty interesting, unSpawn, but I can't see a route towards overriding permissions on specific files using this approach. The documentation is very sparse; would you be able to advise on how I should proceed?

unSpawn 08-19-2009 03:05 AM

I've had a look at Debian libpam.* packages to see if there's a pam_console equivalent and I can't find it. Since you have a basic idea of what pam_console does and what you want I'd suggest you proceed by creating a new PAM/Hal/Udev/Policykit-related thread in the Debian forum. Sorry I couldn't be of more help.

gearoid_murphy 08-26-2009 03:43 AM

Update: pam could provide a route to the solution if I explicitly set up a service (usb_read, for example) in pam.d. Using the pam API I could patch into this service, authenticate and get access to the files in question, either through changing my UID or creating a pam proxy which did the file access for me; a lot of work really. As it turns out, a simple init script which chowns and chgrps the proc files I need to access will work just fine as well.
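
The udev route mentioned earlier in the thread, written out as an added example that is not part of the original posts: a rule that gives one dedicated group read/write access to the device nodes instead of running the program as root. The file name, the group name `usbcomm` and the USB IDs (the common FTDI FT232 defaults) are assumptions; the syntax is that of current udev.

```conf
# /etc/udev/rules.d/70-ftdi-usb.rules   (file name is an assumption)
#
# Constructed example. Vendor 0403 / product 6001 are the usual FTDI FT232
# defaults and are assumed here; confirm the real IDs with `lsusb`.
# "usbcomm" is a hypothetical group created for this purpose.

# Raw USB node under /dev/bus/usb/BBB/DDD, opened by libusb-style libraries.
# Default ownership is root:root with mode 0664 (crw-rw-r--), so other users
# can read but not write; this narrows "other" to nothing and grants the
# group read/write.
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="0403", ATTR{idProduct}=="6001", GROUP="usbcomm", MODE="0660"

# Serial interface created by the kernel driver (/dev/ttyUSB*), matched
# through the parent USB device's attributes.
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", GROUP="usbcomm", MODE="0660"
```

After installing the file, run `udevadm control --reload-rules` and replug the device, then add only the accounts that need it to the group. Because udev recreates the node (with a new device number) on every plug, the rule is reapplied each time, whereas a chown done once from an init script is lost when the device is re-enumerated.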

All times are GMT -5.