using pam to override file access restrictions
Hello, I'm using a USB communication lib which needs read/write access to devices in /dev/bus/usb/.
I can do this as root but I'd much rather not. Is anyone aware of any way of using PAM to override access to specific files? I'm grasping at straws, I know, but I can't think of any other approach to this problem. Some additional info about the file: "crw-rw-r-- 1 root root 189, 2 2009-08-15 13:14 /dev/bus/usb/001/003". Any help would be appreciated, thanks.
|
See /etc/security/console.perms as in 'man 8 pam_console'? Else a HAL/Udev/whateverElseInUseTheseDays rule?
|
unSpawn, that's an interesting solution but pam_console isn't on my system. I can't even find it with an "apt-file search", and that contains a complete map of files in a Debian repository. It probably seems like there's something equivalent floating around so I'll dig a little deeper. Out of curiosity, have you ever got a working example of this kind of configuration? Even an obsolete configuration would be useful. Cheers.
|
Also, I should mention that I've solved the problem of accessing the device in a non-root shell by using a different library, routing through the /dev/ttyUSB0 interface; it's an FTDI USB device. That said, I'd still like to expose the functionality in the systems you've mentioned.
|
Spanning 4 years the bug #166718 discussion might help explain what issues Debian saw with pam_console and elected to use pam_foreground instead. What pam_console basically does is chown files (remember everything is a file) to the user logging in for the duration of that session. If you have pam_foreground it should be in /etc/pam.d/common-session.
* I don't know what package pam_foreground is in and I do wonder if you should instead use PolicyKit/ConsoleKit... |
I installed pam_foreground; it's stored under libpam-foreground in apt. Now, when I log in, there's a file called /var/run/console/gmurphy:1 which a program called check-foreground-console checks when evaluating my console ownership status (I think). This is all pretty interesting, unSpawn, but I can't see a route towards overriding permissions on specific files using this approach. The documentation is very sparse; would you be able to advise on how I should proceed?
|
I've had a look at Debian libpam.* packages to see if there's a pam_console equivalent and I can't find it. Since you have a basic idea of what pam_console does and what you want I'd suggest you proceed by creating a new PAM/Hal/Udev/Policykit-related thread in the Debian forum. Sorry I couldn't be of more help.
|
Update: PAM could provide a route to the solution if I explicitly set up a service (usb_read, for example) in pam.d. Using the PAM API I could patch into this service, authenticate and get access to the files in question either through changing my UID or creating a PAM proxy which did the file access for me. A lot of work really. As it turns out, a simple init script which chowns and chgrps the proc files I need to access will work just fine as well.
|
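Added example, not code from any poster in this thread: the udev-rule route suggested above, as a shell helper that emits a rule for one USB device model and then checks the resulting node. udev applies the rule each time the node is created, whereas an init-script chown runs once at boot. The group `usbcomm`, the rules file name and the 0403:6001 ID pair are assumptions; read the real IDs from `lsusb`.

```shell
#!/bin/sh
# Added example (not from the thread). Group name, file name and IDs below
# are assumptions for illustration.

# usb_access_rule VENDOR PRODUCT GROUP
# Print a udev rule giving GROUP read/write access to one USB device model.
# IDs must be 4 lowercase hex digits, as printed by lsusb. Returns 1 on any
# input that does not fit, so nothing unexpected lands in the rules file.
usb_access_rule() {
    for id in "$1" "$2"; do
        [ "${#id}" -eq 4 ] || return 1
        case $id in *[!0-9a-f]*) return 1 ;; esac
    done
    case $3 in ''|-*|*[!a-z0-9_-]*) return 1 ;; esac
    # MODE 0660: owner and group only. The node quoted in the thread was
    # 0664 root:root, i.e. readable by everyone and writable by root only.
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", GROUP="%s", MODE="0660"\n' \
        "$1" "$2" "$3"
}

# node_mode_ok PATH GROUP
# Return 0 if PATH belongs to GROUP and grants no access to "other".
# Uses GNU stat (coreutils).
node_mode_ok() {
    info=$(stat -c '%a %G' -- "$1") || return 1
    mode=${info%% *}
    grp=${info#* }
    [ "$grp" = "$2" ] || return 1
    case $mode in
        *0) return 0 ;;   # last octal digit is the "other" permission set
        *)  return 1 ;;
    esac
}

# Typical use, as root:
#   usb_access_rule 0403 6001 usbcomm > /etc/udev/rules.d/99-usb-access.rules
#   udevadm control --reload-rules && udevadm trigger
#   node_mode_ok /dev/bus/usb/001/003 usbcomm && echo "node restricted to usbcomm"
```

Only users added to the chosen group gain access, and only to the matching device model rather than to every node under /dev/bus/usb/.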