LinuxQuestions.org
Old 08-15-2009, 07:35 AM   #1
gearoid_murphy
Member
 
Registered: Mar 2006
Location: Ireland
Distribution: Debian Etch
Posts: 72

using pam to override file access restrictions


Hello, I'm using a USB communication lib which needs read/write access to devices in /dev/bus/usb/.

I can do this in root but I'd much rather not. Is anyone aware of any way of using PAM to override access to specific files? I'm grasping at straws, I know, but I can't think of any other approach to this problem.

Some additional info about the file:
"crw-rw-r-- 1 root root 189, 2 2009-08-15 13:14 /dev/bus/usb/001/003"

Any help would be appreciated, thanks.
 
Old 08-16-2009, 09:18 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,539
Blog Entries: 51

See /etc/security/console.perms as in 'man 8 pam_console'? Else a HAL/Udev/whateverElseInUseTheseDays rule?
 
Old 08-17-2009, 10:44 AM   #3
gearoid_murphy
Member
 
Registered: Mar 2006
Location: Ireland
Distribution: Debian Etch
Posts: 72

Original Poster
unSpawn, that's an interesting solution but pam_console isn't on my system. I can't even find it with an "apt-file search", and that contains a complete map of files in a Debian repository. It probably seems like there's something equivalent floating around so I'll dig a little deeper. Out of curiosity, have you ever got a working example of this kind of configuration? Even an obsolete configuration would be useful. Cheers.
 
Old 08-17-2009, 10:46 AM   #4
gearoid_murphy
Member
 
Registered: Mar 2006
Location: Ireland
Distribution: Debian Etch
Posts: 72

Original Poster
Also, I should mention that I've solved the problem of accessing the device in a non-root shell by using a different library, routing through the /dev/ttyUSB0 interface; it's an FTDI USB device. That said, I'd still like to expose the functionality in the systems you've mentioned.
 
Old 08-17-2009, 11:11 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,539
Blog Entries: 51

Spanning 4 years the bug #166718 discussion might help explain what issues Debian saw with pam_console and elected to use pam_foreground instead. What pam_console basically does is chown files (remember everything is a file) to the user logging in for the duration of that session. If you have pam_foreground it should be in /etc/pam.d/common-session.
* I don't know what package pam_foreground is in and I do wonder if you should instead use PolicyKit/ConsoleKit...
 
Old 08-18-2009, 05:36 PM   #6
gearoid_murphy
Member
 
Registered: Mar 2006
Location: Ireland
Distribution: Debian Etch
Posts: 72

Original Poster
I installed pam_foreground; it's stored under libpam-foreground in apt. Now, when I log in, there's a file called /var/run/console/gmurphy:1 which a program called check-foreground-console checks when evaluating my console ownership status (I think). This is all pretty interesting, unSpawn, but I can't see a route towards overriding permissions on specific files using this approach. The documentation is very sparse; would you be able to advise on how I should proceed?
 
Old 08-19-2009, 03:05 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,539
Blog Entries: 51

I've had a look at Debian libpam.* packages to see if there's a pam_console equivalent and I can't find it. Since you have a basic idea of what pam_console does and what you want I'd suggest you proceed by creating a new PAM/Hal/Udev/Policykit-related thread in the Debian forum. Sorry I couldn't be of more help.
 
Old 08-26-2009, 03:43 AM   #8
gearoid_murphy
Member
 
Registered: Mar 2006
Location: Ireland
Distribution: Debian Etch
Posts: 72

Original Poster
Update: PAM could provide a route to the solution if I explicitly set up a service (usb_read, for example) in pam.d. Using the PAM API I could patch into this service, authenticate and get access to the files in question, either through changing my UID or creating a PAM proxy which did the file access for me. A lot of work, really. As it turns out, a simple init script which chowns and chgrps the proc files I need to access will work just fine as well.
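
Added example, not part of any post in this thread: the first function shows why the listing in post #1 leaves a non-root user with read-only access, and the second generates a udev rule of the kind suggested in post #2 that grants a dedicated group read/write instead. The group name usbcomm, the IDs 0403:6001 and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Constructed inputs: group "usbcomm" and IDs 0403:6001 are
# illustrative assumptions, not values taken from the thread.

# Report the access USER gets to a node from its ls -l fields: rw, r, w or none.
# Follows the owner -> group -> other selection order; root's bypass is not modelled.
access_for() {  # access_for MODESTR OWNER GROUP USER "USER_GROUPS"
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    if [ "$user" = "$owner" ]; then
        cols=2-3
    else
        case " $ugroups " in
            *" $group "*) cols=5-6 ;;
            *) cols=8-9 ;;
        esac
    fi
    case $(printf %s "$mode" | cut -c"$cols") in
        rw) echo rw ;; r-) echo r ;; -w) echo w ;; *) echo none ;;
    esac
}

# Emit a udev rule giving one USB device (by vendor/product ID) to a group, mode 0660.
# IDs must be 4 hex digits and the group a plain name, so no stray quotes or
# extra keys can end up in the generated rule.
make_usb_rule() {  # make_usb_rule VENDOR PRODUCT GROUP
    h='[0-9a-fA-F]'
    for id in "$1" "$2"; do
        case $id in $h$h$h$h) ;; *) return 1 ;; esac
    done
    case $3 in ''|*[!a-z0-9_-]*) return 1 ;; esac
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", GROUP="%s", MODE="0660"\n' "$1" "$2" "$3"
}

# The node from post #1: a non-root user falls through to the "other" bits (r--).
echo "before: $(access_for crw-rw-r-- root root gmurphy 'gmurphy')"
# Node owned by the group, user added to it: the group bits (rw-) apply.
echo "after:  $(access_for crw-rw---- root usbcomm gmurphy 'gmurphy usbcomm')"
make_usb_rule 0403 6001 usbcomm
```

The printed rule would go in a file under /etc/udev/rules.d/; unlike a boot-time chown it is reapplied each time the device node is created, for example after a re-plug.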
 
  

