Not an expert, but I don't think it would be proper for an application to change the ownership, group ownership, permissions or ACLs on a device node, if that is what you are thinking of doing. You didn't indicate this, however.
I tried looking for policies covering tape devices, and looked in /etc/udev/rules.d/60-persistent-storage-tape.rules for clues. Some distros may use PolicyKit to allow a regular user matching certain criteria to read and write to the /dev/st0 or /dev/nst0 devices. PolicyKit grants access by using facls.
For example:
Code:
ls -ld /dev/dsp
crw-rw----+ 1 root audio 14, 3 Dec 6 07:35 /dev/dsp
jschiwal@hpmedia:/etc/udev/rules.d> getfacl /dev/dsp
getfacl: Removing leading '/' from absolute path names
# file: dev/dsp
# owner: root
# group: audio
user::rw-
user:jschiwal:rw-
group::rw-
mask::rw-
other::---
A service could start out as root and then demote its own permissions. I think that "disk" group membership would allow writing to the tape device, but it would also allow writing to any disk.
If this application is a GUI app, you might want to split it into a GUI client running as the user and a service daemon running as root, or disk or your system group you mentioned. One technique is to start out as root and then demote oneself as soon as possible. You could spawn a process of your "system user" and keep the old process running as root, to be able to send control commands to the tape device.
If your application is a backup program, and needs to back up root-only readable files, then it will probably need to be run as root.
Perhaps study how Amanda or a similar program works. There is an Amanda user and it uses the disk group.
Quote:
Originally Posted by file:///usr/share/doc/howto/en/html/Linux-Complete-Backup-and-Recovery-HOWTO/overview.html
Amanda does require setting ownership by hand if you back up the amanda data directory with save.metadata. Something like:
bash# chown -R amanda:disk /var/lib/amanda
Sorry, I can't be of more help. Good Luck!
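The "start out as root, then demote" technique mentioned in the post, as an added example that is not part of the original post or of any program it names: the device is opened while the process is still root, then supplementary groups, gid and uid are dropped in that order and the drop is verified. The function names and the 1001:1001 account are assumptions; /dev/nst0 is the device from the post.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() in <grp.h> on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to an unprivileged uid/gid. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                  /* "dropping" to root is not a drop */
    /* Order matters: clear supplementary groups and set the gid first,
       because once the uid is no longer 0 the groups cannot be changed. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                  /* would otherwise keep e.g. "disk" */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify: root must not be regainable and all ids must match. */
    if (setuid(0) == 0 || setgid(0) == 0 || getuid() != uid ||
        geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Open the device while still root, then drop; the descriptor stays usable.
   On -1 the caller should exit rather than continue with unknown privileges. */
int open_then_drop(const char *dev, uid_t uid, gid_t gid)
{
    int fd = open(dev, O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Assumed values: 1001:1001 stands in for the application's system account. */
    int fd = open_then_drop("/dev/nst0", 1001, 1001);
    if (fd < 0) { perror("open_then_drop"); return 1; }
    printf("tape open on fd %d, now running as uid %d\n", fd, (int)getuid());
    return close(fd);
}
```

With this layout the device node keeps its root-owned permissions and no ACL or "disk" group membership is needed for the unprivileged part of the program.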