Package: ola
Version: 0.10.2-2
Tags: patch
Severity: important

When installing Debian, the initial user was traditionally made a member
of the plugdev group, and this granted access to local hardware dongles
when this user is logged in.  This approach causes problems for users
originating from directory services like LDAP and Active Directory, as
such plugdev membership can not be granted globally.  The plugdev
membership can be assigned during login (using pam_group), but still
this approach is problematic because left-behind processes keep the
group membership even when the user is no longer logged in on the
machine, allowing background processes to get access to other people's

There is an alternative to group membership for device access, using
file system ACLs, and with systemd this is the recommended default
according to the systemd maintainers.  To enable it for a given device,
the 'access' tag can be set.

Please do so for the ola udev rule, to allow the devices to work for any
console user, not only the one created during installation.  Here is a

diff --git a/debian/ola.udev b/debian/ola.udev
index 9ae7a8f..f6dc57b 100644
--- a/debian/ola.udev
+++ b/debian/ola.udev
@@ -1,30 +1,30 @@
 # udev rules for ftdi devices
-SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="0403", 
ATTRS{idProduct}=="6001", GROUP="plugdev"
+SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="0403", 
ATTRS{idProduct}=="6001", GROUP="plugdev", TAG+="uaccess"
 # udev rules for the anyma dmx device
-SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="16c0", 
ATTRS{idProduct}=="05dc", GROUP="plugdev"
+SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="16c0", 
ATTRS{idProduct}=="05dc", GROUP="plugdev", TAG+="uaccess"
 # udev rules for the usbdmx2 dmx device
-SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="0962", 
+SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="0962", 
GROUP="plugdev", TAG+="uaccess"
 # udev rules for the velleman dmx device
-SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="10cf", 
ATTRS{idProduct}=="8062", GROUP="plugdev"
+SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="10cf", 
ATTRS{idProduct}=="8062", GROUP="plugdev", TAG+="uaccess"
 # udev rules for the DMXControl Projects e.V. Nodle U1
-SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="16d0", 
ATTRS{idProduct}=="0830", GROUP="plugdev"
+SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="16d0", 
ATTRS{idProduct}=="0830", GROUP="plugdev", TAG+="uaccess"
 # udev rules for the Eurolite
-SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="04d8", 
ATTRS{idProduct}=="fa63", GROUP="plugdev" MODE="660"
+SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="04d8", 
ATTRS{idProduct}=="fa63", GROUP="plugdev" MODE="660", TAG+="uaccess"
 # udev rules file for the karate-device
 KERNEL=="ttyACM?", ATTRS{product}=="DMX2USB simple", SYMLINK+="kldmx0"
 # udev rules file for the Scanlime Fadecandy device
-SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="1d50", 
ATTRS{idProduct}=="607a", GROUP="plugdev"
+SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="1d50", 
ATTRS{idProduct}=="607a", GROUP="plugdev", TAG+="uaccess"
 # udev rules for Ja Rule
-SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="1209", 
ATTRS{idProduct}=="aced", GROUP="plugdev" MODE="660"
-SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="1209", 
ATTRS{idProduct}=="acee", GROUP="plugdev" MODE="660"
+SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="1209", 
ATTRS{idProduct}=="aced", GROUP="plugdev" MODE="660", TAG+="uaccess"
+SUBSYSTEM=="usb|usb_device", ACTION=="add", ATTRS{idVendor}=="1209", 
ATTRS{idProduct}=="acee", GROUP="plugdev" MODE="660", TAG+="uaccess"
 # udev rules for SPI
 SUBSYSTEM=="spidev", MODE="0666"
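Review bot: The usbdmx2 rule matches on ATTRS{idVendor}=="0962" alone, with no ATTRS{idProduct}, so adding TAG+="uaccess" there gives every console user ACL access to any device from that vendor, not only the DMX interface; add the product ID match if one is known, or confirm the vendor-wide match is intended. The removed line for that rule also ends after the idVendor match while the added line carries GROUP="plugdev", so check that the hunk still applies against the file. In the Eurolite and Ja Rule lines, GROUP="plugdev" MODE="660" has no comma between the two keys, unlike every other rule here; since those lines are being rewritten anyway, add the comma as part of this change.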

I suspect the plugdev/mode part can be removed, but did not suggest to
do so at this time because I am unsure how it affects non-systemd users.

Happy hacking
Petter Reinholdtsen
