Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
Hi, thanks everyone for the discussions and proposals! I've decided to fix this via a mix of the proposed solutions, see bug #665 (now closed) for details: http://sigrok.org/bugzilla/show_bug.cgi?id=665 Cheers, Uwe. -- http://hermann-uwe.de | http://randomprojects.org | http://sigrok.org -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On Sat, Dec 31, 2016 at 07:47:54AM -, Karl Palsson wrote: > > | Modern desktop systems with systemd recommend this way to give users > > | access to devices. We change permissions to sane value along the way. > > > > The change allows access to the devices by users which have > > physical access to the machine, while it prevents remote users > > from accessing the device. The Debian note reads: > > Really? Pretty sure that "uaccess" is users with access, no > matter where they are. "useat" is the special tag for local > users. > > But hey, systemd documentation, who knows where the answer really > is. Their documentation sucks indeed. Accoding to what I was able to gather, uaccess tag is eventually handled by calling udevd's builtin "uaccess" which is processed by https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-uaccess.c It seems pretty explicit about giving permissions strictly for the user that's currently active on "seat0" (or any other seat if the rules processing resulted in assigning appropriate ID_SEAT property). According to [2] "ssh logins" do not get assigned to any seat anyhow. [2] https://www.freedesktop.org/wiki/Software/systemd/multiseat/ -- Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software! mailto:fercer...@gmail.com -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
Gerhard Sittig wrote: > OpenOCD commit a5cff3acd377 adjusted their udev rules, > motivated by > https://lists.debian.org/debian-devel-announce/2016/11/msg8.html > which recommends switching from > > MODE="664", GROUP="plugdev" > > to > > MODE="660", GROUP="plugdev", TAG+="uaccess" > > The commit log (partially) reads: > > | Modern desktop systems with systemd recommend this way to give users > | access to devices. We change permissions to sane value along the way. > > The change allows access to the devices by users which have > physical access to the machine, while it prevents remote users > from accessing the device. The Debian note reads: Really? Pretty sure that "uaccess" is users with access, no matter where they are. "useat" is the special tag for local users. But hey, systemd documentation, who knows where the answer really is. signature.asc Description: OpenPGP Digital Signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On 29.12.2016 12:38, Stefan Bruens wrote: > Talking with my distribution/maintainers hat on, I am strictly against > changing the format here: > > 1. Adapting the current file to distribution needs is a sed 1-liner This is even a sed 1-liner in case of Martin's solution [0] :) [0]: https://github.com/s09bQ5/libsigrok/blob/75dab8c5/contrib/usb_device_ids.txt > 2. Don't change anything that is not broken Yes okay, if you consider the rules being examples and not set in stone. Otherwise, it's obviously broken at least for Fedora. > 3. udev rules are not as distribution specific as some people assume, > actually > the "group=plugdev" is the odd one here OK, it seems to me that the last part of that sentence is indeed an argument for distribution-specificness. Though I don't know enough about cross-distro-udev to say anything about plugdev being the only issue, if so, then the sed solution should be enough. If not, I'd rather tend to Martin's solution. > Sticking with a valid udev rules file also allows users doing manual > compilation/installation to use the file as is. > > *If* one wanted to reduce the amount of eventual changes a distributor or > user > with local install has to do, the approach done by sane and libgphoto might > be > more sensible: > > 1. Add a tag to every matched device, e.g. 'ATTR{idProduct}=="1234" > ENV{libsigrok_matched}="yes"' > 2. Set the permissions in a single rule, e.g. 'ENV{libsigrok_matched}=="yes" > GROUP="plugdev"' Ah. That sounds like a better solution to me, but distributions will still have to edit it, although not every line. - Roland -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On Thu, Dec 29, 2016 at 01:54:52AM +, Martin Ling wrote: > On Wed, Dec 28, 2016 at 11:49:50AM +0300, Paul Fertser wrote: > > > > So what libsigrok usecase on what particular OS won't be covered by > > doing all three of these: > > > > 1. plugdev group assignment > > 2. uaccess tag > > 3. ModemManager antidote? > > Apparently this wouldn't be acceptable on Fedora - they wanted uaccess > only. That was what led to the discussion in our bug #665. But here we are not talking about providing udev rules that can be distributed by Fedora in their official RPM. We are talking about providing some default (example) udev rules that should work on (almost ?) all linux distro using udev, for users building sigrok themselves, so they can get up and running as easily as possible. And from the bug repport and various other linked repports, I see no hints that GROUP="plugdev" would prevent the uaccess tag to work on Fedora. It may only print a warning that the plugdev group doesn't exist. So I think the proposed solution to have an example udev rules file with both plugdev group and uaccess tag is a good and simple solution that should work fine in pretty much all situations. Aurel -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On Donnerstag, 29. Dezember 2016 05:28:33 CET Roland Hieber wrote: > On 29.12.2016 02:54, Martin Ling wrote: > > On Wed, Dec 28, 2016 at 11:49:50AM +0300, Paul Fertser wrote: > >> So what libsigrok usecase on what particular OS won't be covered by > >> doing all three of these: > >> > >> 1. plugdev group assignment > >> 2. uaccess tag > >> 3. ModemManager antidote? > > > > Apparently this wouldn't be acceptable on Fedora - they wanted uaccess > > only. That was what led to the discussion in our bug #665. > > As mentioned in that bugreport, upstream udev files can only serve as an > example and it is the job of the distributions to come up with the > actual rules, the right groups, tags, etc. (And boy, don't get me > started on that modem-manager stuff.) In that manner, udev files are a > lot like SysV init scripts... > > The problem will probably consist in the future: users who find the udev > rules will take them for granted, and if they don't work, either rant > about it, or report bugs. Both is bad for us, since we cannot patch > distribution-specific things. > > We could prefix the rules file with a big comment that it is only meant > as a template, but that doesn't help the users at all, since the actual > rule implementation (groups, tags, ...) is distribution-specific and we > cannot link to documentation for all distributions. > > Even if we provided a script to read VIDs/PIDs from a file to generate > udev rules, that script needed to have specific parts for every > distribution. > > So I think the best way is to replace contrib/z60_libsigrok.rules with a > plain (machine-readable) list of VIDs/PIDs for known hardware, and a > notice for the users saying they need to figure out the udev rules > themselves. Talking with my distribution/maintainers hat on, I am strictly against changing the format here: 1. Adapting the current file to distribution needs is a sed 1-liner 2. Don't change anything that is not broken 3. udev rules are not as distribution specific as some people assume, actually the "group=plugdev" is the odd one here Sticking with a valid udev rules file also allows users doing manual compilation/installation to use the file as is. *If* one wanted to reduce the amount of eventual changes a distributor or user with local install has to do, the approach done by sane and libgphoto might be more sensible: 1. Add a tag to every matched device, e.g. 'ATTR{idProduct}=="1234" ENV{libsigrok_matched}="yes"' 2. Set the permissions in a single rule, e.g. 'ENV{libsigrok_matched}=="yes" GROUP="plugdev"' Kind regards, Stefan -- Stefan Brüns / Bergstraße 21 / 52062 Aachen home: +49 241 53809034 mobile: +49 151 50412019 work: +49 2405 49936-424 -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On 29.12.2016 02:54, Martin Ling wrote: > On Wed, Dec 28, 2016 at 11:49:50AM +0300, Paul Fertser wrote: >> >> So what libsigrok usecase on what particular OS won't be covered by >> doing all three of these: >> >> 1. plugdev group assignment >> 2. uaccess tag >> 3. ModemManager antidote? > > Apparently this wouldn't be acceptable on Fedora - they wanted uaccess > only. That was what led to the discussion in our bug #665. As mentioned in that bugreport, upstream udev files can only serve as an example and it is the job of the distributions to come up with the actual rules, the right groups, tags, etc. (And boy, don't get me started on that modem-manager stuff.) In that manner, udev files are a lot like SysV init scripts... The problem will probably consist in the future: users who find the udev rules will take them for granted, and if they don't work, either rant about it, or report bugs. Both is bad for us, since we cannot patch distribution-specific things. We could prefix the rules file with a big comment that it is only meant as a template, but that doesn't help the users at all, since the actual rule implementation (groups, tags, ...) is distribution-specific and we cannot link to documentation for all distributions. Even if we provided a script to read VIDs/PIDs from a file to generate udev rules, that script needed to have specific parts for every distribution. So I think the best way is to replace contrib/z60_libsigrok.rules with a plain (machine-readable) list of VIDs/PIDs for known hardware, and a notice for the users saying they need to figure out the udev rules themselves. ... After coming up with a possible patch myself, I noticed that I got to the same solution like Martin did in [0] :-) So I vote for that branch to be cherry-picked from, though I would probably spare the last commit (4d90d66, Add script to generate udev rules) for the reasons mentioned above. [0]: https://github.com/s09bQ5/libsigrok/commits/remove-udev-rules - Roland -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On Wed, Dec 28, 2016 at 11:49:50AM +0300, Paul Fertser wrote: > > So what libsigrok usecase on what particular OS won't be covered by > doing all three of these: > > 1. plugdev group assignment > 2. uaccess tag > 3. ModemManager antidote? Apparently this wouldn't be acceptable on Fedora - they wanted uaccess only. That was what led to the discussion in our bug #665. Martin -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On Tue, Dec 27, 2016 at 08:22:13PM +0100, Andrzej Telszewski wrote: > On 27/12/16 19:04, Paul Fertser wrote: > > I'm not trying to argue here but it would be useful to know what > > modern distros are not covered by both plugdev and uaccess combined? > > I would have to investigate what uaccess is all about. Upstream udev includes 73-seat-late.rules [0] which basically calls uaccess builtin [1] that assigns permissions appropriately for the current "seat" (i.e., physical session), more documentation explaining seats is available at [2]. I have an impression this mechanism allows both access for the current user when hotplugging as well as access for another user after a new session is established [3]. > I'm using Slackware, which is non-systemd distribution. For OSes that do not run systemd, nothing should be changing by adding uaccess tag (I'm proposing to retain plugdev group assignment intact and to use the tag method in addition to it). So what libsigrok usecase on what particular OS won't be covered by doing all three of these: 1. plugdev group assignment 2. uaccess tag 3. ModemManager antidote? (as a sidenote, OpenOCD doesn't have to deal with MM because most JTAG adapters are not serial/ACM/etc ports, so MM doesn't try to probe them anyhow, and those it tries do not mind) I hope this clears it up a bit. [0] https://github.com/systemd/systemd/blob/master/src/login/73-seat-late.rules.in [1] https://github.com/systemd/systemd/blob/master/src/udev/udev-builtin-uaccess.c [2] https://www.freedesktop.org/wiki/Software/systemd/multiseat/ [3] https://github.com/systemd/systemd/blob/master/src/login/logind-acl.c -- Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software! mailto:fercer...@gmail.com -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On 27/12/16 19:04, Paul Fertser wrote: > I'm not trying to argue here but it would be useful to know what > modern distros are not covered by both plugdev and uaccess combined? I would have to investigate what uaccess is all about. I'm using Slackware, which is non-systemd distribution. Although I'm familiar with "plugdev" group, I don't know about "uaccess". There seem to be no notion of it in all the system rules, except for: $ grep -R uaccess 70-udev-acl.rules:TEST=="/sys/fs/cgroup/systemd", TAG=="uaccess", GOTO="acl_end" -- Best regards, Andrzej Telszewski -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
Hi Martin, On Tue, Dec 27, 2016 at 03:38:30PM +, Martin Ling wrote: > http://sigrok.org/bugzilla/show_bug.cgi?id=665 > > In short, there is no rules file we can supply that will work for all > users on all distributions. I'm not trying to argue here but it would be useful to know what modern distros are not covered by both plugdev and uaccess combined? Having a suitable file directly in upstream might be useful for those building from the sources, I think. -- Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software! mailto:fercer...@gmail.com -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On Tue, Dec 27, 2016 at 03:38:30PM +, Martin Ling wrote: > > I believe someone else implemented a script to generate things from this > too, but I forget who it was or where they published it. Found it: https://github.com/s09bQ5/libsigrok/commits/remove-udev-rules This generates both udev rules (with either plugdev or uaccess) and the XML format needed for Android. Martin -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On Dienstag, 27. Dezember 2016 15:38:30 CET Martin Ling wrote: > Hi, > > Please see the previous discussion about this issue on bug 665: > > http://sigrok.org/bugzilla/show_bug.cgi?id=665 > > In short, there is no rules file we can supply that will work for all > users on all distributions. My proposal was that we remove the rules > file entirely, and replace it with a machine readable list of VID/PID > pairs that libsigrok is interested in, along with a script to generate > udev rules files from this as well as similar things for other systems, > e.g. I think there is some list that has to be provided to Android for > it to allow PulseView to use USB devices on that platform. > > I did some work on this about a year ago: > https://github.com/martinling/libsigrok/commits/remove-udev-rules > > I believe someone else implemented a script to generate things from this > too, but I forget who it was or where they published it. openSUSE uses the following snippet (RPM syntax) to generate its udev rules file: %define action TAG+="uaccess" %define mm_ignore ENV{ID_MM_DEVICE_IGNORE}="1" install -d -m 755 %{buildroot}%{_udevrulesdir} sed 's/MODE="664".*/%{action}, %{mm_ignore}/' contrib/z60_libsigrok.rules \ > %{buildroot}%{_udevrulesdir}/50-libsigrok.rules I thinks thats simple enough ... Kind regards, Stefan -- Stefan Brüns / Bergstraße 21 / 52062 Aachen home: +49 241 53809034 mobile: +49 151 50412019 work: +49 2405 49936-424 -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
Hi, Please see the previous discussion about this issue on bug 665: http://sigrok.org/bugzilla/show_bug.cgi?id=665 In short, there is no rules file we can supply that will work for all users on all distributions. My proposal was that we remove the rules file entirely, and replace it with a machine readable list of VID/PID pairs that libsigrok is interested in, along with a script to generate udev rules files from this as well as similar things for other systems, e.g. I think there is some list that has to be provided to Android for it to allow PulseView to use USB devices on that platform. I did some work on this about a year ago: https://github.com/martinling/libsigrok/commits/remove-udev-rules I believe someone else implemented a script to generate things from this too, but I forget who it was or where they published it. Martin On Tue, Dec 27, 2016 at 01:02:21PM +0100, Gerhard Sittig wrote: > > OpenOCD commit a5cff3acd377 adjusted their udev rules, motivated by > https://lists.debian.org/debian-devel-announce/2016/11/msg8.html > which recommends switching from > > MODE="664", GROUP="plugdev" > > to > > MODE="660", GROUP="plugdev", TAG+="uaccess" > > The commit log (partially) reads: > > | Modern desktop systems with systemd recommend this way to give users > | access to devices. We change permissions to sane value along the way. > > The change allows access to the devices by users which have > physical access to the machine, while it prevents remote users > from accessing the device. The Debian note reads: > > | Adding the uaccess tag to udev rules > | > | > | Packages containing udev rules that use GROUP="plugdev" should also add > | TAG+="uaccess" so that all users that are physically present can access > | the relevant devices, instead of just users in the plugdev group > | (GROUP="plugdev"). Some packages use MODE="666" to allow all users > | (including remote users) to access devices. For almost all devices it is > | probably more appropriate to switch from MODE="666" to GROUP="plugdev", > | MODE="660", TAG+="uaccess" so that remote users cannot access local > | devices. Check the wiki page for USB gadgets[13] for more hints. > | There is a lintian warning in progress[14] for these issues. > | > | -- Paul Wise & Petter Reinholdtsen > | > | [13] https://wiki.debian.org/USB/GadgetSetup > | [14] https://bugs.debian.org/841670 > > > This is a web document with the actual commit that I could find, > for those who don't have a local OpenOCD repo at hand: > https://sourceforge.net/p/openocd/mailman/message/35569241/ > (sorry for the evil formatting). > > > Is a similar change desirable for the libsigrok component? > > > virtually yours > Gerhard Sittig > -- > If you don't understand or are scared by any of the above > ask your parents or an adult to help you. > > -- > Check out the vibrant tech community on one of the world's most > engaging tech sites, SlashDot.org! http://sdm.link/slashdot > ___ > sigrok-devel mailing list > sigrok-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sigrok-devel > -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On Tue, Dec 27, 2016 at 14:03 +0100, Stefan Bruens wrote: > > On Dienstag, 27. Dezember 2016 13:02:21 CET Gerhard Sittig wrote: > > OpenOCD commit a5cff3acd377 adjusted their udev rules, motivated by > > https://lists.debian.org/debian-devel-announce/2016/11/msg8.html > > which recommends switching from > > > > MODE="664", GROUP="plugdev" > > > > to > > > > MODE="660", GROUP="plugdev", TAG+="uaccess" > > The openSUSE packages use the uaccess tag since ages, the rules also have > ENV{ID_MM_DEVICE_IGNORE}="1" Oh, you bring up (unhappy) memories of the pesky modem manager, which won't even respect this ignore flag depending on its version or implementation. Recently I gave up fighting and uninstalled this stubborn and unwilling piece of software, after running out of ideas what else to try. Even if the modem manager finds the "recently discovered modem" unresponsive, and releases access to the device so that other software can access it, I still found the device unusable (dazed and confused, not trying to continue) after the modem manager talked to it. Unplugging and re-plugging does not help, as the mm again insists in confusing the device. This was hopeless. :( Or is it the "cable" provider's fault when they claim they'd be ACM devices (modems) when they should be CDC (serial ports)? Is this something Windows motivated(?) like the HID disguise, just to not have to install some drivers? While generic CDC should be there out of the box, what exactly is the problem they try to solve? After trying several approaches, I got tired of mass-editing many individual lines, and used to (locally) add some extra rules with "wider scope" (less specific) that do the MM related adjustment, and take effect _in addition to_ the individual rules with specific VID/PID that adjust the permissions and optionally symlink the /dev entry. And I have to admit that I never bothered looking into rule file names and their ordering, except for doing every local adjustment "late" (in the 90ies range), to not interfere with distro stuff. I never tried to put my local mods "in between" distro provided rule sets. So my ignorance might have contributed to the trouble. :) Thank you for confirming that "uaccess" TAG properties are not unusual and should be acceptable, at least not harmful. virtually yours Gerhard Sittig -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
On Dienstag, 27. Dezember 2016 13:02:21 CET Gerhard Sittig wrote: > OpenOCD commit a5cff3acd377 adjusted their udev rules, motivated by > https://lists.debian.org/debian-devel-announce/2016/11/msg8.html > which recommends switching from > > MODE="664", GROUP="plugdev" > > to > > MODE="660", GROUP="plugdev", TAG+="uaccess" The openSUSE packages use the uaccess tag since ages, the rules also have ENV{ID_MM_DEVICE_IGNORE}="1" Kind regards, Stefan -- Stefan Brüns / Bergstraße 21 / 52062 Aachen home: +49 241 53809034 mobile: +49 151 50412019 work: +49 2405 49936-424 -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
Re: [sigrok-devel] udev rules, TAG+="uaccess" desirable?
Hello, On Tue, Dec 27, 2016 at 01:02:21PM +0100, Gerhard Sittig wrote: > OpenOCD commit a5cff3acd377 adjusted their udev rules, motivated by > https://lists.debian.org/debian-devel-announce/2016/11/msg8.html > which recommends switching from > > MODE="664", GROUP="plugdev" > > to > > MODE="660", GROUP="plugdev", TAG+="uaccess" > > The commit log (partially) reads: > > | Modern desktop systems with systemd recommend this way to give users > | access to devices. We change permissions to sane value along the way. > > The change allows access to the devices by users which have > physical access to the machine, while it prevents remote users > from accessing the device. Unless those remote users belong to the plugdev group. So for the existing configurations it should still work as before. For new users that have never added themselves to the plugdev group, it should work out of the box when they run a physical access session. For remote operation they'll just have to add themselves to plugdev as before. 664 -> 660 change makes sense either way, as having only read permissions for a USB device does nothing and looks odd. Please also keep in mind that numbering is important and that the rules need to appear numerically before the *seat*.rules files. Please correct me if I'm wrong. -- Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software! mailto:fercer...@gmail.com -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel
[sigrok-devel] udev rules, TAG+="uaccess" desirable?
OpenOCD commit a5cff3acd377 adjusted their udev rules, motivated by https://lists.debian.org/debian-devel-announce/2016/11/msg8.html which recommends switching from MODE="664", GROUP="plugdev" to MODE="660", GROUP="plugdev", TAG+="uaccess" The commit log (partially) reads: | Modern desktop systems with systemd recommend this way to give users | access to devices. We change permissions to sane value along the way. The change allows access to the devices by users which have physical access to the machine, while it prevents remote users from accessing the device. The Debian note reads: | Adding the uaccess tag to udev rules | | | Packages containing udev rules that use GROUP="plugdev" should also add | TAG+="uaccess" so that all users that are physically present can access | the relevant devices, instead of just users in the plugdev group | (GROUP="plugdev"). Some packages use MODE="666" to allow all users | (including remote users) to access devices. For almost all devices it is | probably more appropriate to switch from MODE="666" to GROUP="plugdev", | MODE="660", TAG+="uaccess" so that remote users cannot access local | devices. Check the wiki page for USB gadgets[13] for more hints. | There is a lintian warning in progress[14] for these issues. | | -- Paul Wise & Petter Reinholdtsen | | [13] https://wiki.debian.org/USB/GadgetSetup | [14] https://bugs.debian.org/841670 This is a web document with the actual commit that I could find, for those who don't have a local OpenOCD repo at hand: https://sourceforge.net/p/openocd/mailman/message/35569241/ (sorry for the evil formatting). Is a similar change desirable for the libsigrok component? virtually yours Gerhard Sittig -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ sigrok-devel mailing list sigrok-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sigrok-devel