Bug#440760: debian-reference-en: Explain groups, and permission to access devices, early
On Fri, Sep 07, 2007 at 09:42:11PM -0500, Karl O. Pinc wrote:
On 09/07/2007 11:41:02 AM, Osamu Aoki wrote:
On Tue, Sep 04, 2007 at 10:13:40AM -0500, Karl O. Pinc wrote:
On 09/04/2007 07:59:47 AM, Osamu Aoki wrote:

I didn't want to expand this section to re-create the definitive list, but I also think it could be useful to list the 'scanner' group and the 'plugdev' group. (Because those are the ones I've struggled with in the past. :)

But gnome and xfce do not use plugdev (pmount).

I am unclear on what's used when. (I recently switched from gnome to kde, so am now using kde.) All I can say is that when I plugged in my usb camera (which requires a special wire protocol, it does not mount as a filesystem) it came up with plugdev as the group allowed to read and write it. (Kde also did some odd things popping up a dialog box. I was unable to figure out how to get it to launch, for example, gtkam. I poked it with a stick for a while and gave up.) I'm not sure what kde is really doing that I want and don't know I'll stick with it.

I am unclear too :-) I use Gnome. KDE seems to use pmount as underlayer for mounting devices from desktop while gtk and xfce seems to have their own tools.

[EMAIL PROTECTED]:~$ man -k mount
(and manual cherry picks)
drivemount_applet (1) - Drive Mount Applet for the GNOME panel.
exo-mount (1) - mount volumes based on their HAL UDIs or their device files
exo-unmount (1) - umount volumes based on their HAL UDIs or their device files
gnome-eject (1) - Mount drives and volumes using HAL and read settings from the GNOME desktop configuration system gconf.
gnome-mount (1) - Mount drives and volumes using HAL and read settings from the GNOME desktop configuration system gconf.
gnome-umount (1) - Mount drives and volumes using HAL and read settings from the GNOME desktop configuration system gconf.
gnome-volume-manager (1) - GNOME daemon to auto-mount and manage media devices
pmount (1) - mount arbitrary hotpluggable devices as normal user
pmount-hal (1) - HAL-aware wrapper around pmount
pumount (1) - umount arbitrary hotpluggable devices as normal user

KDE has dependency to pmount as I see.

But if this is for devices, floppy etc may serve better as example.

I'm not sure what you mean, but that's ok.

Second thought. CDROM these days.

I chose the audio group because you already had text for the adm group, which grants read access, and I wanted something that would grant write access (and have to do with devices rather than files.)

What do you think my rewrite? http://wiki.debian.org/DRBasics#head-8c8218c777b29b3179dd99503f0a019f55ebca0a

As written: When some filesystem access is only available from the super user (root), this is a good indication that access permission of some file (including device) is set to deny access by the user account used. This situation may be removed by adding the pertinent user to the pertinent group and setting proper group access permission to the file.

Revised: When some filesystem access is only available to the super user (root), this is a good indication that access permission of the file (or device) is set to deny access to the user account. This situation may be removed by adding the pertinent user to the pertinent group and setting proper group access permission to the file.

(It's still not so good. E.g. The first sentence seems to say only if only root can use it then regular users can't, which is a tautology.)

I think this part needs to go in The root account section and taken out of the group section. I say this because that's where the reader needs to perk up and remember hey, this is what the root account's good for. If I want to do any of these things I'd better be root. It's easier for the reader if the whole list is in one place.

I think this is true, even though it'd be nice to remind the reader throughout the document wherever root permissions are required, because generally the new user won't know which part of the document has the relevant concept when, for example, he does not have permission. But he should be able to remember that root _always_ has permission and so should be able to rely on the part of the document that explains the root concept to refer him to the concepts in the other parts of the document.

Re-revised (for after the bullet points): Some files (and most devices -- hardware devices are just another kind of file) can not be used by non-root users without the root user's permission. As explained below, permission is granted via membership to the relevant link to groups sectiongroup/link.

Very good points. But injecting group thing too much in early root section may skew the flow of text. I have made rewrite of the many related sections. I hope this is better. http://wiki.debian.org/DRBasics (If you have some more thought, please edit this wiki.
Bug#440760: debian-reference-en: Explain groups, and permission to access devices, early
On Tue, Sep 04, 2007 at 10:13:40AM -0500, Karl O. Pinc wrote:
On 09/04/2007 07:59:47 AM, Osamu Aoki wrote:

Thanks for your interest.

You're welcome. I've a couple of other patches submitted as wishlist bugs too.

They might have been stopped by my mail gateway. I see them on BTS. Thanks.

On Mon, Sep 03, 2007 at 11:32:05PM -0500, Karl O. Pinc wrote:

Package: debian-reference-en
Version: CVS HEAD

-sect1Purposes of standard groups +sect1 id=standard-groupsPurposes of standard groups

Yah, standard group is good to mention.

I didn't want to expand this section to re-create the definitive list, but I also think it could be useful to list the 'scanner' group and the 'plugdev' group. (Because those are the ones I've struggled with in the past. :)

But gnome and xfce do not use plugdev (pmount).

But if this is for devices, floppy etc may serve better as example.

I'm not sure what you mean, but that's ok. I chose the audio group because you already had text for the adm group, which grants read access, and I wanted something that would grant write access (and have to do with devices rather than files.)

What do you think my rewrite? http://wiki.debian.org/DRBasics#head-8c8218c777b29b3179dd99503f0a019f55ebca0a

I may need to comment on how gnome mount device as user to the desktop. or http://wiki.debian.org/DebianReference

Osamu
Bug#440760: debian-reference-en: Explain groups, and permission to access devices, early
On 09/07/2007 11:41:02 AM, Osamu Aoki wrote:
On Tue, Sep 04, 2007 at 10:13:40AM -0500, Karl O. Pinc wrote:
On 09/04/2007 07:59:47 AM, Osamu Aoki wrote:

I didn't want to expand this section to re-create the definitive list, but I also think it could be useful to list the 'scanner' group and the 'plugdev' group. (Because those are the ones I've struggled with in the past. :)

But gnome and xfce do not use plugdev (pmount).

I am unclear on what's used when. (I recently switched from gnome to kde, so am now using kde.) All I can say is that when I plugged in my usb camera (which requires a special wire protocol, it does not mount as a filesystem) it came up with plugdev as the group allowed to read and write it. (Kde also did some odd things popping up a dialog box. I was unable to figure out how to get it to launch, for example, gtkam. I poked it with a stick for a while and gave up.) I'm not sure what kde is really doing that I want and don't know I'll stick with it.

But if this is for devices, floppy etc may serve better as example.

I'm not sure what you mean, but that's ok. I chose the audio group because you already had text for the adm group, which grants read access, and I wanted something that would grant write access (and have to do with devices rather than files.)

What do you think my rewrite? http://wiki.debian.org/DRBasics#head-8c8218c777b29b3179dd99503f0a019f55ebca0a

As written: When some filesystem access is only available from the super user (root), this is a good indication that access permission of some file (including device) is set to deny access by the user account used. This situation may be removed by adding the pertinent user to the pertinent group and setting proper group access permission to the file.

Revised: When some filesystem access is only available to the super user (root), this is a good indication that access permission of the file (or device) is set to deny access to the user account. This situation may be removed by adding the pertinent user to the pertinent group and setting proper group access permission to the file.

(It's still not so good. E.g. The first sentence seems to say only if only root can use it then regular users can't, which is a tautology.)

I think this part needs to go in The root account section and taken out of the group section. I say this because that's where the reader needs to perk up and remember hey, this is what the root account's good for. If I want to do any of these things I'd better be root. It's easier for the reader if the whole list is in one place.

I think this is true, even though it'd be nice to remind the reader throughout the document wherever root permissions are required, because generally the new user won't know which part of the document has the relevant concept when, for example, he does not have permission. But he should be able to remember that root _always_ has permission and so should be able to rely on the part of the document that explains the root concept to refer him to the concepts in the other parts of the document.

Re-revised (for after the bullet points): Some files (and most devices -- hardware devices are just another kind of file) can not be used by non-root users without the root user's permission. As explained below, permission is granted via membership to the relevant link to groups sectiongroup/link.

I may need to comment on how gnome mount device as user to the desktop. or http://wiki.debian.org/DebianReference

Osamu

Karl [EMAIL PROTECTED]
Free Software: You don't pay back, you pay forward. -- Robert A. Heinlein
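The situation this message keeps rewording (a file or device that only root can use until the account joins the owning group) comes down to the kernel's owner/group/other check. The sketch below is an added example, not part of the original thread or of the Debian Reference; the numeric ids (gid 29 for audio, gid 4 for adm, uid 1000 for penguin) and the function names are constructed assumptions.

```python
import os
import pwd
import stat

# Constructed sample values (not from the thread): gid 29 stands in for the
# "audio" group, gid 4 for "adm", uid 1000 and primary gid 1000 for "penguin".
AUDIO_GID, ADM_GID, PENGUIN_UID, PENGUIN_GID = 29, 4, 1000, 1000


def access_class(st_uid, st_gid, uid, gids):
    """Pick the one permission triplet the kernel consults; there is no fall-through."""
    if uid == st_uid:
        return "owner"
    if st_gid in gids:
        return "group"
    return "other"


def diagnose(mode, st_uid, st_gid, uid, gids, want="rw"):
    """Say whether uid gets `want` ('r', 'w' or 'rw') and whether a group would fix a denial."""
    if uid == 0:
        return "granted: root bypasses the permission bits"
    need = sum({"r": 4, "w": 2}[c] for c in want)
    perms = stat.S_IMODE(mode)
    cls = access_class(st_uid, st_gid, uid, gids)
    have = (perms >> {"owner": 6, "group": 3, "other": 0}[cls]) & 7
    if have & need == need:
        return f"granted via {cls} bits"
    if cls == "other" and (perms >> 3) & need == need:
        return "denied: joining the file's group would grant access"
    return f"denied via {cls} bits: group membership alone will not help"


def diagnose_path(path, user, want="rw"):
    """Run the same check against a real file or device node for an existing account."""
    st, pw = os.stat(path), pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    return diagnose(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids, want)


if __name__ == "__main__":
    dev = stat.S_IFCHR | 0o660   # constructed: crw-rw---- root:audio
    log = stat.S_IFREG | 0o640   # constructed: -rw-r----- root:adm
    before, after = {PENGUIN_GID}, {PENGUIN_GID, ADM_GID, AUDIO_GID}
    print(diagnose(dev, 0, AUDIO_GID, PENGUIN_UID, before))
    print(diagnose(dev, 0, AUDIO_GID, PENGUIN_UID, after))
    print(diagnose(log, 0, ADM_GID, PENGUIN_UID, after, want="r"))
    print(diagnose(log, 0, ADM_GID, PENGUIN_UID, after, want="rw"))
```

Supplementary groups are read when a session starts, so a process that was already running before the account was added to the group keeps its old group list until the user logs in again.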
Bug#440760: debian-reference-en: Explain groups, and permission to access devices, early
Hi, Thanks for your interest. On Mon, Sep 03, 2007 at 11:32:05PM -0500, Karl O. Pinc wrote: Package: debian-reference-en Version: CVS HEAD Severity: wishlist Tags: patch There's a regular problem on irc with newbies who've not got permission to access various hardware devices. The reference manual should get this out of the way early, and explain groups and that it's the job of the root user to grant permission to various hardware devices etc. This has bearing on bug #403755. Apply patch with: cd qref/en ; patch -p1 group.patch Note that I used the long option names. I don't know if that's in line with the manual's regular style. -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-5-686 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) diff -ruN en.old/tune.sgml en/tune.sgml --- en.old/tune.sgml 2007-01-18 16:31:58.0 -0600 +++ en/tune.sgml 2007-09-03 21:51:12.0 -0500 @@ -208,7 +208,7 @@ auth sufficient pam_wheel.so trust group=adm /example -sect1Purposes of standard groups +sect1 id=standard-groupsPurposes of standard groups Yah, standard group is good to mention. But if this is for devices, floppy etc may serve better as example. p A few interesting groups: list compact diff -ruN en.old/tutorial.sgml en/tutorial.sgml --- en.old/tutorial.sgml 2006-01-22 02:33:11.0 -0600 +++ en/tutorial.sgml 2007-09-03 23:27:33.0 -0500 @@ -66,6 +66,7 @@ itemset file ownership and permission of any files on the system itemset the password of any non-privileged users on the system itemlogin to any accounts without their passwords +itemallow ordinary accounts to access hardware devices: audio speakers, floppy drives, cd drives, scanners, etc. /list p It is extremely bad idea to share the access to the root account by 
@@ -124,16 +125,33 @@ ... answer all the questions /example will create it. -footnote -You may want to add this user ttvarpenguin/var/tt to the -ttadm/tt group to enable read access to the many logfiles in -file/var/log//file. See manref name=passwd section=5, manref -name=group section=5, manref name=shadow section=5, manref -name=group section=5, manref name=vipw section=8, and manref -name=vigr section=8. For the official meanings of users and + +sect1 id=granting-accessGranting access to privileged hardware and data +p +You may (or may not) want to grant the ttvarpenguin/var/tt user +read access to the many logfiles in +the file/var/log//file directory, or may (or may not) want to enable +write access to attached speakers so that the user can listen to music. +p +To ease administration and allow many people to share the same set of +access rights, the necessary permissions have already been granted to +what are known as stronggroups/strong. The ttadm/tt group is allowed +read access to various administrative files, and the ttaudio/tt +group is allowed write access to the various hardware components which +drive the speakers. All that remains is to put the ttvarpenguin/var/tt +user into both groups. I see. +example +root@varfoo/var:root# usermod --append --groups adm,audio penguin +/example +p +See ref id=standard-groups, or for the official meanings of users and groups, see a recent version of the url id=f-users-and-groups; name=Users and Groups document. -/footnote +See also manref name=passwd section=5, manref +name=group section=5, manref name=shadow section=5, manref +name=group section=5, manref name=vipw section=8, and manref +name=vigr section=8. +p Before going further, let's learn few things first. sect1 id=sw-consoleSwitch between virtual console
Bug#440760: debian-reference-en: Explain groups, and permission to access devices, early
On 09/04/2007 07:59:47 AM, Osamu Aoki wrote:

Thanks for your interest.

You're welcome. I've a couple of other patches submitted as wishlist bugs too.

On Mon, Sep 03, 2007 at 11:32:05PM -0500, Karl O. Pinc wrote:

Package: debian-reference-en
Version: CVS HEAD

-sect1Purposes of standard groups +sect1 id=standard-groupsPurposes of standard groups

Yah, standard group is good to mention.

I didn't want to expand this section to re-create the definitive list, but I also think it could be useful to list the 'scanner' group and the 'plugdev' group. (Because those are the ones I've struggled with in the past. :)

But if this is for devices, floppy etc may serve better as example.

I'm not sure what you mean, but that's ok. I chose the audio group because you already had text for the adm group, which grants read access, and I wanted something that would grant write access (and have to do with devices rather than files.)

Karl [EMAIL PROTECTED]
Free Software: You don't pay back, you pay forward. -- Robert A. Heinlein
Bug#440760: debian-reference-en: Explain groups, and permission to access devices, early
Package: debian-reference-en Version: CVS HEAD Severity: wishlist Tags: patch There's a regular problem on irc with newbies who've not got permission to access various hardware devices. The reference manual should get this out of the way early, and explain groups and that it's the job of the root user to grant permission to various hardware devices etc. This has bearing on bug #403755. Apply patch with: cd qref/en ; patch -p1 group.patch Note that I used the long option names. I don't know if that's in line with the manual's regular style. -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-5-686 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) diff -ruN en.old/tune.sgml en/tune.sgml --- en.old/tune.sgml2007-01-18 16:31:58.0 -0600 +++ en/tune.sgml2007-09-03 21:51:12.0 -0500 @@ -208,7 +208,7 @@ auth sufficient pam_wheel.so trust group=adm /example -sect1Purposes of standard groups +sect1 id=standard-groupsPurposes of standard groups p A few interesting groups: list compact diff -ruN en.old/tutorial.sgml en/tutorial.sgml --- en.old/tutorial.sgml2006-01-22 02:33:11.0 -0600 +++ en/tutorial.sgml2007-09-03 23:27:33.0 -0500 @@ -66,6 +66,7 @@ itemset file ownership and permission of any files on the system itemset the password of any non-privileged users on the system itemlogin to any accounts without their passwords +itemallow ordinary accounts to access hardware devices: audio speakers, floppy drives, cd drives, scanners, etc. /list p It is extremely bad idea to share the access to the root account by 
@@ -124,16 +125,33 @@ ... answer all the questions /example will create it. -footnote -You may want to add this user ttvarpenguin/var/tt to the -ttadm/tt group to enable read access to the many logfiles in -file/var/log//file. See manref name=passwd section=5, manref -name=group section=5, manref name=shadow section=5, manref -name=group section=5, manref name=vipw section=8, and manref -name=vigr section=8. For the official meanings of users and + +sect1 id=granting-accessGranting access to privileged hardware and data +p +You may (or may not) want to grant the ttvarpenguin/var/tt user +read access to the many logfiles in +the file/var/log//file directory, or may (or may not) want to enable +write access to attached speakers so that the user can listen to music. +p +To ease administration and allow many people to share the same set of +access rights, the necessary permissions have already been granted to +what are known as stronggroups/strong. The ttadm/tt group is allowed +read access to various administrative files, and the ttaudio/tt +group is allowed write access to the various hardware components which +drive the speakers. All that remains is to put the ttvarpenguin/var/tt +user into both groups. +example +root@varfoo/var:root# usermod --append --groups adm,audio penguin +/example +p +See ref id=standard-groups, or for the official meanings of users and groups, see a recent version of the url id=f-users-and-groups; name=Users and Groups document. -/footnote +See also manref name=passwd section=5, manref +name=group section=5, manref name=shadow section=5, manref +name=group section=5, manref name=vipw section=8, and manref +name=vigr section=8. +p Before going further, let's learn few things first. sect1 id=sw-consoleSwitch between virtual console
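Review bot: The list item added at @@ -66,6 +66,7 @@ in tutorial.sgml has no cross-reference to the place where granting that access is explained. This patch introduces sect1 id=granting-access further down the same file, so a ref to it on the new item would let a reader who hits a permission error on a device get from the list of root's powers to the group mechanism in one step.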
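Review bot: In the @@ -124,16 +125,33 @@ hunk of tutorial.sgml, the usermod example is not followed by any statement that the new membership only applies to sessions started after the change, so a reader who runs it and retries the device from the same login will still be denied; add a sentence telling the penguin user to log out and back in. The text also gives no reason for --append: without it, --groups replaces the account's existing supplementary groups, which deserves a clause next to the example. In the "See also" sentence, manref name=group section=5 is listed twice, carried over from the removed footnote; drop the repeat.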