Bug#840390: dfu-util: Allow all console users access to the USB device

2017-06-25 Thread Petter Reinholdtsen
Hi Uwe.  Any hope to have this patch applied for Buster, now that the new
release cycle has started?

-- 
Happy hacking
Petter Reinholdtsen



Bug#840390: dfu-util: Allow all console users access to the USB device

2016-12-11 Thread Tormod Volden
Hi Uwe,

Would it help you to get a full debdiff, or should we try to get an NMU for this?

Best regards,
Tormod


On Tue, Oct 11, 2016 at 9:15 AM, Petter Reinholdtsen wrote:
>
> debian/patches/udev-console-access.patch:
>
> Description: Use ACLs to provide device access to console user
> Author: Petter Reinholdtsen 
> Forwarded: no
> Reviewed-By: 
> Last-Update: 2016-10-11
>
> --- dfu-util-0.9.orig/doc/40-dfuse.rules
> +++ dfu-util-0.9/doc/40-dfuse.rules
> @@ -1,4 +1,5 @@
>  # Example udev rules (usually placed in /etc/udev/rules.d)
>  # Makes STM32 DfuSe device writeable for the "plugdev" group
> +# and console users
>
> -ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", 
> ATTRS{idProduct}=="df11", MODE="664", GROUP="plugdev"
> +ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", 
> ATTRS{idProduct}=="df11", MODE="664", GROUP="plugdev", TAG+="uaccess"
>
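
Review bot: the added comment line `# and console users` does not say which key provides that access, and the rule now mixes two mechanisms: `MODE="664", GROUP="plugdev"` and `TAG+="uaccess"`. Suggest the comment name the `uaccess` tag explicitly, so that someone copying this example rule knows which part grants console access and which part is the group grant.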



Bug#840390: dfu-util: Allow all console users access to the USB device

2016-10-11 Thread Petter Reinholdtsen

Package: dfu-util
Version: 0.9-1
Tags: patch
Severity: important

When installing Debian, the initial user was traditionally made a member
of the plugdev group, and this granted access to local hardware dongles
when this user is logged in.  This approach causes problems for users
originating from directory services like LDAP and Active Directory, as
such plugdev membership can not be granted globally.  The plugdev
membership can be assigned during login (using pam_group), but still
this approach is problematic because left-behind processes keep the
group membership even when the user is no longer logged in on the
machine, allowing background processes to get access to other people's
hardware.

There is an alternative to group membership for device access, using
file system ACLs, and with systemd this is the recommended default
according to the systemd maintainers.  To enable it for a given device,
the 'access' tag can be set.

Please do so for the dfu-util udev rule, to allow the device to work for
any console user, not only the one created during installation.  Here is
a patch, to store for example as
debian/patches/udev-console-access.patch:

Description: Use ACLs to provide device access to console user
Author: Petter Reinholdtsen 
Forwarded: no
Reviewed-By: 
Last-Update: 2016-10-11

--- dfu-util-0.9.orig/doc/40-dfuse.rules
+++ dfu-util-0.9/doc/40-dfuse.rules
@@ -1,4 +1,5 @@
 # Example udev rules (usually placed in /etc/udev/rules.d)
 # Makes STM32 DfuSe device writeable for the "plugdev" group
+# and console users
 
-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", 
ATTRS{idProduct}=="df11", MODE="664", GROUP="plugdev"
+ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", 
ATTRS{idProduct}=="df11", MODE="664", GROUP="plugdev", TAG+="uaccess"
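
Review bot: both the removed and the added rule are split across two lines here, and the continuation line starting `ATTRS{idProduct}=="df11"` carries no `-` or `+` prefix, so the hunk as posted will not apply cleanly against `@@ -1,4 +1,5 @@`. Please resend the patch as an attachment, or unwrapped, with each rule on a single line.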

I suspect the plugdev/mode part can be removed, but did not suggest to
do so at this time because I am unsure how it affects non-systemd users.

-- 
Happy hacking
Petter Reinholdtsen
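
Added example, not part of the bug report or of dfu-util: a small audit of udev rules text that flags rules granting access only through a group (the situation the report describes), a `uaccess` tag set in a file that sorts too late, and world-writable modes. The third sample rule and the file name `99-example.rules` are constructed for illustration; the finding names are this example's own.

```python
import re

# systemd applies the uaccess ACLs in 73-seat-late.rules; a file that sorts
# after it sets the tag too late for it to take effect.
SEAT_RULES = "73-seat-late.rules"
PAIR = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

# Constructed samples: the rule from the patch before and after the change,
# and a hypothetical local rule (99-example.rules) with two further mistakes.
BEFORE = ('ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", '
          'ATTRS{idProduct}=="df11", MODE="664", GROUP="plugdev"\n')
AFTER = ('# rule after the patch, written with a backslash continuation\n'
         'ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", \\\n'
         'ATTRS{idProduct}=="df11", MODE="664", GROUP="plugdev", TAG+="uaccess"\n')
LATE = ('SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", '
        'MODE="0666", TAG+="uaccess"\n')


def logical_lines(text):
    """Join backslash-continued lines, then drop blanks and comments."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def audit(filename, text):
    """Return a list of findings for one udev rules file."""
    findings = []
    for rule in logical_lines(text):
        keys = PAIR.findall(rule)
        group = any(k == "GROUP" and op in ("=", ":=") for k, op, _ in keys)
        tagged = any(k == "TAG" and op == "+=" and v == "uaccess"
                     for k, op, v in keys)
        modes = [v for k, op, v in keys if k == "MODE" and op in ("=", ":=")]
        if group and not tagged:
            findings.append("group-only")        # access tied to group membership
        if tagged and filename >= SEAT_RULES:
            findings.append("uaccess-too-late")  # tag set after ACLs are applied
        if any(int(m, 8) & 0o002 for m in modes):
            findings.append("world-writable")    # every local process can write
    return findings


if __name__ == "__main__":
    for name, text in [("40-dfuse.rules", BEFORE), ("40-dfuse.rules", AFTER),
                       ("99-example.rules", LATE)]:
        print(name, audit(name, text))
```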