> Date: Tue, 29 Dec 2020 15:24:58 +0100
> From: Marcus Glocker <mar...@nazgul.ch>
> 
> Now that we have a switch in place with kern.video.record which requires
> initial root access to enable video recording, I want to propose the idea
> of making the /dev/video* devices accessible to users who are a member
> of the 'video' group:
> 
>       lrwxr-xr-x  1 root  wheel         6 Dec 29 12:38 video -> video0
>       crw-rw----  1 root  video   44,   0 Dec 29 12:38 video0
>       crw-rw----  1 root  video   44,   1 Dec 29 12:38 video1
> 
> With this we would enable a default setup which avoids running
> video programs as root, or pushing people to manually tweak the
> /dev/video* permissions.
> 
> In this diff I'm re-using group id 6, which was the first free one
> found.  I'm not sure if this is the right approach.
> 
> What do you think?

How useful is this really?  In the context of laptop cameras, this
does allow users in that group to spy on each other.  So here using
fbtab(5) and /etc/X11/xdm/{Give|Take}Console to chown the device might
make more sense.

There might be other contexts where your group-based approach might
make more sense.  But this might interfere with login_fbtab(3).  What
did you have in mind?


> Index: etc/group
> ===================================================================
> RCS file: /cvs/src/etc/group,v
> retrieving revision 1.94
> diff -u -p -u -p -r1.94 group
> --- etc/group 28 Jan 2020 16:51:03 -0000      1.94
> +++ etc/group 29 Dec 2020 11:40:07 -0000
> @@ -4,6 +4,7 @@ kmem:*:2:root
>  sys:*:3:root
>  tty:*:4:root
>  operator:*:5:root
> +video:*:6:
>  bin:*:7:
>  wsrc:*:9:
>  users:*:10:
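
Review bot: the added `video:*:6:` line takes a group id that the cover message describes as re-used, so on an upgraded system any file or local group entry still carrying gid 6 would silently fall under the new group. The commit message should say why 6 is safe to reuse, or the diff should pick an id that has never been assigned. The member list is empty, so nobody gains access until an administrator adds users explicitly; that default is worth a line in the documentation.
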
> Index: etc/MAKEDEV.common
> ===================================================================
> RCS file: /cvs/src/etc/MAKEDEV.common,v
> retrieving revision 1.111
> diff -u -p -u -p -r1.111 MAKEDEV.common
> --- etc/MAKEDEV.common        6 Jul 2020 06:11:26 -0000       1.111
> +++ etc/MAKEDEV.common        29 Dec 2020 11:40:07 -0000
> @@ -428,7 +428,7 @@ __devitem(au, audio*, Audio devices,audi
>  _mkdev(au, audio*, {-M audio$U       c major_au_c $U 660 _sndiop
>       M audioctl$U    c major_au_c Add($U, 192) 660 _sndiop-})dnl
>  __devitem(vi, video*, Video V4L2 devices,video)dnl
> -_mkdev(vi, video*, {-M video$U  c major_vi_c $U 600
> +_mkdev(vi, video*, {-M video$U  c major_vi_c $U 660 video
>       MKlist[${#MKlist[*]}]=";[ -e video ] || ln -s video$U
> video"-})dnl __devitem(asc, asc*, ASC Audio device)dnl
>  _mkdev(asc, asc*, {-M asc$U major_asc_c 0-})dnl
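
Review bot: changing `600` to `660 video` on `video$U` gives every member of the group read and write access to every video node regardless of who is at the console, which is the cross-user exposure raised in the reply. If the group approach stays, the change should state how it is meant to coexist with an fbtab(5) chown of the same device, since the reply notes the two may interfere. No documentation change accompanies the new default mode and group.
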
> 
> 
