Re: FBSD-6 usb/scanner-access-rights

From: Roland Smith (rsmith_at_xs4all.nl)
Date: 11/20/05

    Date: Sun, 20 Nov 2005 18:47:54 +0100
    To: Holger Kipp <hk@alogis.com>
    
    
    

    On Sun, Nov 20, 2005 at 05:37:36PM +0100, Holger Kipp wrote:
    > Dear Roland,
    >
    > thank you very much for your answer.
    >
    > On Sun, Nov 20, 2005 at 03:04:22PM +0100, Roland Smith wrote:
    > > On Sun, Nov 20, 2005 at 02:16:24PM +0100, Holger Kipp wrote:
    > > >
    > > > Is there an easy way to name the devices a user might
    > > > be allowed to access rw, without compromising the system?
    > > > I don't want to give operator group to these users,
    > > > and I don't want to blindly allow access to some
    > > > da- or pass-devices where I cannot determine the order
    > > > of numbering easily.
    > >
    > > One thing you could do is make the groups usb and cdrom and make them
    > > the groups owning the relevant devices, e.g. by putting the following in
    > > /etc/devfs.rules:
    > >
    > > add path 'da*s*' mode 0660 group usb
    > > add path 'uscanner*' mode 0660 group usb
    >
    > ah, I had the entry
    > "add path 'uscanner*' mode 0660 group usb"
    > missing in the devfs.rules-file
    > but this still does not help...
    >
    > uscanner0 is here:
    >
    > uscanner0: EPSON EPSON Scanner, rev 1.10/1.00, addr 2
    >
    >
    > sane-find-scanner has the following to say:
    > found USB scanner (UNKNOWN vendor and product) at device /dev/uscanner0

    Doesn't matter that you get "UNKNOWN". It _will_ work with sane without
    access to /dev/usb*. It does here.

    <snip>
    > Yes, but there is a problem with numbering of pass-devices:
    >
    > with card-reader attached during boot, I have:
    > <SMSC 223 U HS-CF 1.95> at scbus0 target 0 lun 0 (da0,pass0)
    > <SMSC 223 U HS-MS 1.95> at scbus0 target 0 lun 1 (da1,pass1)
    > <SMSC 223 U HS-SM 1.95> at scbus0 target 0 lun 2 (da2,pass2)
    > <SMSC 223 U HS-SD/MMC 1.95> at scbus0 target 0 lun 3 (da3,pass3)
    > <HL-DT-ST DVDRAM GSA-4163B A102> at scbus2 target 0 lun 0 (pass4,cd0)
    > <HL-DT-ST RW/DVD GCC-4120B 2.01> at scbus2 target 1 lun 0 (pass5,cd1)
    >
    > attaching card-reader afterwards gives different numbering:
    > after boot:
    > katrin# camcontrol devlist
    > <HL-DT-ST DVDRAM GSA-4163B A102> at scbus1 target 0 lun 0 (cd1,pass1)
    > <HL-DT-ST RW/DVD GCC-4120B 2.01> at scbus1 target 1 lun 0 (cd0,pass0)
    > after attaching cardreader:
    > katrin# camcontrol devlist
    > <HL-DT-ST DVDRAM GSA-4163B A102> at scbus1 target 0 lun 0 (cd1,pass1)
    > <HL-DT-ST RW/DVD GCC-4120B 2.01> at scbus1 target 1 lun 0 (cd0,pass0)
    > <SMSC 223 U HS-CF 1.95> at scbus4 target 0 lun 0 (da0,pass2)
    > <SMSC 223 U HS-MS 1.95> at scbus4 target 0 lun 1 (da1,pass3)
    > <SMSC 223 U HS-SM 1.95> at scbus4 target 0 lun 2 (da2,pass4)
    > <SMSC 223 U HS-SD/MMC 1.95> at scbus4 target 0 lun 3 (da3,pass5)
    >
    > so allowing access to cd0/cd1 and corresponding pass0 and pass1 will
    > break if computer is booted with usb-cardreader attached. not good.

    It was an example. I don't have many usb devices, so it works for me. :-)

    > > If that is not fine-grained enough, maybe ACLs might help. See setfacl(1).
    >
    > so we currently have:
    >
    > - rights needed not only for the device itself, but also for the bus
    > and or control devices (pass<x>, usb<x>, xpt0)

    Yes, but ACLs give fine-grained access control. And no matter how you
    look at it, you _have_ to trust the person whom you give access to the
    pass devices. It's in the FreeBSD architecture.

    > - dynamic numbering (pass<x>).
    >
    > I agree that usb is a nightmare and should never have happened.

    :-)

    For disc devices, you could use GEOM_LABEL. That'll give you consistent
    /dev/label/ names.

    Roland

    -- 
    R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
    public key: http://www.xs4all.nl/~rsmith/pubkey.txt
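
One way to cope with the shifting pass<x> numbers discussed above, as an added example that is not part of the original message: derive the devfs.rules lines from `camcontrol devlist` output by matching the inquiry string rather than a fixed unit number. The function name `rules_for_model`, the match pattern `HL-DT-ST` and the use of group `cdrom` for the optical drives are assumptions for illustration; the two listings are copied from the quoted message.

```shell
#!/bin/sh
# Added example (not from the thread): build devfs.rules lines from
# `camcontrol devlist` text, keyed on the inquiry string, not on passN.

# rules_for_model PATTERN GROUP -- reads devlist text on stdin.
rules_for_model() {
    awk -v pat="$1" -v grp="$2" -v q="'" '
    {
        # Shape: <vendor model rev> at scbusN target T lun L (devA,devB)
        lt = index($0, "<"); gt = index($0, ">")
        if (lt == 0 || gt <= lt) next
        if (substr($0, lt + 1, gt - lt - 1) !~ pat) next
        rest = substr($0, gt + 1)
        op = index(rest, "("); cp = index(rest, ")")
        if (op == 0 || cp <= op) next
        n = split(substr(rest, op + 1, cp - op - 1), dev, ",")
        # Order varies (pass4,cd0 versus cd1,pass1), so emit every name.
        for (i = 1; i <= n; i++)
            if (dev[i] ~ /^[a-z]+[0-9]+$/)
                printf "add path %s%s%s mode 0660 group %s\n", q, dev[i], q, grp
    }'
}

# Listings copied from the quoted message above.
devlist_boot() { cat <<'EOF'
<SMSC 223 U HS-CF 1.95> at scbus0 target 0 lun 0 (da0,pass0)
<SMSC 223 U HS-MS 1.95> at scbus0 target 0 lun 1 (da1,pass1)
<SMSC 223 U HS-SM 1.95> at scbus0 target 0 lun 2 (da2,pass2)
<SMSC 223 U HS-SD/MMC 1.95> at scbus0 target 0 lun 3 (da3,pass3)
<HL-DT-ST DVDRAM GSA-4163B A102> at scbus2 target 0 lun 0 (pass4,cd0)
<HL-DT-ST RW/DVD GCC-4120B 2.01> at scbus2 target 1 lun 0 (pass5,cd1)
EOF
}

devlist_hotplug() { cat <<'EOF'
<HL-DT-ST DVDRAM GSA-4163B A102> at scbus1 target 0 lun 0 (cd1,pass1)
<HL-DT-ST RW/DVD GCC-4120B 2.01> at scbus1 target 1 lun 0 (cd0,pass0)
<SMSC 223 U HS-CF 1.95> at scbus4 target 0 lun 0 (da0,pass2)
<SMSC 223 U HS-MS 1.95> at scbus4 target 0 lun 1 (da1,pass3)
<SMSC 223 U HS-SM 1.95> at scbus4 target 0 lun 2 (da2,pass4)
<SMSC 223 U HS-SD/MMC 1.95> at scbus4 target 0 lun 3 (da3,pass5)
EOF
}

echo "# booted with the card reader attached"
devlist_boot | rules_for_model 'HL-DT-ST' cdrom
echo "# card reader attached after boot"
devlist_hotplug | rules_for_model 'HL-DT-ST' cdrom
```

On a live system the input would be `camcontrol devlist` itself, and the rules have to be regenerated whenever a device attaches, since that is when the numbering moves. Access to a pass device still means trusting the user who receives it, as the message says.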
    
    

