From owner-freebsd-stable@FreeBSD.ORG Sun Nov 20 16:37:40 2005 Return-Path: X-Original-To: stable@freebsd.org Delivered-To: freebsd-stable@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 04A3116A41F for ; Sun, 20 Nov 2005 16:37:40 +0000 (GMT) (envelope-from hk@alogis.com) Received: from alogis.com (firewall.solit-ag.de [212.184.102.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B3CE43D49 for ; Sun, 20 Nov 2005 16:37:38 +0000 (GMT) (envelope-from hk@alogis.com) Received: from alogis.com (localhost [127.0.0.1]) by alogis.com (8.13.1/8.13.1) with ESMTP id jAKGbaFc039708; Sun, 20 Nov 2005 17:37:36 +0100 (CET) (envelope-from hk@alogis.com) Received: (from hk@localhost) by alogis.com (8.13.1/8.13.1/Submit) id jAKGba9w039707; Sun, 20 Nov 2005 17:37:36 +0100 (CET) (envelope-from hk) Date: Sun, 20 Nov 2005 17:37:36 +0100 From: Holger Kipp To: Roland Smith Message-ID: <20051120163736.GA39037@intserv.int1.b.intern> References: <20051120131624.GB35164@intserv.int1.b.intern> <20051120140422.GA26681@slackbox.xs4all.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20051120140422.GA26681@slackbox.xs4all.nl> User-Agent: Mutt/1.4.2.1i Cc: stable@freebsd.org Subject: Re: FBSD-6 usb/scanner-access-rights X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2005 16:37:40 -0000 Dear Roland, thank you very much for your answer. On Sun, Nov 20, 2005 at 03:04:22PM +0100, Roland Smith wrote: > On Sun, Nov 20, 2005 at 02:16:24PM +0100, Holger Kipp wrote: > > > > Is there an easy way to name the devices a user might > > be allowed to access rw, without compromising the system? > > I don't want to give operator group to these users, > > and I don't want to blindly allow access to some > > da- or pass-devices where I cannot determine the order > > of numbering easily. > > One thing you could do is make the groups usb and cdrom and make them > the groups owning the relevant devices, e.g. by putting the following in > /etc/devfs.rules: > > add path 'da*s*' mode 0660 group usb > add path 'uscanner*' mode 0660 group usb ah, I had the entry "add path 'uscanner*' mode 0660 group usb" missing in the devfs.rules-file but this still does not help... uscanner0 is here: uscanner0: EPSON EPSON Scanner, rev 1.10/1.00, addr 2 sane-find-scanner has the following to say: found USB scanner (UNKNOWN vendor and product) at device /dev/uscanner0 only if I also issue # chown root:usb /dev/usb0 # chown root:usb /dev/usb1 # chown root:usb /dev/usb2 it will return found USB scanner (vendor=0x04b8, product=0x011d) at /dev/uscanner0 this is not good either, because attaching the scanner to a different device means I have to change this for all /dev/usb*, effectively allowing read/write to all usb devices. I wonder why I have to allow access to all devices from 0 to 2. Attaching to a different hub(*): uscanner0: at uhub2 port 2 (addr 2) disconnected uscanner0: detached uscanner0: EPSON EPSON Scanner, rev 1.10/1.00, addr 2 -> I also have to chgrp usb /dev/usb3 so all /dev/usb up to the corresponding /dev/usb where the scanner is attached are needed. Strange! (*) detaching gives: uscanner0: at uhub3 port 1 (addr 2) disconnected uscanner0: detached > The ownership for the CD-ROM devices should be set in /etc/devfs.conf: > > # Give members of group cdrom access to the CD/DVD-ROM and DVD+RW via the > # SCSI interface > own xpt0 root:cdrom > perm xpt0 0660 > > own cd0 root:cdrom > perm cd0 0660 > link cd0 cdrom > link cd0 dvd > > own pass0 root:cdrom > perm pass0 0660 > > own cd1 root:cdrom > perm cd1 0660 > > own pass1 root:cdrom > perm pass1 0660 > > The user that must be able to use the CD-ROMs and scanner must be a > member of the appropriate group. > Yes, but there is a problem with numbering of pass-devices: with card-reader attached during boot, I have: at scbus0 target 0 lun 0 (da0,pass0) at scbus0 target 0 lun 1 (da1,pass1) at scbus0 target 0 lun 2 (da2,pass2) at scbus0 target 0 lun 3 (da3,pass3) at scbus2 target 0 lun 0 (pass4,cd0) at scbus2 target 1 lun 0 (pass5,cd1) attaching card-reader afterwards gives different numbering: after boot: katrin# camcontrol devlist at scbus1 target 0 lun 0 (cd1,pass1) at scbus1 target 1 lun 0 (cd0,pass0) after attaching cardreader: katrin# camcontrol devlist at scbus1 target 0 lun 0 (cd1,pass1) at scbus1 target 1 lun 0 (cd0,pass0) at scbus4 target 0 lun 0 (da0,pass2) at scbus4 target 0 lun 1 (da1,pass3) at scbus4 target 0 lun 2 (da2,pass4) at scbus4 target 0 lun 3 (da3,pass5) so allowing access to cd0/cd1 and corresponding pass0 and pass1 will break if computer is booted with usb-cardreader attached. not good. And: allowing specific users access to xpt might also not be a very good idea according to the man-page: Since the xpt driver allows direct access to the CAM subsystem, system administrators should exercise caution when granting access to this driver. If used improperly, this driver can allow userland applications to crash a machine or cause data loss. > If that is not fine-grained enough, maybe ACLs might help. See setfacl(1). so we currently have: - rights needed not only for the device itself, but also for the bus and or control devices (pass, usb, xpt0) - dynamic numbering (pass). I agree that usb is a nightmare and should never have happened. Regards, Holger Kipp