From owner-freebsd-questions@FreeBSD.ORG  Thu Aug 20 22:28:11 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BB91F106568B
	for <freebsd-questions@freebsd.org>;
	Thu, 20 Aug 2009 22:28:11 +0000 (UTC) (envelope-from ml@infosec.pl)
Received: from v027580.home.net.pl (v027580.home.net.pl [89.161.156.148])
	by mx1.freebsd.org (Postfix) with SMTP id 11AB48FC57
	for <freebsd-questions@freebsd.org>;
	Thu, 20 Aug 2009 22:28:10 +0000 (UTC)
Received: from localhost (HELO ?192.168.1.66?) (ml.freeside@home@127.0.0.1)
	by m094.home.net.pl with SMTP; Thu, 20 Aug 2009 22:28:16 -0000
Message-ID: <4A8DDBDE.10409@infosec.pl>
Date: Thu, 20 Aug 2009 23:27:26 +0000
From: Michal <ml@infosec.pl>
User-Agent: Thunderbird 2.0.0.22 (X11/20090729)
MIME-Version: 1.0
To: Roland Smith <rsmith@xs4all.nl>
References: <4A8DA9FD.6080904@infosec.pl>
	<20090820213722.GB3586@slackbox.xs4all.nl>
In-Reply-To: <20090820213722.GB3586@slackbox.xs4all.nl>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-questions@freebsd.org
Subject: Re: digital camera and devd
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2009 22:28:11 -0000

Roland Smith wrote:
> 
> I'm not exactly sure what you are trying to achieve here. But here is my
> €0,02:
> 
> Create a group called 'usb'. Make every user that you want to be able to use
> usb devices a member of this group. Next, add the following rules to your
> active ruleset in /etc/devfs.rules:
> 
> add path 'da*' mode 0660 group usb
> add path 'msdosfs/*' mode 0660 group usb
> add path 'uscanner*' mode 0660 group usb
> add path 'usb*' mode 0660 group usb
> add path 'ugen*' mode 0660 group usb
> 

And that is pretty much what I'm doing with two differences:
1. I'm using user name instead of designated group.
2. Following principle of least privilege I don't want to give him 
(which just happens to be myself) rights to anything other than my 
digital camera. Only this specific camera should trigger changes in 
ownership/rights of camera-related device nodes.

I know it looks a bit anal at first glance but it is not ;)
Michal
-- 
"Let him who desires peace prepare for war." -Flavius Vegetius Renatus