FBSD-6 usb/scanner-access-rights
Hello, I am slightly unsatisfied with user rights management, especially with usb-devices, but also with access to cd/dvd-burners for the following reason: I'd like to be able to allow access to burners that are accessed as scsi-devices (via atapicam) for some users, but for that to work it is not sufficient to allow access via cd0/cd1, but I also have to allow the corresponding passx-devices. For usb-scanner it is even worse. If I allow access to uscanner0, this does not work unless I also allow the corresponding /dev/usbx-device. umassx is also accessed as dax-device and also therefore needs some da-devices to be allowed rw-access for 'ordinary' users. I don't relly like to allow direct access to the related devices (dax, passy - especially if the system is using scsi-disks). Is there an easy way to name the devices a user might be allowed to access rw, without compromising the system? I don't want to give operator group to these users, and I don't want to blindly allow access to some da- or pass-devices where I cannot determine the order of numbering easily. I hope this does not sound ignorant. Pointers to helpful information are also welcome :-) Regards, Holger Kipp ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: FBSD-6 usb/scanner-access-rights
On Sun, Nov 20, 2005 at 02:16:24PM +0100, Holger Kipp wrote: Is there an easy way to name the devices a user might be allowed to access rw, without compromising the system? I don't want to give operator group to these users, and I don't want to blindly allow access to some da- or pass-devices where I cannot determine the order of numbering easily. One thing you could do is make the groups usb and cdrom and make them the groups owning the relevant devices, e.g. by putting the following in /etc/devfs.rules: add path 'da*s*' mode 0660 group usb add path 'uscanner*' mode 0660 group usb The ownership for the CD-ROM devices should be set in /etc/devfs.conf: # Give members of group cdrom access to the CD/DVD-ROM and DVD+RW via the # SCSI interface own xpt0root:cdrom permxpt00660 own cd0 root:cdrom permcd0 0660 linkcd0 cdrom linkcd0 dvd own pass0 root:cdrom permpass0 0660 own cd1 root:cdrom permcd1 0660 own pass1 root:cdrom permpass1 0660 The user that must be able to use the CD-ROMs and scanner must be a member of the appropriate group. If that is not fine-grained enough, maybe ACLs might help. See setfacl(1). Roland -- R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text. public key: http://www.xs4all.nl/~rsmith/pubkey.txt pgpx5NlZ2BPe3.pgp Description: PGP signature
Re: FBSD-6 usb/scanner-access-rights
Dear Roland, thank you very much for your answer. On Sun, Nov 20, 2005 at 03:04:22PM +0100, Roland Smith wrote: On Sun, Nov 20, 2005 at 02:16:24PM +0100, Holger Kipp wrote: Is there an easy way to name the devices a user might be allowed to access rw, without compromising the system? I don't want to give operator group to these users, and I don't want to blindly allow access to some da- or pass-devices where I cannot determine the order of numbering easily. One thing you could do is make the groups usb and cdrom and make them the groups owning the relevant devices, e.g. by putting the following in /etc/devfs.rules: add path 'da*s*' mode 0660 group usb add path 'uscanner*' mode 0660 group usb ah, I had the entry add path 'uscanner*' mode 0660 group usb missing in the devfs.rules-file but this still does not help... uscanner0 is here: uscanner0: EPSON EPSON Scanner, rev 1.10/1.00, addr 2 sane-find-scanner has the following to say: found USB scanner (UNKNOWN vendor and product) at device /dev/uscanner0 only if I also issue # chown root:usb /dev/usb0 # chown root:usb /dev/usb1 # chown root:usb /dev/usb2 it will return found USB scanner (vendor=0x04b8, product=0x011d) at /dev/uscanner0 this is not good either, because attaching the scanner to a different device means I have to change this for all /dev/usb*, effectively allowing read/write to all usb devices. I wonder why I have to allow access to all devices from 0 to 2. Attaching to a different hub(*): uscanner0: at uhub2 port 2 (addr 2) disconnected uscanner0: detached uscanner0: EPSON EPSON Scanner, rev 1.10/1.00, addr 2 - I also have to chgrp usb /dev/usb3 so all /dev/usbx up to the corresponding /dev/usby where the scanner is attached are needed. Strange! (*) detaching gives: uscanner0: at uhub3 port 1 (addr 2) disconnected uscanner0: detached The ownership for the CD-ROM devices should be set in /etc/devfs.conf: # Give members of group cdrom access to the CD/DVD-ROM and DVD+RW via the # SCSI interface own xpt0root:cdrom permxpt00660 own cd0 root:cdrom permcd0 0660 linkcd0 cdrom linkcd0 dvd own pass0 root:cdrom permpass0 0660 own cd1 root:cdrom permcd1 0660 own pass1 root:cdrom permpass1 0660 The user that must be able to use the CD-ROMs and scanner must be a member of the appropriate group. Yes, but there is a problem with numbering of pass-devices: with card-reader attached during boot, I have: SMSC 223 U HS-CF 1.95at scbus0 target 0 lun 0 (da0,pass0) SMSC 223 U HS-MS 1.95at scbus0 target 0 lun 1 (da1,pass1) SMSC 223 U HS-SM 1.95at scbus0 target 0 lun 2 (da2,pass2) SMSC 223 U HS-SD/MMC 1.95at scbus0 target 0 lun 3 (da3,pass3) HL-DT-ST DVDRAM GSA-4163B A102 at scbus2 target 0 lun 0 (pass4,cd0) HL-DT-ST RW/DVD GCC-4120B 2.01 at scbus2 target 1 lun 0 (pass5,cd1) attaching card-reader afterwards gives different numbering: after boot: katrin# camcontrol devlist HL-DT-ST DVDRAM GSA-4163B A102 at scbus1 target 0 lun 0 (cd1,pass1) HL-DT-ST RW/DVD GCC-4120B 2.01 at scbus1 target 1 lun 0 (cd0,pass0) after attaching cardreader: katrin# camcontrol devlist HL-DT-ST DVDRAM GSA-4163B A102 at scbus1 target 0 lun 0 (cd1,pass1) HL-DT-ST RW/DVD GCC-4120B 2.01 at scbus1 target 1 lun 0 (cd0,pass0) SMSC 223 U HS-CF 1.95at scbus4 target 0 lun 0 (da0,pass2) SMSC 223 U HS-MS 1.95at scbus4 target 0 lun 1 (da1,pass3) SMSC 223 U HS-SM 1.95at scbus4 target 0 lun 2 (da2,pass4) SMSC 223 U HS-SD/MMC 1.95at scbus4 target 0 lun 3 (da3,pass5) so allowing access to cd0/cd1 and corresponding pass0 and pass1 will break if computer is booted with usb-cardreader attached. not good. And: allowing specific users access to xpt might also not be a very good idea according to the man-page: Since the xpt driver allows direct access to the CAM subsystem, system administrators should exercise caution when granting access to this driver. If used improperly, this driver can allow userland applications to crash a machine or cause data loss. If that is not fine-grained enough, maybe ACLs might help. See setfacl(1). so we currently have: - rights needed not only for the device itself, but also for the bus and or control devices (passx, usbx, xpt0) - dynamic numbering (passx). I agree that usb is a nightmare and should never have happened. Regards, Holger Kipp ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: FBSD-6 usb/scanner-access-rights
On Sun, Nov 20, 2005 at 05:37:36PM +0100, Holger Kipp wrote: Dear Roland, thank you very much for your answer. On Sun, Nov 20, 2005 at 03:04:22PM +0100, Roland Smith wrote: On Sun, Nov 20, 2005 at 02:16:24PM +0100, Holger Kipp wrote: Is there an easy way to name the devices a user might be allowed to access rw, without compromising the system? I don't want to give operator group to these users, and I don't want to blindly allow access to some da- or pass-devices where I cannot determine the order of numbering easily. One thing you could do is make the groups usb and cdrom and make them the groups owning the relevant devices, e.g. by putting the following in /etc/devfs.rules: add path 'da*s*' mode 0660 group usb add path 'uscanner*' mode 0660 group usb ah, I had the entry add path 'uscanner*' mode 0660 group usb missing in the devfs.rules-file but this still does not help... uscanner0 is here: uscanner0: EPSON EPSON Scanner, rev 1.10/1.00, addr 2 sane-find-scanner has the following to say: found USB scanner (UNKNOWN vendor and product) at device /dev/uscanner0 Doesn't matter that you get UNKNOWN. It _will_ work with sane without access to /dev/usb*. It does here. snip Yes, but there is a problem with numbering of pass-devices: with card-reader attached during boot, I have: SMSC 223 U HS-CF 1.95at scbus0 target 0 lun 0 (da0,pass0) SMSC 223 U HS-MS 1.95at scbus0 target 0 lun 1 (da1,pass1) SMSC 223 U HS-SM 1.95at scbus0 target 0 lun 2 (da2,pass2) SMSC 223 U HS-SD/MMC 1.95at scbus0 target 0 lun 3 (da3,pass3) HL-DT-ST DVDRAM GSA-4163B A102 at scbus2 target 0 lun 0 (pass4,cd0) HL-DT-ST RW/DVD GCC-4120B 2.01 at scbus2 target 1 lun 0 (pass5,cd1) attaching card-reader afterwards gives different numbering: after boot: katrin# camcontrol devlist HL-DT-ST DVDRAM GSA-4163B A102 at scbus1 target 0 lun 0 (cd1,pass1) HL-DT-ST RW/DVD GCC-4120B 2.01 at scbus1 target 1 lun 0 (cd0,pass0) after attaching cardreader: katrin# camcontrol devlist HL-DT-ST DVDRAM GSA-4163B A102 at scbus1 target 0 lun 0 (cd1,pass1) HL-DT-ST RW/DVD GCC-4120B 2.01 at scbus1 target 1 lun 0 (cd0,pass0) SMSC 223 U HS-CF 1.95at scbus4 target 0 lun 0 (da0,pass2) SMSC 223 U HS-MS 1.95at scbus4 target 0 lun 1 (da1,pass3) SMSC 223 U HS-SM 1.95at scbus4 target 0 lun 2 (da2,pass4) SMSC 223 U HS-SD/MMC 1.95at scbus4 target 0 lun 3 (da3,pass5) so allowing access to cd0/cd1 and corresponding pass0 and pass1 will break if computer is booted with usb-cardreader attached. not good. It was an example. I don't have many usb devices, so it works for me. :-) If that is not fine-grained enough, maybe ACLs might help. See setfacl(1). so we currently have: - rights needed not only for the device itself, but also for the bus and or control devices (passx, usbx, xpt0) Yes, but ACL give fine-grained access control. And no matter how you look at it, you _have_ to trust the person whom you give access to the pass devices. It's in the FreeBSD architecture. - dynamic numbering (passx). I agree that usb is a nightmare and should never have happened. :-) For disc devices, you could use GEOM_LABEL. That'll give you consistent /dev/label/ names. Roland -- R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text. public key: http://www.xs4all.nl/~rsmith/pubkey.txt pgpr0N6RwiSpt.pgp Description: PGP signature
Re: FBSD-6 usb/scanner-access-rights
On Sun, Nov 20, 2005 at 06:47:54PM +0100, Roland Smith wrote: On Sun, Nov 20, 2005 at 05:37:36PM +0100, Holger Kipp wrote: Dear Roland, Is there an easy way to name the devices a user might be allowed to access rw, without compromising the system? I don't want to give operator group to these users, and I don't want to blindly allow access to some da- or pass-devices where I cannot determine the order of numbering easily. ah, I had the entry add path 'uscanner*' mode 0660 group usb missing in the devfs.rules-file but this still does not help... uscanner0 is here: uscanner0: EPSON EPSON Scanner, rev 1.10/1.00, addr 2 sane-find-scanner has the following to say: found USB scanner (UNKNOWN vendor and product) at device /dev/uscanner0 Doesn't matter that you get UNKNOWN. It _will_ work with sane without access to /dev/usb*. It does here. This is an Epson Perfection 1260. Don't ask what the 'Perfection' stands for. Anyway, this is in fact a Plustek, so I have to add the following to /usr/local/etc/sane.d/plustek.conf: -[usb] +[usb] 0x04B8 0x011D +device /dev/uscanner0 I need vendor and product id to get this working. Without getting this info, eg scanimage -L will complain that it couldn't find a scanner, etc. only with /dev/usb* set to root:usb, I will get %scanimage -L device `plustek:/dev/uscanner0' is a Epson Perfection 1260/Photo USB flatbed scanner Regards, Holger Kipp ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: FBSD-6 usb/scanner-access-rights
On Sun, Nov 20, 2005 at 07:26:38PM +0100, Holger Kipp wrote: Doesn't matter that you get UNKNOWN. It _will_ work with sane without access to /dev/usb*. It does here. This is an Epson Perfection 1260. Don't ask what the 'Perfection' stands for. Anyway, this is in fact a Plustek, so I have to add the following to /usr/local/etc/sane.d/plustek.conf: -[usb] +[usb] 0x04B8 0x011D +device /dev/uscanner0 My Epson Perfection 1650 only needs the last line in epson.conf to work with the xsane gimp plug-in. No vendor or device IDs necessary. I don't use scanimage. Try copying plustek.conf to epson.conf, and adding epson to dll.conf. The permissions on the uscanner device are 660 for root:usb. The /dev/usb devices are 660 for root:operator. My user-id is not in the operator group. Roland -- R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text. public key: http://www.xs4all.nl/~rsmith/pubkey.txt pgpv61ZBfa5PW.pgp Description: PGP signature
