Give a specific user permissions to a device without giving access to other users
There are multiple ways of accomplishing this.
For example, on my system:
First you need to find a way to identify the device. You use
The
Note: It is important to remember that when writing udev rules, you can only use parameters from the top device, and one other device in the chain. Thus I can use the
Another note: (since the system requires more than 6 characters for an edit and I don’t have reputation to add a comment) udev matching must use the equality operator (
1. Add your user to the group that owns the device
Generally in most distros, block devices are owned by a specific group. All you need to do is add your user to that group.For example, on my system:
# ls -l /dev/sdb
brw-rw---- 1 root disk 8, 16 2014/07/07-21:32:25 /dev/sdb
disk group.# usermod -a -G disk patrick
2. Change the permissions of the device
The idea is to create a udev rule to run a command when the device is detected.First you need to find a way to identify the device. You use
udevadm for this. For example:# udevadm info -a -n /dev/sdb
Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.
looking at device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0/host6/target6:0:0/6:0:0:0/block/sdb':
KERNEL=="sdb"
SUBSYSTEM=="block"
DRIVER==""
ATTR{ro}=="0"
ATTR{size}=="31116288"
ATTR{stat}==" 279 219 3984 1182 0 0 0 0 0 391 1182"
ATTR{range}=="16"
ATTR{discard_alignment}=="0"
ATTR{events}=="media_change"
ATTR{ext_range}=="256"
ATTR{events_poll_msecs}=="-1"
ATTR{alignment_offset}=="0"
ATTR{inflight}==" 0 0"
ATTR{removable}=="1"
ATTR{capability}=="51"
ATTR{events_async}==""
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0/host6/target6:0:0/6:0:0:0':
KERNELS=="6:0:0:0"
SUBSYSTEMS=="scsi"
DRIVERS=="sd"
ATTRS{rev}=="0207"
ATTRS{type}=="0"
ATTRS{scsi_level}=="0"
ATTRS{model}=="STORAGE DEVICE "
ATTRS{state}=="running"
ATTRS{queue_type}=="none"
ATTRS{iodone_cnt}=="0x184"
ATTRS{iorequest_cnt}=="0x184"
ATTRS{device_busy}=="0"
ATTRS{evt_capacity_change_reported}=="0"
ATTRS{timeout}=="30"
ATTRS{evt_media_change}=="0"
ATTRS{max_sectors}=="240"
ATTRS{ioerr_cnt}=="0x2"
ATTRS{queue_depth}=="1"
ATTRS{vendor}=="Generic "
ATTRS{evt_soft_threshold_reached}=="0"
ATTRS{device_blocked}=="0"
ATTRS{evt_mode_parameter_change_reported}=="0"
ATTRS{evt_lun_change_reported}=="0"
ATTRS{evt_inquiry_change_reported}=="0"
ATTRS{iocounterbits}=="32"
ATTRS{eh_timeout}=="10"
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0/host6/target6:0:0':
KERNELS=="target6:0:0"
SUBSYSTEMS=="scsi"
DRIVERS==""
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0/host6':
KERNELS=="host6"
SUBSYSTEMS=="scsi"
DRIVERS==""
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0':
KERNELS=="1-1.3:1.0"
SUBSYSTEMS=="usb"
DRIVERS=="usb-storage"
ATTRS{bInterfaceClass}=="08"
ATTRS{bInterfaceSubClass}=="06"
ATTRS{bInterfaceProtocol}=="50"
ATTRS{bNumEndpoints}=="02"
ATTRS{supports_autosuspend}=="1"
ATTRS{bAlternateSetting}==" 0"
ATTRS{bInterfaceNumber}=="00"
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3':
KERNELS=="1-1.3"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bDeviceProtocol}=="00"
ATTRS{devpath}=="1.3"
ATTRS{idVendor}=="05e3"
ATTRS{speed}=="480"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bConfigurationValue}=="1"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{busnum}=="1"
ATTRS{devnum}=="5"
ATTRS{configuration}==""
ATTRS{bMaxPower}=="500mA"
ATTRS{authorized}=="1"
ATTRS{bmAttributes}=="80"
ATTRS{bNumConfigurations}=="1"
ATTRS{maxchild}=="0"
ATTRS{bcdDevice}=="0207"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{quirks}=="0x0"
ATTRS{serial}=="000000000207"
ATTRS{version}==" 2.00"
ATTRS{urbnum}=="1115"
ATTRS{ltm_capable}=="no"
ATTRS{manufacturer}=="Generic"
ATTRS{removable}=="unknown"
ATTRS{idProduct}=="0727"
ATTRS{bDeviceClass}=="00"
ATTRS{product}=="USB Storage"
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1':
KERNELS=="1-1"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bDeviceProtocol}=="01"
ATTRS{devpath}=="1"
ATTRS{idVendor}=="8087"
ATTRS{speed}=="480"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bConfigurationValue}=="1"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{busnum}=="1"
ATTRS{devnum}=="2"
ATTRS{configuration}==""
ATTRS{bMaxPower}=="0mA"
ATTRS{authorized}=="1"
ATTRS{bmAttributes}=="e0"
ATTRS{bNumConfigurations}=="1"
ATTRS{maxchild}=="6"
ATTRS{bcdDevice}=="0000"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{quirks}=="0x0"
ATTRS{version}==" 2.00"
ATTRS{urbnum}=="61"
ATTRS{ltm_capable}=="no"
ATTRS{removable}=="unknown"
ATTRS{idProduct}=="0024"
ATTRS{bDeviceClass}=="09"
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1':
KERNELS=="usb1"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bDeviceProtocol}=="00"
ATTRS{devpath}=="0"
ATTRS{idVendor}=="1d6b"
ATTRS{speed}=="480"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bConfigurationValue}=="1"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{authorized_default}=="1"
ATTRS{busnum}=="1"
ATTRS{devnum}=="1"
ATTRS{configuration}==""
ATTRS{bMaxPower}=="0mA"
ATTRS{authorized}=="1"
ATTRS{bmAttributes}=="e0"
ATTRS{bNumConfigurations}=="1"
ATTRS{maxchild}=="3"
ATTRS{bcdDevice}=="0313"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{quirks}=="0x0"
ATTRS{serial}=="0000:00:1d.0"
ATTRS{version}==" 2.00"
ATTRS{urbnum}=="26"
ATTRS{ltm_capable}=="no"
ATTRS{manufacturer}=="Linux 3.13.6-gentoo ehci_hcd"
ATTRS{removable}=="unknown"
ATTRS{idProduct}=="0002"
ATTRS{bDeviceClass}=="09"
ATTRS{product}=="EHCI Host Controller"
looking at parent device '/devices/pci0000:00/0000:00:1d.0':
KERNELS=="0000:00:1d.0"
SUBSYSTEMS=="pci"
DRIVERS=="ehci-pci"
ATTRS{irq}=="23"
ATTRS{subsystem_vendor}=="0x144d"
ATTRS{broken_parity_status}=="0"
ATTRS{class}=="0x0c0320"
ATTRS{companion}==""
ATTRS{enabled}=="1"
ATTRS{consistent_dma_mask_bits}=="32"
ATTRS{dma_mask_bits}=="32"
ATTRS{local_cpus}=="0f"
ATTRS{device}=="0x1e26"
ATTRS{uframe_periodic_max}=="100"
ATTRS{msi_bus}==""
ATTRS{local_cpulist}=="0-3"
ATTRS{vendor}=="0x8086"
ATTRS{subsystem_device}=="0xc0d3"
ATTRS{numa_node}=="-1"
ATTRS{d3cold_allowed}=="1"
looking at parent device '/devices/pci0000:00':
KERNELS=="pci0000:00"
SUBSYSTEMS==""
DRIVERS==""
/etc/udev/rules.d, such as 99-cardreader.rules:SUBSYSTEM=="block", ATTRS{idProduct}=="0727", ATTRS{serial}=="000000000207", ACTION=="add", RUN+="/bin/chmod 777 /dev/$name"
udevadm info command to find some identifying information for the device. I used the SUBSYSTEM="block" entry for the very first entry, and then the ATTRS
values from the 6th entry. This will basically find the USB device with
that product & serial number, and then find the block device that
results from that USB device.The
RUN command will change the permissions on the device to 777.
However I don't consider this a very good solution as this opens the
device up to the world. Instead a better solution might be:SUBSYSTEM=="block", ATTRS{idProduct}=="0727", ATTRS{serial}=="000000000207", ACTION=="add", RUN+="/bin/setfacl -m u:patrick:rw- /dev/$name"
patrick read/write access to the device.Note: It is important to remember that when writing udev rules, you can only use parameters from the top device, and one other device in the chain. Thus I can use the
SUBSYSTEM="block" parameter, and the ATTRS parameters. But I could not use any parameters from any other device in the chain, or the rule would fail to match.Another note: (since the system requires more than 6 characters for an edit and I don’t have reputation to add a comment) udev matching must use the equality operator (
==), not assignment (=)! This answer previously had SUBSYSTEM="block" which does not work (invalid SUBSYSTEM operation).
Комментарии
Отправить комментарий