Other devfs.conf and devfs.rules: how to configure generic user to see a usb drive read only

Hello guys !

PROBLEM.
Plugging a usb pen drive into PC, I want:
1 - the generic user Imaging has absolute control of it
2 – Imaging and only Imaging user can read the device

SOLUTION PROPOSAL.
1 – Add the user Imaging (following the adduser instructions in the FreeBSD Handbook)
2 – configure /etc/devfs.conf in this way:
own da* Imaging:Imaging
perm da* 400
3 – configure /etc/defaults/devfs.rules in this way:
[devfsrules_imaging_usb=8]
add path da* user Imaging
add path da* mode 400
4 – I’m not interesting to enable this behavior at boot, so I don’t update /etc/rc.conf with the rule: devfs_system_rulesets="devfsrules_usb"

QUESTIONS.
So doing, every time I plug in a usb drive, I would want to see:

Imaging@maia:/ % ls -lag /dev/da4
cr-------- 1 Imaging (no-group here) 0xe9 .......

Please, can you tell me if is it correct ?

Where am I wrong ?

Thanks in advance.

Note - this post follows the previous one: [FONT=Arial]root [/FONT][FONT=Arial]and non-root users: what the differences.[/FONT]
 
Looks like you have a user Imaging, but you don't have a group. Check the file /etc/group. You clearly are stating that da* shall be used by user Imaging and group Imaging, but ls doesn't display this.

Are you 100% sure it is a good idea to have a mixed-case username (Imaging with a capital I)? That's not illegal, but it is a bit hard to type.

And are you 100% sure it is a good idea to have this user own *ALL* da devices? This applies to all USB storage things, not just pen drives. Maybe you should research how to apply this to just one specific USB device, with one specific serial number (I don't know how to do it, but it sounds like it would be a good idea).
 
Looks like you have a user Imaging, but you don't have a group. Check the file /etc/group. You clearly are stating that da* shall be used by user Imaging and group Imaging, but ls doesn't display this.

Really I want to make an absolute user without group: is it possible this in FreeBSD or not ?

Are you 100% sure it is a good idea to have a mixed-case username (Imaging with a capital I)? That's not illegal, but it is a bit hard to type.

Ok .... imaging is a good tip.

And are you 100% sure it is a good idea to have this user own *ALL* da devices? This applies to all USB storage things, not just pen drives. Maybe you should research how to apply this to just one specific USB device, with one specific serial number (I don't know how to do it, but it sounds like it would be a good idea).

Effectively here your question is correct. I'd like to configure /etc/devfs.conf and /etc/defaults/devfs.rules only for some usb port. But I cannot use the knowledge of the serial number (that is I cannot see every time the serial number of a usb drive and configura every time the devfs file .... it is much expensive in time).

Tips are welcome.
 
Sir,

why "Never edit or change any of the files in /etc/defaults/*." .... My devfs.rules is in /etc/defaults .... and I modified it. Or maybe I need to cp it in /etc before add new lines ?
 
Hello,

I'm sorry, your question confuses me a little. You want the Imaging user to have absolute control over da* devices and only Imaging user to have read access to them. Since having a read access is part of an absolute control, I'm guessing what matters to you is that no other users have any kind of access to these devices, am I correct? All other possible combinations don't really make much sense to me.

If the Imaging user is to have absolute control over da* devices, then permissions on these devices shouldn't be 400, but 600, otherwise the Imaging user won't be able to write anything to the device in question.

You say that you want to see:
vince66 said:
cr-------- 1 Imaging (no-group here) 0xe9 .......
but that collides with your devfs.conf rules, where you state you want da* devices to be owned by user Imaging and group Imaging. Yet there is apparently no such group. Also, the Imaging user only has read permission, as stated earlier. If you don't want to specify any group, I suggest you use the 'nogroup' group:
Code:
own  da* Imaging:nogroup
perm da* 0600

Similarly to that, I suggest you adjust you devfs.rules content to:
Code:
[devfsrules_imaging_usb=8]
add path 'da*' user Imaging group nogroup mode 0600
if you ever want to make it the default behavior. However, without adding devfs_system_ruleset="devfsrules_imaging_usb" into rc.conf (and restarting devfs after you do so) only the rules in devfs.conf will apply, so only devices connected at boot will be affected.

Hope this was of some help :).

Cheers.
 
vince66 said:
...why "Never edit or change any of the files in /etc/defaults/*." .... My devfs.rules is in /etc/defaults .... and I modified it. Or maybe I need to cp it in /etc before add new lines ?
You really shouldn't do that. Instead, create /etc/devfs.rules (doesn't exist by default) and make your changes there.
From devfs.rules():
Code:
/etc/defaults/devfs.rules       Default devfs.rules configuration file.
/etc/devfs.rules                Local devfs.rules configuration file.
                                Rulesetsin hereoverride those in
                                /etc/defaults/devfs.rules with the same
                                ruleset number, otherwise the two files
                                are effectively merged.
 
why "Never edit or change any of the files in /etc/defaults/*." .... My devfs.rules is in /etc/defaults .... and I modified it. Or maybe I need to cp it in /etc before add new lines ?
The main problem is that these are system files, so with every upgrade of your OS they will most likely get overwritten. After that any custom changes would be lost.

Another issue is the loss of reference material. This obviously doesn't apply all the time but if you need to check the default behavior for another server you'd check the default file. Or if something misbehaves you can always go back to the default by removing the override. Something which is obviously not possible if you changed things in there.
 
Back
Top