Permissions for usb devices

[lfm]

Hi

I ran into some issues with the internal USB camera not being recognized by a regular user .

It turned out that is a matter of permissions. If the user is not part of the "operator" group, we can not access to it. If we add the regular user to "operator", then it's fine, but don't think everyone should be part of that group.

Thank you!

lfm@beastie /home/lfm $ ls -l /dev/ugen0.*
lrw-rw----  1 root operator 9 Nov 20 13:00 /dev/ugen0.1 -> usb/0.1.0
lrw-rw----  1 root operator 9 Nov 20 13:00 /dev/ugen0.2 -> usb/0.2.0
lfm@beastie /home/lfm $ ls -l /dev/usb
total 0
crw-rw----  1 root operator 0x32 Nov 20 13:00 0.1.0
crw-rw----  1 root operator 0x44 Nov 20 13:00 0.1.1
crw-rw----  1 root operator 0x85 Nov 20 13:00 0.2.0
crw-rw----  1 root operator 0x87 Nov 20 13:00 0.2.1
crw-rw----  1 root operator 0x88 Nov 20 13:00 0.2.7
lfm@beastie /home/lfm $

 

[SirDice]

The 'operator' group is for this type of user. It's someone that 'operates' the computer. Members of the operator group can also use shutdown(8) without having to resort to su(1) or sudo(8).

 

[mer]

One can also create a devd config file over in /usr/local/etc/devd to modify permissions. Here's a sample that tweaks things for a Nikon D610 when it's plugged in so I can use darktable to pull images from it. Obviously you can set the values you need for vendor, product and arguments to chgrp and chmod.

notify 100 {
       match "vendor" "0x04B0";
       match "product" "0x0434";
       action "chgrp wheel /dev/$cdev && chmod 660 /dev/$cdev";
};

 

[YYY__]

That seems like a good idea. Anyone may want to set special permission for something as sensitive as the camera.

 

[mer]

That seems like a good idea. Anyone may want to set special permission for something as sensitive as the camera.

Yep and actually, it's a good way to dip your toes into the whole devd subsystem

 

[SirDice]

I have something similar but for a joystick. You can use the same 'stanza' for all sorts of devices. I think 'operator' would be a better group than 'wheel' but that's my opinion. You could go nuts of course, and create a special 'camera' group and set the group and permissions for that.

dice@williscorto:~ % cat /usr/local/etc/devd/dashine.conf
notify 100 {
  match "system"        "USB";
  match "subsystem"     "INTERFACE";
  match "type"          "ATTACH";
  match "vendor"        "0x045e";
  match "product"       "0x028e";
  action "chgrp operator /dev/$cdev; chmod 660 /dev/$cdev";
};

 

[lfm]

Thank you for the replies! I forgot to mention that I ran into it on the pre-release of FreeBSD 14.0 . Don't remember running into this in 13.x,
I like the idea to have those device files under more specific -and restrictive- groups, (may be the existing "webcamd" ?). I also agree that for single user computers such as laptops, assigning "operator" group to the user sound like a good idea too.
I will play with devd. Thank you!

 

[YYY__]

You could go nuts of course, and create a special 'camera' group and set the group and permissions for that.

Isn't it the same for sane-backends?

freebsd-ports/graphics/sane-backends/files/pkg-message.in at main · freebsd/freebsd-ports

FreeBSD ports tree (read-only mirror). Contribute to freebsd/freebsd-ports development by creating an account on GitHub.

github.com

 

[mer]

CuatroTorres yep, you could/should do the same for sane backends.