Problems accessing USB devices with non-root user inside Jail

moellinger


#1
Hi,

I need to access a USB device with a non-root user within a jail. I had similar issues with FreeNAS and now installed a fresh FreeBSD 9.3.

When running usbconfig as root in the jail, I see all the USB devices connected.

The device required for my setup is:
Code:
ugen1.3: <KNX-USB Data Interface Gira Giersiepen GmbH  Co. KG> at usbus1, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (50mA)
This is a USB device connecting to a home automation system.

My permissions are as follows:
Code:
root@knx:/dev # ll ugen1.3
lrwxr-xr-x  1 root  wheel  9 Dec  8 10:19 ugen1.3@ -> usb/1.3.0
I've modified the devfs.rules:
Code:
root@knx:/dev # cat /etc/devfs.rules

[system=10]
add path 'usbctl' mode 660 group operator
add path 'usb/*' mode 660 group operator
add path 'ugen*' mode 0660 group operator
and rc.conf:
Code:
root@knx:/dev # cat /etc/rc.conf
devfs_system_ruleset="system"
If I'm now running usbconfig with user eib, I'm getting the following output:
Code:
root@knx:/dev # sudo -u eib usbconfig

No device match or lack of permissions.
I'm able to access the USB device as root without any issues but not with any other user. User eib has been added to the operator group.

Is there anything wrong with my devfs config?

Thanks.
Moellinger
 

sidetone


#2
Set /etc/sysctl.conf in your base system to
Code:
vfs.usermount=1
for non-root users to mount hardware. FAQ For FreeBSD - Chapter 8. Disks, File Systems, and Boot Loaders.

I'm guessing your device is showing inside the jail's /dev directory. If not: there should be another section in the base system devfs.rules that is used for your jails, similar to what you have for [system=10]. From inside the jail you may also want to check /etc/devfs.conf
 

LeoSum


#3
From inside the jail you may also want to check /etc/devfs.conf
What line should be in this file?

I am having a similar option where I can only access /dev/cuaU0 as a root user from within a jail, but not as non-root. Can you maybe share an example?
 

SirDice


#4
Jails have limited access to devices. See /etc/defaults/devfs.rules:
Code:
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
If you need to access a certain device from within a jail you'll need to unhide it. Similarly, you need to set the correct permissions to access /dev/cuau0 as a non-root user in the jail rules.
 

sidetone


#5
/etc/devfs.conf
Code:
own    /dev/cuaU0   root:operator
perm   /dev/cuaU0   0666
Permission 0660 usually works for me too.
 

LeoSum


#6
Thanks for looking into my problem, guys!
Unfortunately I still can't figure it out though.

This is where I am at now:

On the host machine:
vfs.usermount is 1:
Code:
[root@server] ~# sysctl vfs.usermount
vfs.usermount: 1
The last section in /etc/defaults/devfs.rules looks like this:
Code:
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path 'cuaU0' unhide
I am guessing that the unhiding worked, since I can access the device from inside the jail as root, right?

Inside the jail:

the /etc/devfs.conf looks like this:
Code:
own  /dev/cuaU0  root:operator
perm  /dev/cuaU0  0666
I made sure that the user fhem is member of the operator group:
Code:
pw usermod fhem -G wheel,operator,fhem
I also tried without the /dev/:
Code:
own  cuaU0  root:operator
perm  cuaU0  0666
and also to make fhem the owner:
Code:
own  cuaU0  fhem:fhem
perm  cuaU0  0666
but these all don't work. What am I missing? Of course I restarted the jail every time.

I read something about changing this entry in /etc/rc.conf inside the jail:
Code:
devfs_system_ruleset="devfsrules_common"
But I wouldn't know what to change it to.
 

LeoSum


#8
Code:
root@fhem:/usr/home/fhem # ls -l /dev/cuaU*
crw-rw----  1 uucp  dialer  0x9b Dec 15 19:12 /dev/cuaU0
crw-rw----  1 uucp  dialer  0x9c Dec 14 22:26 /dev/cuaU0.init
crw-rw----  1 uucp  dialer  0x9d Dec 14 22:26 /dev/cuaU0.lock
 

SirDice


#9
Never edit the files in /etc/defaults/. They'll be overwritten with the next update of the system. Copy the bit you want to change to /etc/devfs.rules and make your changes there.
 

LeoSum


#10
Thanks for the hint! Didn't know that and will change that tonight.

But that can't be the reason for it not working right now, as the root user has access from within the jail, right?
 

LeoSum


#11
Nobody has an idea what might be wrong with my config?

I guess I'll run the perl script as root then.

Thanks for looking into this though!
 

SirDice


#12
You can't change the permissions of devices from within a jail. You'll have to set the permissions on the host.
 

z3tbl4


#13
How about adding this rule to your /etc/devfs.rules:

Code:
add path 'usbctl' unhide
and do
# sh /etc/rc.d/devfs restart (and restart jail)?
 

lme@


#14
Code:
root@fhem:/usr/home/fhem # ls -l /dev/cuaU*
crw-rw----  1 uucp  dialer  0x9b Dec 15 19:12 /dev/cuaU0
crw-rw----  1 uucp  dialer  0x9c Dec 14 22:26 /dev/cuaU0.init
crw-rw----  1 uucp  dialer  0x9d Dec 14 22:26 /dev/cuaU0.lock
Just put the "fhem" user into the "dialer" group. :)

Btw, I am preparing a port for fhem (http://fhem.org). It will not solve your specific device rights problem, but ease installation of fhem and its dependencies.
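
Added example (editor's illustration, not code from any poster in this thread): a small POSIX sh check that reads one `ls -l` line and a user's group list and reports which read/write bits apply, which is why membership in operator did not help with a node owned by uucp:dialer. The two listing lines are the ones posted above; the function names and the comma-separated group lists passed to them are assumptions made for the example.

```sh
#!/bin/sh
# Added example: explain why a user can or cannot open a device node,
# using only one `ls -l` line and the user's group list.

# class_bits MODE CLASS -> the read/write characters for owner, group or other
class_bits() {
    case "$2" in
        owner) printf '%s' "$1" | cut -c2-3 ;;
        group) printf '%s' "$1" | cut -c5-6 ;;
        other) printf '%s' "$1" | cut -c8-9 ;;
    esac
}

# device_access LS_LINE USER GROUPS -> "rw", "r-", "-w", "--" or "follow-link"
# GROUPS is a comma-separated list such as the one given to `pw usermod -G`.
device_access() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    case "$mode" in
        # A symlink's own bits say nothing about access; inspect its target.
        l*) echo "follow-link"; return 0 ;;
    esac
    if [ "$2" = "root" ]; then
        echo "rw"                       # uid 0 is not limited by mode bits
    elif [ "$2" = "$owner" ]; then
        class_bits "$mode" owner        # owner class wins, no fall-through
    else
        case ",$3," in
            *",$group,"*) class_bits "$mode" group ;;
            *)            class_bits "$mode" other ;;
        esac
    fi
}

# Listing lines as posted in the thread
CUA='crw-rw----  1 uucp  dialer  0x9b Dec 15 19:12 /dev/cuaU0'
UGEN='lrwxr-xr-x  1 root  wheel  9 Dec  8 10:19 ugen1.3@ -> usb/1.3.0'

device_access "$CUA" root wheel                        # root always gets through
device_access "$CUA" fhem wheel,operator,fhem          # operator is not the node's group
device_access "$CUA" fhem wheel,operator,fhem,dialer   # dialer matches the group class
device_access "$UGEN" eib operator                     # ugen1.3 is only a symlink
```

On a real system, feed it the output of `ls -l` run inside the jail and the groups reported by `id -Gn` with spaces replaced by commas.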
 