Problems accessing USB devices with non-root user inside Jail

Hi,

I need to access a USB device with a non-root user within a jail. I had similar issues with FreeNAS and now installed a fresh FreeBSD 9.3.

When running usbconfig as root in the jail, I see all the USB devices connected.

The device required for my setup is:
Code:
ugen1.3: <KNX-USB Data Interface Gira Giersiepen GmbH  Co. KG> at usbus1, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (50mA)

This is a USB device connecting to a home automation system.

My permissions are as follows:
Code:
root@knx:/dev # ll ugen1.3
lrwxr-xr-x  1 root  wheel  9 Dec  8 10:19 ugen1.3@ -> usb/1.3.0

I've modified the devfs.rules:
Code:
root@knx:/dev # cat /etc/devfs.rules

[system=10]
add path 'usbctl' mode 660 group operator
add path 'usb/*' mode 660 group operator
add path 'ugen*' mode 0660 group operator

and rc.conf:
Code:
root@knx:/dev # cat /etc/rc.conf
devfs_system_ruleset="system"

If I now run usbconfig as user eib, I get the following output:
Code:
root@knx:/dev # sudo -u eib usbconfig

No device match or lack of permissions.

I'm able to access the USB device as root without any issues but not with any other user. User eib has been added to the operator group.

Is there anything wrong with my devfs config?

Thanks.
Moellinger
 
Set /etc/sysctl.conf in your base system to
Code:
vfs.usermount=1
for non-root users to mount hardware. FAQ For FreeBSD - Chapter 8. Disks, File Systems, and Boot Loaders.

I'm guessing your device is showing inside the jail's /dev directory. If not: there should be another section in the base system devfs.rules that is used for your jails, similar to what you have for [system=10]. From inside the jail you may also want to check /etc/devfs.conf.
 
From inside the jail you may also want to check /etc/devfs.conf

What line should be in this file?

I am having a similar option where I can only access /dev/cuaU0 as a root user from within a jail, but not as non-root. Can you maybe share an example?
 
Jails have limited access to devices. See /etc/defaults/devfs.rules:
Code:
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide

If you need to access a certain device from within a jail you'll need to unhide it. Similarly, you need to set the correct permissions to access /dev/cuau0 as a non-root user in the jail rules.
 
/etc/devfs.conf
Code:
own    /dev/cuaU0   root:operator
perm   /dev/cuaU0   0666
Permission 0660 usually works for me too.
 
Thanks for looking into my problem, guys!
Unfortunately I still can't figure it out though.

This is where I am at now:

On the host machine:
vfs.usermount is 1:
Code:
[root@server] ~# sysctl vfs.usermount
vfs.usermount: 1

The last section in /etc/defaults/devfs.rules looks like this:
Code:
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path 'cuaU0' unhide

I am guessing that the unhiding worked, since I can access the device from inside the jail as root, right?

Inside the jail:

The /etc/devfs.conf looks like this:
Code:
own  /dev/cuaU0  root:operator
perm  /dev/cuaU0  0666

I made sure that the user fhem is member of the operator group:
Code:
pw usermod fhem -G wheel,operator,fhem

I also tried without the /dev/:
Code:
own  cuaU0  root:operator
perm  cuaU0  0666

and also to make fhem the owner:
Code:
own  cuaU0  fhem:fhem
perm  cuaU0  0666

but these all don't work. What am I missing? Of course I restarted the jail every time.

I read something about changing this entry in /etc/rc.conf inside the jail:
Code:
devfs_system_ruleset="devfsrules_common"

But I wouldn't know what to change it to.
 
Code:
root@fhem:/usr/home/fhem # ls -l /dev/cuaU*
crw-rw----  1 uucp  dialer  0x9b Dec 15 19:12 /dev/cuaU0
crw-rw----  1 uucp  dialer  0x9c Dec 14 22:26 /dev/cuaU0.init
crw-rw----  1 uucp  dialer  0x9d Dec 14 22:26 /dev/cuaU0.lock
 
Never edit the files in /etc/defaults/. They'll be overwritten with the next update of the system. Copy the bit you want to change to /etc/devfs.rules and make your changes there.
 
Thanks for the hint! Didn't know that and will change that tonight.

But that can't be the reason for it not working right now, as the root user has access from within the jail, right?
 
Nobody has an idea what might be wrong with my config?

I guess I'll run the perl script as root then.

Thanks for looking into this though!
 
You can't change the permissions of devices from within a jail. You'll have to set the permissions on the host.
 
How about adding this rule to your /etc/devfs.rules:

Code:
add path 'usbctl' unhide
and do
# sh /etc/rc.d/devfs restart (and restart jail)?
 
Code:
root@fhem:/usr/home/fhem # ls -l /dev/cuaU*
crw-rw----  1 uucp  dialer  0x9b Dec 15 19:12 /dev/cuaU0
crw-rw----  1 uucp  dialer  0x9c Dec 14 22:26 /dev/cuaU0.init
crw-rw----  1 uucp  dialer  0x9d Dec 14 22:26 /dev/cuaU0.lock
Just put the "fhem" user into the "dialer" group. :)

Btw, I am preparing a port for fhem (http://fhem.org). It will not solve your specific device rights problem, but will ease installation of fhem and its dependencies.
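
The group fix suggested in the last post, worked through as an added example (not code from the thread): the listing lines and fhem's groups are copied from the posts above, while the function names are hypothetical. It also flags the symlink case from the first post, where `ls -l` shows the link's mode rather than the device node's.

```python
from collections import namedtuple

# Listing lines copied from the thread (serial device in the jail, ugen symlink).
CUAU0 = "crw-rw----  1 uucp  dialer  0x9b Dec 15 19:12 /dev/cuaU0"
UGEN = "lrwxr-xr-x  1 root  wheel  9 Dec  8 10:19 ugen1.3@ -> usb/1.3.0"
FHEM_GROUPS = {"wheel", "operator", "fhem"}  # from the "pw usermod" post
# kind: first mode character ('c' device, 'l' symlink); perms: nine rwx characters
Node = namedtuple("Node", "kind perms owner group name")


def parse(line):
    """Split one `ls -l` line into the fields that decide access."""
    tok = line.split()
    # For a symlink the name is the token before "->" (ls -F appends "@").
    name = tok[tok.index("->") - 1].rstrip("@") if "->" in tok else tok[-1]
    return Node(tok[0][0], tok[0][1:10], tok[2], tok[3], name)


def allowed(node, user, groups, want="rw"):
    """Unix rule: exactly one triplet applies (owner, else group, else other)."""
    if user == "root":
        return True
    if user == node.owner:
        bits = node.perms[0:3]
    elif node.group in groups:
        bits = node.perms[3:6]
    else:
        bits = node.perms[6:9]
    return all(flag in bits for flag in want)


def diagnose(line, user, groups, want="rw"):
    """Explain why `user` can or cannot open the node, with the narrowest fix."""
    node = parse(line)
    if node.kind == "l":
        return f"{node.name}: symlink, the mode shown is the link's; check the target"
    if allowed(node, user, groups, want):
        return f"{node.name}: {user} has {want} access"
    # Least-privilege fix: join the device's group rather than opening the mode.
    if user != node.owner and all(flag in node.perms[3:6] for flag in want):
        return f"{node.name}: denied; add {user} to group '{node.group}'"
    return f"{node.name}: denied; mode must be changed by a devfs rule on the host"


if __name__ == "__main__":
    print(diagnose(CUAU0, "fhem", FHEM_GROUPS))
    print(diagnose(UGEN, "eib", {"operator"}))
```

Membership in operator does not help here because the node is owned by uucp:dialer with mode 0660, so only the dialer group triplet grants access.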
 