Re: Providing access to USB devices

[Pierre Pronchery <khorben%defora.org@localhost>]

		Hi Martin, tech-userlevel@,

On 20/09/2018 10:49, Martin Husemann wrote:
> On Thu, Sep 20, 2018 at 10:41:01AM +0200, Pierre Pronchery wrote:
>> Would it make sense to create a _usb group, and setting the permissions
>> of /dev/ugen* and maybe also /dev/usb* to mode 0660 root:_usb?
>>
>> With this we should also be able to run services like pcscd (from
>> pkgsrc) without requiring root.
> 
> We had some discussion about this some time ago in the context of usb
> scanners. Alternatives propsoed where the GiveConsole/TakeConsole
> scripts used by X login managers and a script that matches certain
> devices.

Well, I believe even this approach would benefit from an additional _usb
group. GiveConsole/TakeConsole would simply grant membership; this can
only be better than changing ownership to nodes in /dev.

> An alterntive Jared suggested was to add console users temporarily to a
> dynamic group. I like this idea.

I like it too, however on UNIX it is trivial to make such temporary
ownership become permanent (just create a setgid binary).

In practice however, shouldn't it be granting membership to multiple
groups instead of just one? Access to hardware components should be more
granular than just one "_hardware" group. Some system services may also
provide functionality without the final user requiring access to the
hardware (like pcscd).

> And I bet Jason would now chime in and talk about a aproper devfs ;-)

That would be my favourite option actually :)

Cheers,
-- 
khorben