Overriding permissions from udev sample rules

Bryan Kadzban bryan at kadzban.is-a-geek.net
Sun Oct 14 05:32:36 PDT 2007


Bruce Dubbs wrote:
> Bryan Kadzban wrote:
> 
>> I'd think 0666 would be fine. And if you run any programs that use
>> /dev/tty, you may need 0666 if you run them as a
>> non-tty-group-member -- but I don't know whether any of those
>> exist.
>> 
>> (I'd still say go with our mode here, though.)
> 
> I don't know if there are any programs that would need this
> permission. The tty group has no members.

By default, that's true.  I don't know whether there are any systems "in
the wild" where that group does have members, though I doubt it.

I suspect the only reason for the group's existence is so that write can
be setgid-tty, and then be able to write to other consoles.

> The only files on my system that have tty as a group are /dev/tty*,
> /dev/pts/*, /dev/ptmx, /dev/console, and /usr/bin/write.  I can't
> think of any case where you would run something as another user
> except root that might need this capability.

/usr/bin/write only has that group because its setgid bit is on.  The
other files are what /usr/bin/write writes to, to broadcast its message.

You'd run write as a normal user, not root -- or at least, you could,
because of its setgid bit.  But I think it's the only program like that,
so I think you're right that 0660 is fine.

>> (Actually, I'm ignoring the issue of ioctls on the console devices.
>> I'm not sure what cans of worms those open up, if any, since I
>> don't know what the various ioctls are, or would let you do.  Hmm.)
>> 
> 
> Again, ioctls would make no difference from one user to another as
> far as groups are concerned as long as no one is in the tty group.

True.

> From your analysis, I don't see any compelling reason to override any
> of the permissions or groups in the 50- rules.  We can just simplify
> our 25- rules to not duplicate the rules in 50- and use  "last_rule"
> if we need to override something in 50-.

Or use :=, but that's what I was trying to avoid if possible.  There are
a few other differences between our permissions (or groups) and udev's,
which I was hoping to override by moving 25- to 51- and leaving those
rules alone.

One instance is everywhere that udev assigns "uucp", we seem to assign
"dialout" instead.  I think that's because we have no "uucp" group.
Another is all the input devices: we assign 0644, but udev assigns 0640
or 0600, depending on the device.  I'd rather not have to be a member of
a certain group in order to test input devices.  Another is agpgart:
udev assigns 0600, but we assign 0666.  (This may not matter, since X is
setuid root.)  The last two are disk and tape devices: udev assigns tape
devices to group "disk" instead of "tape", and disk devices get mode
0640 instead of our 0660.

All of those can be overridden if we move our rules to 51-; just the TTY
devices can't be.  So if we want to go with udev's permissions for TTYs
(which sound like they'd probably work), then that should be fine.
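The precedence question in the message above (25- vs. 51- file names, `:=` and `last_rule` as alternatives) can be modelled in a few lines. The following is an added example, not LFS or udev code: a toy resolver that applies rule files in lexical order with the three override mechanisms the thread mentions, over constructed stand-ins for 50-udev-default.rules and the LFS rules; the `apply_rules`/`outcome` names, the rule text and the device attributes are all assumptions for illustration.

```python
"""Toy model of udev rule precedence (added example, not udev or LFS code).
Rule files apply in lexical filename order, a later plain "=" overrides an
earlier one, ":=" makes a value final, and OPTIONS+="last_rule" stops
processing after the matching rule.  All rule text here is constructed."""
import re
from fnmatch import fnmatchcase

TOKEN = re.compile(r'(\w+)\s*(==|\+=|:=|=)\s*"([^"]*)"')

def parse_rules(text):
    """One list of (key, op, value) tokens per non-blank, non-comment line."""
    return [TOKEN.findall(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def apply_rules(device, files):
    """Resolve assignments for one device ({"KERNEL": ..., "SUBSYSTEM": ...})
    from a {filename: rules text} mapping, processed in sorted filename order."""
    result, final = {}, set()  # final: keys set with ":=", immune to later "="
    for name in sorted(files):
        for rule in parse_rules(files[name]):
            if not all(fnmatchcase(device.get(k, ""), v)
                       for k, op, v in rule if op == "=="):
                continue  # every match key must match (shell-glob semantics)
            stop = False
            for key, op, value in rule:
                if op == "==":
                    continue
                if key == "OPTIONS":
                    stop = stop or value == "last_rule"
                elif key in final:
                    continue  # protected by an earlier ":="
                elif op == ":=":
                    final.add(key)
                    result[key] = value
                elif op == "+=":
                    result[key] = (result.get(key, "") + " " + value).strip()
                else:
                    result[key] = value
            if stop:
                return result  # last_rule: nothing after this rule is consulted
    return result

# Constructed stand-ins for udev's 50-udev-default.rules and the LFS rules.
UDEV_DEFAULT = ('KERNEL=="event*", SUBSYSTEM=="input", GROUP="root", MODE="0640"\n'
                'KERNEL=="ttyS[0-9]*", GROUP="uucp", MODE="0660", SYMLINK+="serial/port0"\n')
LFS_RULES = 'KERNEL=="event*", MODE="0644"\nKERNEL=="ttyS[0-9]*", GROUP="dialout"\n'

def outcome(lfs_filename, lfs_rules=LFS_RULES):
    """Resolved attributes for event0 and ttyS0 with the LFS rules installed as lfs_filename."""
    files = {"50-udev-default.rules": UDEV_DEFAULT, lfs_filename: lfs_rules}
    return {"event0": apply_rules({"KERNEL": "event0", "SUBSYSTEM": "input"}, files),
            "ttyS0": apply_rules({"KERNEL": "ttyS0", "SUBSYSTEM": "tty"}, files)}
```

Running `outcome("25-lfs.rules")` shows the LFS mode and group silently lost to 50-, `outcome("51-lfs.rules")` shows them winning by file order alone, and a `last_rule` variant shows the cost of that approach: every later assignment for the device, including udev's MODE and SYMLINK, is skipped.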