How Debian controls hardware access
Posted by Steve on Mon 14 Mar 2005 at 11:00
Like a lot of other Linux distributions, Debian handles hardware access via the groups on the system. This is the single most common reason why access to sound, CD-ROMs, and other devices fails.
A common symptom of insufficient permissions will be that the superuser, root, will be able to perform an action, such as listening to music, whilst an ordinary user will not be able to.
On Debian systems there are a number of different groups, each specified in the /etc/group file, for controlling access to particular devices.
- audio: Members of the audio group can access the sound device /dev/dsp. This is required for listening to music, or making audio recordings.
- dialout: The dialout group is used to control access to dialout scripts which connect to ISPs, etc. If you're using ppp, dip or similar services you'll need to be a member of the dialout group. (Or root!)
- cdrom: All members of the cdrom group have read + write access to the CD-ROM devices upon a system, if any.
- floppy: The floppy group has the ability to read and write to any floppy disk which is in the drive, if any.
- video: The video group gains the ability to write to video memory. This is required if you wish to use the nvidia driver, for example.
- fax: The fax group is similar to the dialout group and allows you to interface with any fax device.
- sudo: Members of the sudo group need not type their passwords when running sudo, although it's more obvious to specify this by using the NOPASSWD option inside the configuration file.
- tape: Being a member of the tape group allows you to work with any attached tape device.
Other groups exist as a simple convention, so for example members of the staff group can write to /usr/local by default - so they can add local software. Similarly, members of the group src can directly write to the /usr/src directory.
To add a user to a particular group you would run the following command as root:
adduser username groupname
Eg:
root@mystery:~# adduser skx audio
Adding user `skx' to group `audio'... Done.
Once this has been done the user must logout and login again for the changes to take effect.
To see which groups you are a member of you can run the "id" command:
skx@mystery:~$ id
uid=1000(skx) gid=1000(skx) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),1000(skx)
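A small audit script, added here as an example and not part of the original article: it parses a file in /etc/group format and reports which of the device groups above a user belongs to, and which are missing. The group file contents are constructed for the example; on a live system you would point it at /etc/group.

```sh
#!/bin/sh
# Audit supplementary group membership from a file in /etc/group format:
#   name:password:gid:member1,member2,...
# Note: only the members field is consulted, so a user's primary group
# (the gid in /etc/passwd) is not listed, unlike the output of id(1).

# Constructed sample group file for the example (not a real system's file).
SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat >"$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
dialout:x:20:skx
cdrom:x:24:skx,bob
floppy:x:25:skx
tape:x:26:
audio:x:29:skx
video:x:44:skx
skx:x:1000:
bob:x:1001:
EOF

# groups_of FILE USER -> space-separated groups listing USER as a member,
# in the order they appear in FILE.
groups_of() {
    awk -F: -v user="$2" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == user) printf "%s ", $1 }
        END { print "" }' "$1" | sed 's/ *$//'
}

# missing_groups USER FILE GROUP... -> prints each GROUP the user is not in,
# one per line; returns 1 if any are missing, 0 otherwise.
missing_groups() {
    user=$1; file=$2; shift 2
    have=" $(groups_of "$file" "$user") "
    rc=0
    for g in "$@"; do
        case "$have" in
            *" $g "*) ;;
            *) echo "$g"; rc=1 ;;
        esac
    done
    return $rc
}

# Example run against the sample file; for a real check use /etc/group and "$USER".
echo "skx is in: $(groups_of "$SAMPLE_GROUP_FILE" skx)"
missing_groups bob "$SAMPLE_GROUP_FILE" audio cdrom video || echo "bob lacks the groups above"
```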
You are limited to 16 groups with NFS. It's very easy to be in 20 groups.
With NIS, you must export system groups like audio, video... if you want to use these groups on many computers. I know I can switch to LDAP but NIS is easy to set up.
I'm not sure I understand why this is bad, generally speaking most users only need to be added to the audio and possibly video groups to use a machine.
If you're running a big environment where you have a lot of machines and users and people can sit down in front of any machine it might be better to simply change the defaults - give each user the membership of group "interactive", and change the permissions on any of the hardware devices that they need to use.
(I guess I'm having a hard time seeing why you would need a large number of users all to be able to use every single possible device - instead of just one or two common ones. Large installations of any OS would need tweaking, and here we're just describing the way the system operates by default).
Steve
-- Steve.org.uk
The other problem is to export the master group file to the other computers via NIS. I do not want system users in this file...
With cfengine, it is very easy to have the same file on 20 computers. So for the post after, it's not really a problem to change a config file on n computers.
I change the permissions on the dev files. It is not the best way but maybe the easiest way.
auth optional pam_group.so
to the files cron, gdm, login, other, ssh, and su in "/etc/pam.d". Then edit /etc/security/group.conf and add this:
*;*;*;Al0000-2400;users audio floppy cdrom
As you can see, I add the users group. I do this to be able to have all users use umask 007 but still have some directories be accessible by all by being owned by the users group and setting the setgid (g+s) bit on it.
Polish translation of your article is available now at http://www.debianusers.pl/article.php?aid=75. Thank you very much for your writing!
I don't understand only one thing. Why do you write about sudo group together with the groups controlling access to hardware devices.
Best regards!
Pawel
It just seemed appropriate to mention as many of the groups as possible - although I agree that it doesn't serve as a hardware control and I guess it stands out a little.
Thanks for your work, and continued support.
Steve
-- Steve.org.uk
LDAP doesn't have any obvious bearing, since that is to control user id, and these are system groups.
Typically you would use some system whereby local users in front of a machine would be granted access to common devices such as video, disk, cd-rom, etc by PAM.