lircd daemon as regular user => device access problems
- Date: Fri, 10 Feb 2017 16:13:15 +0100
- From: Alec Leamas <leamas.alec@xxxxxxxxx>
- Subject: lircd daemon as regular user => device access problems
After some work it seems that an updated LIRC package has landed in
stretch without any major problems. This resolves the urgent need to
update it to something recent enough to be supported by upstream.
One remaining problem is that lircd, the main LIRC daemon, runs as root.
This is code from the 90's, heavily user-configured. Running this as
root is just not sane, and other distros has moved to running it as a
regular user since long. I want to make this change for sid/buster.
However, running lircd as non-root raises permissions problems related
to /dev/... devices. Since lircd is configured in all sorts of ways,
many kinds of devices are potentially used. The paranoid configuration
is to block all devices for lircd, leaving it to user to enable them as
required. This is a breaking update for almost all users.
The alternative is to use the Fedora strategy, outlined below. This
means changing overall permissions for several /dev/... devices. Is this
OK, should it be discussed on this ML, or somewhere else?
Proposed /dev/ permissions after installing lirc:
- The /dev/lirc? devices are set user:group lirc:lirc and mode 660
- The lirc user is added to the input group, to access /dev/input devices.
- The lirc user is added to the dialout group to access /dev/ttyS devices.
- The /var/lock dir is root:root 755 in my stretch box but this is
seemingly #813703; assuming this will be fixed to 1777.
- lirc user gets read access to all USB character devices using a udev
rule invoking facl(1).
I know that getting permission is harder than to be forgiven, but
perhaps it makes sense to have a discussion first?
The possibly controversial issue is the USB devices. However, without
this rule a large part of lirc users will be forced to painful udev