
Re: lircd daemon as regular user => device access problems





On 10 February 2017 16:13:15 GMT+01:00, Alec Leamas <leamas.alec@xxxxxxxxx> wrote:
>Dear list,
>
>After some work it seems that an updated LIRC package has landed in 
>stretch without any major problems. This resolves the urgent need to 
>update it to something recent enough to be supported by upstream.
>
>One remaining problem is that lircd, the main LIRC daemon, runs as root.
>This is code from the 90's, heavily user-configured. Running this as 
>root is just not sane, and other distros have moved to running it as a 
>regular user since long. I want to make this change for sid/buster.
>
>However, running lircd as non-root raises permissions problems related 
>to /dev/... devices. Since lircd is configured in all sorts of ways, 
>many kinds of devices are potentially used. The paranoid configuration 
>is to block all devices for lircd, leaving it to the user to enable them as
>required. This is a breaking update for almost all users.
>
>The alternative is to use the Fedora strategy, outlined below. This 
>means changing overall permissions for several /dev/... devices. Is this
>OK, should it be discussed on this ML, or somewhere else?
>
>Proposed /dev/ permissions after installing lirc:
>
>- The /dev/lirc? devices are set user:group  lirc:lirc and mode 660 
>(udev rule).
>- The lirc user is added to the input group, to access /dev/input devices.
>- The lirc user is added to the dialout group to access /dev/ttyS devices.
>- The /var/lock dir is root:root 755 in my stretch box but this is 
>seemingly #813703; assuming this will be fixed to 1777.
>- lirc user gets read access to all USB character devices using a udev 
>rule invoking facl(1).
>
>I know that getting permission is harder than to be forgiven, but 
>perhaps it makes sense to have a discussion first?
>
>The possibly controversial issue is the USB devices. However, without 
>this rule a large part of lirc users will be forced to painful udev 
>rules configuration


Can we list the USB devices needed (whitelist)?

Bastien
>
>Thoughts?
>
>--alec

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
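
The two USB options discussed in this thread, sketched as udev rules. This is an added illustration, not part of either message and not the actual Fedora or Debian rule file; the file name, the setfacl path and the VVVV/PPPP vendor and product IDs are placeholders and assumptions.

```udev
# /etc/udev/rules.d/60-lirc-example.rules   (hypothetical file name)

# /dev/lirc? devices: owner lirc, group lirc, mode 660, as in the proposal.
KERNEL=="lirc[0-9]*", OWNER="lirc", GROUP="lirc", MODE="0660"

# Broad variant from the proposal: a read ACL for the lirc user on every
# USB device node. Left commented out so it can be compared with the
# scoped rule below; with it enabled, a compromised lircd can open any
# USB device node for reading, not only IR receivers.
# ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
#   RUN+="/usr/bin/setfacl -m u:lirc:r $devnode"

# Whitelist variant asked about in the reply: the same ACL, granted only
# when the device matches a known receiver. One rule per supported
# device; VVVV and PPPP are placeholders for its USB vendor/product ID.
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
  ATTR{idVendor}=="VVVV", ATTR{idProduct}=="PPPP", \
  RUN+="/usr/bin/setfacl -m u:lirc:r $devnode"
```

The resulting ACL on a plugged-in device node can be inspected with `getfacl` to confirm that only whitelisted receivers carry the `user:lirc:r--` entry.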