[argyllcms] udev/ConsoleKit and device permissions under Linux

• From: Roland Mas <lolando@xxxxxxxxxx>
• To: argyllcms@xxxxxxxxxxxxx
• Date: Tue, 26 Jan 2010 15:44:11 +0100

Hi,

I'm still trying to get to the bottom of the device file permission
system.  The new rules seem to work fine so far, but I'd like to be
sure it's not a quirk.

libusb/55-Argyll.rules currently tests for /lib/udev/udev-acl, delegates
permissions to it if it exists, and uses the static "plugdev" group
otherwise.  From my understanding, there are three possible scenarios:

1. Recent udev with udev-acl, ConsoleKit is also present.
2. Recent udev, but no ConsoleKit.
3. “Old” udev.

With the current rules, scenario 3 leads to the device file belonging to
plugdev, which is a good fallback; scenario 1 leads to the permissions
being delegated to ConsoleKit via udev-acl, which is good too; but
scenario 2 leads to the permissions being delegated to udev-acl, which
won't do anything (apart setting an ACL to allow root to access the
device, which doesn't have much use).

In order to handle this scenario, I suggest the following patch:

=== modified file 'libusb/55-Argyll.rules'
--- libusb/55-Argyll.rules      2010-01-24 19:21:41 +0000
+++ libusb/55-Argyll.rules      2010-01-26 14:42:48 +0000
@@ -43,10 +43,11 @@
 # Huey
 ATTRS{idVendor}=="0971", ATTRS{idProduct}=="2005", 
ENV{COLOR_MEASUREMENT_DEVICE}="1"
 
-# Let ACL manage these devices, if it is installed
-TEST=="/lib/udev/udev-acl", ENV{COLOR_MEASUREMENT_DEVICE}=="*?", 
ENV{ACL_MANAGE}="1"
+# Let udev-acl and ConsoleKit manage these devices, if applicable
+TEST=="/lib/udev/udev-acl", TEST=="/var/run/ConsoleKit/database", 
ENV{COLOR_MEASUREMENT_DEVICE}=="*?", ENV{ACL_MANAGE}="1"
 
-# Otherwise users should be members of the plugdev group
+# Otherwise, restrict access to members of the plugdev group
+TEST!="/var/run/ConsoleKit/database", ENV{COLOR_MEASUREMENT_DEVICE}=="*?", 
MODE="660", GROUP="plugdev"
 TEST!="/lib/udev/udev-acl", ENV{COLOR_MEASUREMENT_DEVICE}=="*?", MODE="660", 
GROUP="plugdev"
 
 LABEL="argyll_rules_end"

  I might apply this to the Debian packaging, but I'd like to get
comments beforehand :-)

Roland.
-- 
Roland Mas

...your network won't even know it's talking to a proxy, unless of
course, the proxy doesn't work.  -- in Linux 2.4 NAT HOWTO

• Follow-Ups:
  • [argyllcms] Re: udev/ConsoleKit and device permissions under Linux
    • From: Frederic Crozat
  • [argyllcms] Re: udev/ConsoleKit and device permissions under Linux
    • From: Graeme Gill

Other related posts:

• » [argyllcms] udev/ConsoleKit and device permissions under Linux - Roland Mas
• » [argyllcms] Re: udev/ConsoleKit and device permissions under Linux- Frederic Crozat
• » [argyllcms] Re: udev/ConsoleKit and device permissions under Linux- Roland Mas
• » [argyllcms] Re: udev/ConsoleKit and device permissions under Linux- Graeme Gill
• » [argyllcms] Re: udev/ConsoleKit and device permissions under Linux- Graeme Gill
• » [argyllcms] Re: udev/ConsoleKit and device permissions under Linux- Roland Mas

1. Home
2. argyllcms
3. Archive
4. 01-2010

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---