[argyllcms] Re: Argyll's udev rules

  • From: Frederic Crozat <fred@xxxxxxxxxx>
  • To: argyllcms@xxxxxxxxxxxxx
  • Date: Sat, 26 Dec 2009 10:24:23 +0100

2009/12/26 Graeme Gill <graeme@xxxxxxxxxxxxx>:
> Richard Hughes wrote:
>
>> Graeme, you probably want to update to this version in upstream
>> argyll. If nothing else, the ACL_MANAGE attributes ensures we only
>> limit device access to local users, not just all users, which may or
>> may not be a security concern.
>
> Unfortunately your 55-Argyll.rules doesn't seem to pass regression.
> It doesn't work for instance on OpenSuSE 10.3, and probably lots
> of others. I'm guessing that something would need to be done
> to actually make "ACL_MANAGE" do something on these sorts of systems.

ACL_MANAGE will only work on "recent" udev releases (probably udev >
137), which will set ACL on the needed devices, for users with console
privileges (see below).

To know if those rules will work, check if /lib/udev/udev-acl
executable exists : it is does, it will take care of settting ACL.

> (Besides which, I was led to believe that udev rules were going away
>  as a means of managing such things, and that PolicyKit is taking its
>  place ? If this is not true, then what *is* going on, because I sure
>  as heck can't keep track of it!)

It was HAL + PolicyKit +  ConsoleKit which was taking care of setting
ACL (which is why both a .fdi and .policy files were needed).

This stuff is being deprecated (in recent distributions), in favor of
udev rules only.

I would probably recommend not setting ACL_MANAGE directly in
argyllcms rules (this is also what is recommended by udev upstream
developpers), but instead, using the "COLOR_MEASUREMENT_DEVICE"
variable to set ACL_MANAGE in upstream udev ACL rules, just like it is
already done upstrezam for scanner and various other devices.

In /lib/udev/rules.d/70-acl.rules, adding a line like :

# color calibration device
ENV{COLOR_MEASUREMENT_DEVICE}=="1", ENV{ACL_MANAGE}="1"

-- 
Frederic Crozat

Other related posts: