[Techtalk] Changing ownership of devices

jas at spamcop.net
Wed Sep 10 19:59:55 EST 2003


Quoting Maria Blackmore <mariab at cats.meow.at>:

> On Tue, 9 Sep 2003, Conor Daly wrote:
> 
> > I know there's an answer to this somewhere...
> 
> There's always an answer :)
> 
> > I have a scanner on /dev/sg0.  If I log in in X, I can use the scanner via
> > xsane.  Now, if I log out and log in again via ssh, I suddenly cannot use
> > the scanner.  It turns out that the ownership of /dev/sg0 has changed.
> > When I was logged in locally, it was:
> >
> > crw------- 1 cdaly root 21,   0 Aug 30  2001 /dev/sg0
> >
> > when I logged out and came back in via ssh it was:
> >
> > crw------- 1 root root 21,   0 Aug 30  2001 /dev/sg0
> 
> This seems very bizarre to me, the device should never be owned by anyone
> other than root.

RedHat takes a slightly different approach: I/O peripherals like that should be
owned by whoever is at the console. If user 'maria' logs in at the console
(including X) then maria gets ownership of these devices; when she logs out,
ownership is returned to root.

> The "right" way to do this is to leave the device owned by root, but
> change the group.  Make a new group just for scanners or re-use a group
> for something else, and add your user to it.  chown the sg0 device to have
> the group set to the one you wish to use to control access to the
> scanner, then all you need to do is give the group access to the device,
> with 660 for example.

The problem with this (and presumably the reason RedHat don't do it) is that
members of this group then have access to devices being used by other members of
the group. If we're both authorized scanner users, I can then read whatever you
scan in...

> > I had this sort of issue over sound devices in the past and I seem to
> > remember something about changing a pam setting.  Does anyone know?
> 
> uhm, not sure what would be doing this.
> 
> I don't think I like the sound of it :/

It's a PAM module, which hooks console logins and logouts. I don't have a RedHat
system handy to check, but looking at the PAM stuff in /etc would be a good
place to start.


James.
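
Added example, not part of James's message or the thread: a Python sketch that works out which users the mode bits let read a device node, comparing the console-ownership scheme (owner only, 0600) with the shared-group scheme (0660) debated above. The users cdaly and maria come from the thread; the "scanner" group, the "guest" account and all function names are assumptions made for this example.

```python
import grp
import os
import pwd
import stat

# Constructed sample: cdaly and maria come from the thread; the "scanner"
# group and the "guest" account are assumptions made for this example.
SAMPLE = {"root": {"root"}, "cdaly": {"cdaly", "scanner"},
          "maria": {"maria", "scanner"}, "guest": {"guest"}}


def readers(owner, group, mode, memberships):
    """Non-root users whose permission class has the read bit set.

    memberships maps user -> set of group names. The kernel consults exactly
    one class per user (owner, else group, else other), so an owner with no
    read bit is refused even if the group bits would allow it.
    """
    allowed = set()
    for user, groups in memberships.items():
        if user == "root":
            continue  # root bypasses the mode bits
        if user == owner:
            bit = stat.S_IRUSR
        elif group in groups:
            bit = stat.S_IRGRP
        else:
            bit = stat.S_IROTH
        if mode & bit:
            allowed.add(user)
    return allowed


def audit(path, memberships):
    """Return (owner, group, octal mode, readers) for a real device node."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # uid or gid missing from the local databases
        owner, group = str(st.st_uid), str(st.st_gid)
    mode = stat.S_IMODE(st.st_mode)
    return owner, group, oct(mode), sorted(readers(owner, group, mode, memberships))


if __name__ == "__main__":
    print("console owner, 0600:", sorted(readers("cdaly", "root", 0o600, SAMPLE)))
    print("after logout, 0600: ", sorted(readers("root", "root", 0o600, SAMPLE)))
    print("shared group, 0660: ", sorted(readers("root", "scanner", 0o660, SAMPLE)))
```

audit() applies the same check to a real node such as /dev/sg0, given a membership map built from the local passwd and group databases.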

