Hi all,
I would like to package some software which needs access to /dev/ttyS? and /dev/parport?
By default, a single user can't access these devices. Only the root user can access them; only the uucp group can access /dev/ttyS? and the lp group can access /dev/parport?
What should I do to allow the program to access these devices?
Regards
-- Alain PORTAL -- Service Commun de Microscopie Électronique Université de Montpellier II -- Case Courrier 087 Place Eugène Bataillon -- 34095 Montpellier Cedex 05 Tél. : 04 67 14 37 35 -- Fax. : 04 67 14 37 37
NO WORD ATTACHMENTS: http://www.fsf.org/philosophy/no-word-attachments.fr.html http://www.giromini.org/usenet-fr/repondre.html
Alain PORTAL wrote:
Hi all,
I would like to package some software which needs access to /dev/ttyS? and /dev/parport?
By default, a single user can't access these devices. Only the root user can access them; only the uucp group can access /dev/ttyS? and the lp group can access /dev/parport?
What should I do to allow the program to access these devices?
Regards
let the program run as user <myuser>
put <myuser> in group lp and uucp in /etc/group
On Thursday 14 October 2004 16:15, Harald Hoyer wrote:
let the program run as user <myuser>
Is it really a good idea?
put <myuser> in group lp and uucp in /etc/group
How can I add (and remove) <myuser> through %post and %preun scripts ?
Regards.
Harald Hoyer wrote:
let the program run as user <myuser>
put <myuser> in group lp and uucp in /etc/group
I think the program is a client application, not a server. Thus we can't really have it run as another user.
I guess it's possible for a client application to use the serial ports, isn't it ? So how can we do that ?
On Saturday 16 October 2004 11:06, Aurelien Bompard wrote:
Harald Hoyer wrote:
let the program run as user <myuser>
put <myuser> in group lp and uucp in /etc/group
I think the program is a client application, not a server. Thus we can't really have it run as another user.
I guess it's possible for a client application to use the serial ports, isn't it ? So how can we do that ?
Nobody has any idea?
On Wed, 2004-10-20 at 09:44 +0200, Alain PORTAL wrote:
On Saturday 16 October 2004 11:06, Aurelien Bompard wrote:
Harald Hoyer wrote:
let the program run as user <myuser>
put <myuser> in group lp and uucp in /etc/group
I think the program is a client application, not a server. Thus we can't really have it run as another user.
I guess it's possible for a client application to use the serial ports, isn't it ? So how can we do that ?
Nobody has any idea?
So is it a client or a server application? If it's a client application, all users who want to use it must have the permissions, either by belonging to a special group or /etc/security/console.perms trickeries. If it's a server application, you could let it be run by e.g. the "myserverapp" user (with an exemplary uid/gid of 450 -- I don't know whom you should ask to get a fixed well known one assigned for FC) which would get added/removed like this in packages:
%post
# Don't fail if user/group already exist
groupadd -g 450 myserverapp || :
useradd -u 450 -g 450 -G uucp,lp myserverapp -d /usr/lib/myserverapp || :

%postun
# $1 is 0 only on final removal, not on upgrade
if [ "$1" = "0" ]; then
    userdel -r myserverapp || :
    groupdel myserverapp || :
fi
HTH, Nils
Hi Nils, thanks for your answer.
On Wednesday 20 October 2004 11:32, Nils Philippsen wrote:
So is it a client or a server application?
Perhaps I need to tell more about this application: this is an IDE for the development of Microchip PIC based applications. This IDE can also program chip devices through serial or parallel port programmers.
http://pikdev.free.fr/
So, the logged-in user needs access to the serial/parallel ports in RW mode. We should consider that it is a client application.
If it's a client application, all users who want to use it must have the permissions, either by belonging to a special group or /etc/security/console.perms trickeries.
Creating a special group doesn't seem to me a good idea because if a new user is added after the package installation, he won't belong to the new group and the administrator will need to add him manually. I prefer a solution where all users can use the application by default.
So, using /etc/security/console.perms seems the best way. Here is my proposal:
# device classes
<serialport>=/dev/ttyS[0-9]
<paralellport>=/dev/parport[0-7]

# permission definitions
<console> 0600 <serialport> 0660 root.uucp
<console> 0600 <paralellport> 0660 root.lp
Does it seem right to you?
How can I add/remove these lines via rpm (un)installation?
If it's a server application, you could let it be run by e.g. the "myserverapp" user (with an exemplary uid/gid of 450 -- I don't know whom you should ask to get a fixed well known one assigned for FC) which would get added/removed like this in packages:
%post
# Don't fail if user/group already exist
groupadd -g 450 myserverapp || :
useradd -u 450 -g 450 -G uucp,lp myserverapp -d /usr/lib/myserverapp || :

%postun
# $1 is 0 only on final removal, not on upgrade
if [ "$1" = "0" ]; then
    userdel -r myserverapp || :
    groupdel myserverapp || :
fi
Is " || : " the way to not fail?
Regards.
On Wednesday 20 October 2004 at 13:48 +0200, Alain PORTAL wrote:
Hi Nils, thanks for your answer.
On Wednesday 20 October 2004 11:32, Nils Philippsen wrote:
So is it a client or a server application?
Perhaps I need to tell more about this application: this is an IDE for the development of Microchip PIC based applications. This IDE can also program chip devices through serial or parallel port programmers.
http://pikdev.free.fr/
So, the logged-in user needs access to the serial/parallel ports in RW mode. We should consider that it is a client application.
If it's a client application, all users who want to use it must have the permissions, either by belonging to a special group or /etc/security/console.perms trickeries.
Creating a special group doesn't seem to me a good idea because if a new user is added after the package installation, he won't belong to the new group and the administrator will need to add him manually. I prefer a solution where all users can use the application by default.
So, using /etc/security/console.perms seems the best way. Here is my proposal:
# device classes
<serialport>=/dev/ttyS[0-9]
<paralellport>=/dev/parport[0-7]

# permission definitions
<console> 0600 <serialport> 0660 root.uucp
<console> 0600 <paralellport> 0660 root.lp
Does it seem right to you?
How can I add/remove these lines via rpm (un)installation?
With Perl, sed ...
Personally, I don't like third-party packages touching security files. Put some instructions in a README or INSTALL file and let the administrator do his job :-)
On Wednesday 20 October 2004 14:16, Matias Féliciano wrote:
So, using /etc/security/console.perms seems the best way. Here is my proposal:
# device classes
<serialport>=/dev/ttyS[0-9]
<paralellport>=/dev/parport[0-7]

# permission definitions
<console> 0600 <serialport> 0660 root.uucp
<console> 0600 <paralellport> 0660 root.lp
Does it seem right to you?
How can I add/remove these lines via rpm (un)installation?
With Perl, sed ...
Hhmm, not really my cup of tea :-)
Personally, I don't like third-party packages touching security files. Put some instructions in a README or INSTALL file and let the administrator do his job :-)
Problem is: is the "administrator" reading README or INSTALL files provided by an rpm package?
First, could you confirm that the lines I want to put in the file are right?
I manually edited the file to try, logged out, and tried to log in but it fails. I am unable to log in as a normal user (big problems with X); I can only log in as root.
On Wednesday 20 October 2004 at 16:46 +0200, Alain PORTAL wrote:
On Wednesday 20 October 2004 14:16, Matias Féliciano wrote:
So, using /etc/security/console.perms seems the best way. Here is my proposal:
# device classes
<serialport>=/dev/ttyS[0-9]
<paralellport>=/dev/parport[0-7]

# permission definitions
<console> 0600 <serialport> 0660 root.uucp
<console> 0600 <paralellport> 0660 root.lp
Does it seem right to you?
How can I add/remove these lines via rpm (un)installation?
With Perl, sed ...
Hhmm, not really my cup of tea :-)
Personally, I don't like third-party packages touching security files. Put some instructions in a README or INSTALL file and let the administrator do his job :-)
Problem is: is the "administrator" reading README or INSTALL files provided by an rpm package?
Add a warning :
- /dev/ttyS? : Permission denied, more information in
/usr/share/doc/<pkgname>-<pkgversion>/README
First, could you confirm that the lines I want to put in the file are right?
Seems OK.
I manually edited the file to try, logged out, and tried to log in but it fails.
Check if you _really_ have the console.
# cat /var/run/console/console.lock (for FC3t3).
I had some troubles with pam_console in fc3t2. Seems to work as expected now (fc3t3).
The documentation :
$ man pam_console
When a user logs in at the console and __no other user is currently logged in at the console__, pam_console.so will change permissions and ownership of files as described in the file /etc/security/console.perms.
I am unable to log in as a normal user (big problems with X); I can only log in as root.
????
Problem is: is the "administrator" reading README or INSTALL files provided by an rpm package?
Add a warning :
- /dev/ttyS? : Permission denied, more information in
/usr/share/doc/<pkgname>-<pkgversion>/README
In %description?
First, could you confirm that the lines I want to put in the file are right?
Seems OK.
I manually edited the file to try, logged out, and tried to log in but it fails.
Check if you _really_ have the console.
Yes, I have.
# cat /var/run/console/console.lock (for FC3t3).
[root@dionysos alain]# cat /var/run/console.lock
alain
[root@dionysos alain]# cat /var/run/console/alain
1
I had some troubles with pam_console in fc3t2. Seems to work as expected now (fc3t3).
The documentation :
$ man pam_console
When a user logs in at the console and __no other user is currently logged in at the console__, pam_console.so will change permissions and ownership of files as described in the file /etc/security/console.perms.
I am unable to log in as a normal user (big problems with X); I can only log in as root.
????
Sorry, I am really unable to explain in English all the problems I had.
I was logged in graphically (KDE) as a normal user. I opened a file manager as root to open the /etc/security/console.perms file. I made the change and saved the file. I logged out. I tried to log in as a normal user but it failed; X didn't want to start and here is the message I saw (sorry, in French):
" Un serveur X est déjà lancé sur le visuel :0. Est-ce que je dois essayer un autre visuel ? Si vous répondez non, j'essayerai de démarrer le szerveur sur :0 une nouvelle fois. (Vous pouvez afficher différentes consoles en utilisant Ctrl+Alt et une touche de fonction Fn, etc)"
One time I said yes, the other time I said no, but I had the same result: unable to start X. If I try to log in as root, I succeed. Finally, I had to comment out the permission definitions I added and reboot. I also had to delete /tmp/.X?-lock.
On Wednesday 20 October 2004 at 18:24 +0200, Alain PORTAL wrote:
Add a warning :
- /dev/ttyS? : Permission denied, more information in
/usr/share/doc/<pkgname>-<pkgversion>/README
In %description?
Why not.
The application should pop up the warning _when_ the application (already installed) fails to access /dev/ttyS?. Something like :
/* open() returns -1 on failure and sets errno */
if ((fd = open("/dev/ttyS0", ...)) == -1 && errno == EACCES) {
    msg_popup("/dev/ttyS0 : Permission denied, more information in /usr/share/doc/<pkgname>-<pkgversion>/README");
}
With this, you are sure that the README will be read (if needed).
I was logged in graphically (KDE) as a normal user. I opened a file manager as root to open the /etc/security/console.perms file.
Is /etc/security/console.perms still world readable ?
I made the change and saved the file. I logged out. I tried to log in as a normal user but it failed; X didn't want to start and here is the message I saw (sorry, in French):
" Un serveur X est déjà lancé sur le visuel :0. Est-ce que je dois essayer un autre visuel ? Si vous répondez non, j'essayerai de démarrer le szerveur sur :0 une nouvelle fois. (Vous pouvez afficher différentes consoles en utilisant Ctrl+Alt et une touche de fonction Fn, etc)"
One time I said yes, the other time I said no, but I had the same result: unable to start X. If I try to log in as root, I succeed. Finally, I had to comment out the permission definitions I added and reboot. I also had to delete /tmp/.X?-lock.
I can't really help here. Sorry.
Get the original console.perms :
rpm2cpio pam-...i386.rpm | cpio -iv -m -d ./etc/security/console.perms
Do a diff with your console.perms and check if there is something wrong.
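An added example, not part of the original thread or of the application's own code: a complete C version of the permission-denied check suggested in the message above, reading the failure reason from errno and naming the device's mode and owning group so the user knows which group membership to ask for. The function names, the O_NOCTTY | O_NONBLOCK flags and the message wording are assumptions; the README path is the thread's own placeholder.

```c
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Placeholder path pattern from the thread, not a real file name. */
#define README "/usr/share/doc/<pkgname>-<pkgversion>/README"

/* Build the message for a failed open(). Returns 1 when the failure was a
 * permission problem (msg filled in), 0 for any other error. */
int describe_denied(const char *path, int err, char *msg, size_t len)
{
    struct stat st;
    struct group *gr;
    char group[64];

    if (err != EACCES)
        return 0;
    if (stat(path, &st) != 0) {          /* cannot inspect: generic text */
        snprintf(msg, len, "%s: Permission denied, see %s", path, README);
        return 1;
    }
    gr = getgrgid(st.st_gid);            /* e.g. uucp or lp on the devices */
    if (gr != NULL)
        snprintf(group, sizeof group, "%s", gr->gr_name);
    else
        snprintf(group, sizeof group, "gid %ld", (long)st.st_gid);
    snprintf(msg, len, "%s: Permission denied (mode %04o, group %s). "
             "Ask the administrator to add your account to that group; "
             "see %s", path, (unsigned)(st.st_mode & 07777), group, README);
    return 1;
}

/* Open a port read/write. Returns the fd, or -1; msg is non-empty only
 * when access was denied. Flags are an assumption: O_NOCTTY keeps the tty
 * from becoming the controlling terminal, O_NONBLOCK avoids waiting for
 * carrier on a serial line. */
int open_port(const char *path, char *msg, size_t len)
{
    int fd, saved;

    msg[0] = '\0';
    fd = open(path, O_RDWR | O_NOCTTY | O_NONBLOCK);
    if (fd == -1) {
        saved = errno;                   /* stat()/getgrgid() may change it */
        describe_denied(path, saved, msg, len);
        errno = saved;
    }
    return fd;
}
```

The caller shows msg in its own dialog when open_port() returns -1 and msg is non-empty, which keeps the device permissions untouched and leaves the group change to the administrator.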
Hi,
On Wednesday 20 October 2004 18:44, Matias Féliciano wrote:
On Wednesday 20 October 2004 at 18:24 +0200, Alain PORTAL wrote:
Add a warning :
- /dev/ttyS? : Permission denied, more information in
/usr/share/doc/<pkgname>-<pkgversion>/README
In %description?
Why not.
The application should pop up the warning _when_ the application (already installed) fails to access /dev/ttyS?. Something like :
/* open() returns -1 on failure and sets errno */
if ((fd = open("/dev/ttyS0", ...)) == -1 && errno == EACCES) {
    msg_popup("/dev/ttyS0 : Permission denied, more information in /usr/share/doc/<pkgname>-<pkgversion>/README");
}
With this, you are sure that the README will be read (if needed).
OK.
I was logged in graphically (KDE) as a normal user. I opened a file manager as root to open the /etc/security/console.perms file.
Is /etc/security/console.perms still world readable ?
Yes.
I made the change and saved the file. I logged out. I tried to log in as a normal user but it failed; X didn't want to start and here is the message I saw (sorry, in French):
" Un serveur X est déjà lancé sur le visuel :0. Est-ce que je dois essayer un autre visuel ? Si vous répondez non, j'essayerai de démarrer le szerveur sur :0 une nouvelle fois. (Vous pouvez afficher différentes consoles en utilisant Ctrl+Alt et une touche de fonction Fn, etc)"
One time I said yes, the other time I said no, but I had the same result: unable to start X. If I try to log in as root, I succeed. Finally, I had to comment out the permission definitions I added and reboot. I also had to delete /tmp/.X?-lock.
I can't really help here. Sorry.
Get the original console.perms :
rpm2cpio pam-...i386.rpm | cpio -iv -m -d ./etc/security/console.perms
Do a diff with your console.perms and check if there is something wrong.
Nothing wrong, the only difference I saw is the one I made. I give up on this solution. The administrator would have to add users to the lp and uucp groups.
Thanks for all your answers. Regards.
On Thursday 14 October 2004 at 16:11 +0200, Alain PORTAL wrote:
Hi all,
I would like to package some software which needs access to /dev/ttyS? and /dev/parport?
By default, a single user can't access these devices. Only the root user can access them; only the uucp group can access /dev/ttyS? and the lp group can access /dev/parport?
What should I do to allow the program to access these devices?
Use :
/etc/udev/permissions.d/
/etc/security/console.perms
Regards
On Thursday 14 October 2004 16:18, Matias Féliciano wrote:
Use : /etc/udev/permissions.d/
I don't have this directory. Could you tell me more?
Regards.