[Fedora Robotics] unified robots udev and policykit rules package

Rich Mattes richmattes at gmail.com
Fri Feb 4 18:50:36 UTC 2011


On Fri, Feb 4, 2011 at 12:26 PM, Martin Langhoff <martin at laptop.org> wrote:

> On Fri, Feb 4, 2011 at 11:30 AM, Rich Mattes <richmattes at gmail.com> wrote:
> > The maintenance thing could be eased somewhat by creating a robotics
> > group
>
> Yes -- it can be a package where all robotics-and-related packagers get
> access -- not sure if FAS does "group accounts".
>

Right, I was thinking of the pseudo-accounts you can InitialCC in pkgdb to
forward commit messages and such.  I guess you'd still have to grant ACLs
individually to such a package.


> > There's a lot of different ways to access devices, so one solution probably
> > isn't going to work.  For example, the Arduino package now ships with a
> > policykit policy and a launcher that checks to see if your user is in the
> > requisite dialout and lock groups[1]
>
> That is interesting but very weird. As a user, why would I need to
> call an admin? Fedora and other distros are consolidating on the view
> that "user at the console" is the important criteria.
>

librxtx needs to write lockfiles to /var/lock/lockdev, which is owned by the
group "lock".  The /dev/ttyACM* and /dev/ttyUSB* files are all owned by
"dialout" by default.  The original Arduinos used an off-the-shelf FTDI chip,
so it probably wouldn't have been a great idea to ship a udev rule
re-assigning permissions based on vid/pid (I don't know if they had any
other unique attributes).  The new Arduinos have their own vid/pid, but you
still have to worry about backwards compatibility for FTDI boards.  Udev
rules would only get you around the device node being owned by dialout;
write access to lock is still a problem.

If you're the "user at the console" on a single-user computer, you're
probably the admin to begin with.  And if your admin knows that he needs to
support users accessing serial ports, he might add users to the correct
groups ahead of time.  I can't think of a better way to go about it; my
knowledge of the *Kit frameworks is minimal.  I'll note that the prompt
indicating which groups you need to be a member of is a giant leap forward
from the upstream behavior of failing with a cryptic error message.


> > You can get by with a udev rule that sets the
> > camera to 0666.
>
> Um. I don't think 0666 access mode is a good idea.
>

Then set the GROUP to "users" or "video" and use 0660?  I'm pretty sure all
these robotics devices really need are the same permissions any webcam would
have (rw), and the people making these libraries generally aren't security
experts.


Rich
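
An added example, not part of the original message or of any Fedora package: a small Python check that reads udev rules text and separates the 0666 case debated above from a GROUP plus 0660 rule. The sample rules are constructed and the vendor id "xxxx" is a placeholder; the verdict names are this example's own.

```python
import re

# One udev token: KEY, operator, quoted value (e.g. MODE="0660", ATTRS{idVendor}=="xxxx").
TOKEN = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

def logical_lines(text):
    """Yield (first_line_number, rule), joining backslash continuations, skipping comments."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def audit(text):
    """Return (line, mode, group, verdict) for every rule that assigns an octal MODE."""
    out = []
    for n, rule in logical_lines(text):
        # Keep assignments only; "==" and "!=" are match conditions, not settings.
        assigned = {k: v for k, op, v in TOKEN.findall(rule) if op in ("=", ":=", "+=")}
        mode, group = assigned.get("MODE"), assigned.get("GROUP")
        if mode is None or not re.fullmatch(r"[0-7]{3,4}", mode):
            continue  # no MODE, or a non-octal value this example does not evaluate
        bits = int(mode, 8)
        if bits & 0o002:
            verdict = "world-writable"       # any local account can write to the node
        elif bits & 0o004:
            verdict = "world-readable"
        elif bits & 0o060 and group is None:
            verdict = "group-bits-no-GROUP"  # access goes to whatever group was set elsewhere
        else:
            verdict = "ok"
        out.append((n, mode, group, verdict))
    return out

# Constructed sample rules; the vendor id "xxxx" is a placeholder, not a real device.
SAMPLE = r'''
SUBSYSTEM=="video4linux", ATTRS{idVendor}=="xxxx", MODE="0666"
SUBSYSTEM=="video4linux", ATTRS{idVendor}=="xxxx", \
    GROUP="video", MODE="0660"
KERNEL=="ttyACM[0-9]*", MODE="0660"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
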