Fedora Linux Support Community & Resources Center

#1
10th January 2008, 01:37 AM
puterboy
Access to devices without console login

I would like to be able to access various devices (and the programs that use them) remotely when I am not able to log in to the console. For example, if I want to use vlc to stream video from my tv card then I need access to /dev/video1.

I'm just not sure what is the best way to do this. Of course, I could each time use brute force to give myself ownership of the device but that's ugly and it requires root access each time. Also, it needs to be done manually each time since permissions are reset when someone logs in to the console or at reboot.

I'm sure I could also play with the udev scripts to give myself more permanent permission but that too is pretty brute force.

In the past, I wrote a script to put my user name in /var/run/console/console.lock and then ran /sbin/pam_console_apply but that is still a bit of a brute force kluge.

So, I was wondering whether there is a better way, perhaps using the hal acl functionality. I would be interested in how to both give myself fine-grain access to individual devices and also how to give myself blanket console-like access to the devices (as if I were logged in at the console).

I am running FC8.

Thanks!

#2
17th January 2008, 04:19 PM
puterboy
Anybody able to help me here or am I just posting in the wrong forum...

#3
17th January 2008, 04:24 PM
jrummy27
In my opinion, udev is the best way to do this and this is one of the purposes it is designed for. Writing udev rules is quite simple, and for permissions issues usually can be as short as something like this in /etc/udev/50-udev.rules:

KERNEL=="video1", OWNER="myuser", GROUP="mygroup", MODE="0660"
__________________
"Ooh, they have the internet on computers now" -Homer

#4
17th January 2008, 04:32 PM
puterboy
Yes and thanks - I am aware of how to do it in udev but my concern is that I am then basically "hardwiring" in a specific owner/group/mode configuration that will overwrite the more general default one. That for example may work for me when I am trying to access the video device remotely, but presumably would screw someone else who later tries to log in from the console.

Based on googling, it seems like the hal/acl stuff may offer the ability to give broader and more granular control but I couldn't find any good writeups at the level of detail I need. Also, before mucking with security stuff, I would like to make sure that I am taking the right approach.

So I was hoping for a more "elegant" and "flexible" approach, but if one doesn't exist, I will probably have to use udev similar to how you suggest.

#5
17th January 2008, 05:38 PM
jrummy27
I guess I am not understanding what goal you wish to accomplish...You can't access a device over vnc but can from the terminal as the same user? That shouldn't be. Logging in through vnc gives you the same rights/permissions as logging in locally.

As long as your udev rule gives broader permissions than the original policy then nothing will have a problem. So if owner is root:root and permissions are 600, then if you make it myuser:mygroup 660 nothing that needs access will have a problem.

As far as hal/acl stuff I have no experience with that so can't comment.
__________________
"Ooh, they have the internet on computers now" -Homer

#6
17th January 2008, 06:10 PM
puterboy
Quote:
Originally Posted by jrummy27
I guess I am not understanding what goal you wish to accomplish...You can't access a device over vnc but can from the terminal as the same user? That shouldn't be. Logging in through vnc gives you the same rights/permissions as logging in locally.
I was talking about VLC (not VNC). I use VLC to stream multimedia over my LAN. I typically access it (to start/stop a stream for example) via ssh. But logging in via ssh does not set console permissions (which I believe is done through some combination of pam and hal/acl stuff).

Quote:
As long as your udev rule gives broader permissions than the original policy then nothing will have a problem. So if owner is root:root and permissions are 600, then if you make it myuser:mygroup 660 nothing that needs access will have a problem.
True, but I would prefer not to create "broader" permissions if not necessary. On the contrary, I would prefer to be as GRANULAR as possible in granting permissions. Call me paranoid.

Quote:
As far as hal/acl stuff I have no experience with that so can't comment.
Me neither. But I truly APPRECIATE your attempt to help me here...

#7
17th January 2008, 06:12 PM
jrummy27
Quote:
I was talking about VLC (not VNC).
My bad, /me reads closer this time and now it makes sense.
__________________
"Ooh, they have the internet on computers now" -Homer
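
Added example, not part of any post in this thread: a small Python model of the POSIX access check (owner, named-user ACL entry, group, other) that compares the hardwired udev rule from post #3 with the per-user ACL entry asked about in posts #1 and #4. The users alice and guest, and the assumption that console login hands the node to the console user, are constructed for illustration.

```python
from dataclasses import dataclass, field

R, W = 4, 2  # permission bits, as in one octal mode digit

@dataclass
class Node:
    """Constructed model of a device node such as /dev/video1."""
    owner: str
    group: str
    mode: int                                      # e.g. 0o660
    acl_users: dict = field(default_factory=dict)  # named-user ACL entries
    acl_mask: int = R | W                          # only applies when ACL entries exist

def may_open_rw(node, user, groups):
    """Check order from acl(5): owner, named user, group, other.
    Root's override (CAP_DAC_OVERRIDE) is deliberately not modelled."""
    if user == node.owner:
        granted = (node.mode >> 6) & 7
    elif user in node.acl_users:
        granted = node.acl_users[user] & node.acl_mask
    elif node.group in groups:
        granted = (node.mode >> 3) & 7
        if node.acl_users:
            granted &= node.acl_mask
    else:
        granted = node.mode & 7
    return granted & (R | W) == (R | W)

# Constructed users: "alice" sits at the console, "myuser" comes in over ssh
# (myuser/mygroup are the names used in post #3), "guest" is anyone else.
USERS = {"alice": {"alice"}, "myuser": {"mygroup"}, "guest": {"guest"}}

CONFIGS = {
    # Assumption: console login has handed the node to the console user.
    "console-owned": Node("alice", "root", 0o600),
    # Owner/group/mode fixed by the udev rule from post #3.
    "udev-hardwired": Node("myuser", "mygroup", 0o660),
    # Console ownership kept, plus one named-user ACL entry for the ssh user.
    "acl-entry": Node("alice", "root", 0o600, acl_users={"myuser": R | W}),
}

def access_matrix():
    """Return {config: {user: can_open_read_write}} for every combination."""
    return {name: {u: may_open_rw(node, u, g) for u, g in USERS.items()}
            for name, node in CONFIGS.items()}

if __name__ == "__main__":
    for name, row in access_matrix().items():
        print(f"{name:15s}", row)
```

On a real system the third configuration corresponds to running `setfacl -m u:myuser:rw /dev/video1` as root, and the entry has to be reapplied whenever the node is recreated, for example at reboot.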