- Pd Community Site
- How can I set permissions to read HID devices on GNU/Linux?
- More Security
- Check
- Notes
- Thread: USB Device Permissions
- USB Device Permissions
- Re: USB Device Permissions
- Re: USB Device Permissions
- Re: USB Device Permissions
- Re: USB Device Permissions
- Re: USB Device Permissions
- Re: USB Device Permissions
- Understanding Linux File Permissions
- Permission Types
- Explicitly Defining Permissions
- Using Binary References to Set permissions
- Linux Tutorial — 8. Permissions
- Permissions!
- Introduction
- So what are they?
- View Permissions
- Change Permissions
- Setting Permissions Shorthand
- Permissions for Directories
- The root user
- Basic Security
- Summary
- Activities
Pd Community Site
How can I set permissions to read HID devices on GNU/Linux?
The Pd-extended [hid] object allows you to access Human Interface Devices such as mice, keyboards, and joysticks. However, in most Linux distributions, these devices are set up so that they cannot be read directly by Pd unless you run it as root.
Running a non-system process as root is considered a security risk, so an alternative is to change the permissions of the input devices so that pd can read them.
This guide has been tested on Ubuntu 9.10 Karmic. Please update and add addenda for newer versions.
The fix is to write a udev rule opening permissions. Udev is a system daemon that creates the device tree in /dev as devices are added and removed based on a set of rules.
Following the Debian udev rules naming policy, create our rule for pd in /etc/udev/rules.d/85-pure-data.rules:
Note: This is the Debian/Ubuntu location. Check your distribution for where it puts udev rules.
Now add the following rules to /etc/udev/rules.d/85-pure-data.rules:
Note: each udev rule must be on a single line. Use only spaces, no tabs. Lines that start with `#` are comments.
This rule sets the permissions to 666 for input devices. Reboot your machine and the HID object should now be able to open them.
More Security
Setting input devices to 666 also opens the chance for someone to read your keyboard and mouse input. If you feel this is a security risk, try swapping MODE="666" with the following:
Then create an "input" group and add yourself to it:
This will add any input devices to the input group, and only users you add to this group can then read them. Reboot your machine for the rules to take effect.
Check
Here I used the more secure approach and you can see the event and mouse devices are marked rw for both users and groups.
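The same check can be scripted. The following is an added example, not part of the original guide: a POSIX shell function that classifies each node under a directory by whether others, or only the expected group, can read it. It assumes GNU `stat`; the function names, the verdict labels and the defaults (`/dev/input`, group `input`) are choices made for this example.

```shell
# Added example: classify device nodes by who can read them.
# Usage: audit_input_nodes [DIR] [GROUP]   (defaults: /dev/input and input)
# Output: one line per node, "<verdict> <octal mode> <group> <path>"
#   OPEN    others can read the node (what MODE="666" produces)
#   GROUP   group-readable, owned by GROUP, and others have no read bit
#   CLOSED  neither of the above (for example root-only 600, or another group)
audit_input_nodes() {
    scan_dir=${1:-/dev/input}
    want_group=${2:-input}
    # Skip directories and the by-id/by-path symlinks; keep the nodes themselves.
    find "$scan_dir" ! -type d ! -type l | sort | while IFS= read -r node; do
        mode=$(stat -c '%a' "$node") || continue
        group=$(stat -c '%G' "$node") || continue
        # The leading 0 makes the shell read the mode as an octal constant.
        if [ $(( 0$mode & 04 )) -ne 0 ]; then
            verdict=OPEN
        elif [ $(( 0$mode & 040 )) -ne 0 ] && [ "$group" = "$want_group" ]; then
            verdict=GROUP
        else
            verdict=CLOSED
        fi
        printf '%s %s %s %s\n' "$verdict" "$mode" "$group" "$node"
    done
}

# Number of nodes that any local user can read; 0 is the goal of the stricter rule.
count_open_nodes() {
    audit_input_nodes "$@" | grep -c '^OPEN ' || true
}

# Typical use on a real system:
#   audit_input_nodes /dev/input input
```

Any line starting with OPEN means every local account can read that device's events.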
Notes
If the rule doesn’t seem to work, you can run a udev test to see if it’s being read and if there are any errors. Run the test using an input device:
Check out the udev tutorial on how to create more detailed rules. It’s actually pretty easy once you get the hang of it. Mainly, use the following command to get a list of attributes to match to your target device when you plug it in or remove it, then use them to create a new rule:
Thread: USB Device Permissions
USB Device Permissions
I’m writing a Python app using pyusb which needs access to a USB device (it’s a data logger with no Linux driver). The Python script works, but I have to run it as root to give it access to the USB device.
Does anyone know how to change the permissions to allow my user full access to the device (and ideally, but less importantly, allow the virtualbox user full access)?
Re: USB Device Permissions
Re: USB Device Permissions
Don’t know if I get your question right, but what if you do chmod 775 (read execute) or chmod 777 (read write execute) and then the path to the USB?
Re: USB Device Permissions
Last edited by kostaben; December 3rd, 2009 at 01:17 PM .
Re: USB Device Permissions
Thanks for the reply, do you know how I find the path to the relevant USB device?
Re: USB Device Permissions
If you right click on the USB and choose properties, you can find it in there. Should be in /media but I am not sure and I don’t have a Linux machine here.
Re: USB Device Permissions
Thanks, thing is it’s not a mass storage device or similar. It’s a data logger (made by Lascar) and there aren’t any Linux drivers for it. I used SnoopyPro in Windows to see which commands are sent to it when various operations are performed on it and then pyusb in Python to simulate these commands under Linux. The script works great but can only access the USB device if run using sudo. Because the script is going to be built into a much larger project it isn’t feasible to just run the whole thing as root, so I need to allow the logged in user access to the device, if that makes any sense!
Understanding Linux File Permissions
Although there are already a lot of good security features built into Linux-based systems, one very important potential vulnerability can exist when local access is granted: file-permission-based issues resulting from a user not assigning the correct permissions to files and directories. So, based upon the need for proper permissions, I will go over the ways to assign permissions and show you some examples where modification may be necessary.
Basic File Permissions
Permission Groups
Each file and directory has three user based permission groups:
- owner – The Owner permissions apply only to the owner of the file or directory; they will not impact the actions of other users.
- group – The Group permissions apply only to the group that has been assigned to the file or directory; they will not affect the actions of other users.
- all users – The All Users permissions apply to all other users on the system, this is the permission group that you want to watch the most.
Permission Types
Each file or directory has three basic permission types:
- read – The Read permission refers to a user’s capability to read the contents of the file.
- write – The Write permissions refer to a user’s capability to write or modify a file or directory.
- execute – The Execute permission affects a user’s capability to execute a file or view the contents of a directory.
Viewing the Permissions
You can view the permissions by checking the file or directory permissions in your favorite GUI File Manager (which I will not cover here) or by reviewing the output of the “ls -l” command while in the terminal and while working in the directory which contains the file or folder.
The permission in the command line is displayed as: _rwxrwxrwx 1 owner:group
- User rights/Permissions
- The first character that I marked with an underscore is the special permission flag that can vary.
- The following set of three characters (rwx) is for the owner permissions.
- The second set of three characters (rwx) is for the Group permissions.
- The third set of three characters (rwx) is for the All Users permissions.
- Following that grouping, the integer/number displays the number of hard links to the file.
- The last piece is the Owner and Group assignment formatted as Owner:Group.
Modifying the Permissions
When in the command line, the permissions are edited by using the command chmod. You can assign the permissions explicitly or by using a binary reference as described below.
Explicitly Defining Permissions
To explicitly define permissions you will need to reference the Permission Group and Permission Types.
The Permission Groups used are:
The potential Assignment Operators are + (plus) and - (minus); these are used to tell the system whether to add or remove the specific permissions.
The Permission Types that are used are:
- r – Read
- w – Write
- x – Execute
So for an example, let’s say I have a file named file1 that currently has the permissions set to _rw_rw_rw, which means that the owner, group and all users have read and write permission. Now we want to remove the read and write permissions from the all users group.
To make this modification you would invoke the command: chmod a-rw file1
To add the permissions above you would invoke the command: chmod a+rw file1
As you can see, if you want to grant those permissions you would change the minus character to a plus to add those permissions.
Using Binary References to Set permissions
Now that you understand the permissions groups and types this one should feel natural. To set the permission using binary references you must first understand that the input is done by entering three integers/numbers.
A sample permission string would be chmod 640 file1, which means that the owner has read and write permissions, the group has read permissions, and all other users have no rights to the file.
The first number represents the Owner permission; the second represents the Group permissions; and the last number represents the permissions for all other users. The numbers are a binary representation of the rwx string.
You add the numbers to get the integer/number representing the permissions you wish to set. You will need to include the binary permissions for each of the three permission groups.
So to set the permissions on file1 to read _rwxr_____, you would enter chmod 740 file1.
Owners and Groups
I have made several references to Owners and Groups above, but have not yet told you how to assign or change the Owner and Group assigned to a file or directory.
You use the chown command to change owner and group assignments. The syntax is simple: chown owner:group filename. So to change the owner of file1 to user1 and the group to family you would enter chown user1:family file1.
Advanced Permissions
The special permissions flag can be marked with any of the following:
- _ – no special permissions
- d – directory
- l – The file or directory is a symbolic link
- s – This indicates the setuid/setgid permissions. This is not displayed in the special permission part of the permissions display, but is represented as an s in the read portion of the owner or group permissions.
- t – This indicates the sticky bit permissions. This is not displayed in the special permission part of the permissions display, but is represented as a t in the executable portion of the all users permissions
Setuid/Setgid Special Permissions
The setuid/setgid permissions are used to tell the system to run an executable as the owner with the owner’s permissions.
Be careful using setuid/setgid bits in permissions. If you incorrectly assign permissions to a file owned by root with the setuid/setgid bit set, then you can open your system to intrusion.
You can only assign the setuid/setgid bit by explicitly defining permissions. The character for the setuid/setgid bit is s.
So to set the setuid/setgid bit on file2.sh you would issue the command chmod g+s file2.sh.
Sticky Bit Special Permissions
The sticky bit can be very useful in a shared environment because, when it has been assigned to the permissions on a directory, only the file owner can rename or delete a given file in it.
You can only assign the sticky bit by explicitly defining permissions. The character for the sticky bit is t.
To set the sticky bit on a directory named dir1 you would issue the command chmod +t dir1.
Users of Mac- or Windows-based computers often don’t think about permissions, because those environments don’t focus so aggressively on user-based rights on files unless you are in a corporate environment. But now you are running a Linux-based system, where permission-based security is simplified and can be easily used to restrict access as you please.
So I will show you some documents and folders that you want to focus on and show you how the optimal permissions should be set.
- home directories – The users’ home directories are important because you do not want other users to be able to view and modify the files in another user’s documents or desktop. To remedy this you will want the directory to have the drwx______ (700) permissions. So let’s say we want to enforce the correct permissions on the user user1’s home directory; that can be done by issuing the command chmod 700 /home/user1.
- bootloader configuration files – If you decide to implement a password to boot specific operating systems then you will want to remove read and write permissions on the configuration file from all users but root. To do so, you can change the permissions of the file to 700.
- system and daemon configuration files – It is very important to restrict rights to system and daemon configuration files to keep users from editing the contents. It may not be advisable to restrict read permissions, but restricting write permissions is a must. In these cases it may be best to modify the rights to 644.
- firewall scripts – It may not always be necessary to block all users from reading the firewall file, but it is advisable to restrict the users from writing to the file. In this case the firewall script is run by the root user automatically on boot, so all other users need no rights, so you can assign the 700 permissions.
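The modes suggested in this list can be checked mechanically. The following is an added example, not code from the original article: a POSIX shell check that treats each suggested mode as an upper limit, so a file stricter than the limit passes and any extra bit is reported. It assumes GNU `stat`; the function names and the "LIMIT PATH" policy format are hypothetical choices made for this example.

```shell
# Added example: treat each suggested mode as an upper limit, not an exact value.
# check_mode PATH LIMIT -> 0 if PATH grants nothing beyond LIMIT,
#                          1 if it grants extra bits,
#                          2 if PATH cannot be examined or LIMIT is not octal.
check_mode() {
    target=$1
    limit=$2
    case $limit in
        ''|*[!0-7]*) printf 'BADLIMIT %s %s\n' "$target" "$limit"; return 2 ;;
    esac
    actual=$(stat -c '%a' "$target" 2>/dev/null) || {
        printf 'MISSING %s\n' "$target"
        return 2
    }
    # Bits present in the actual mode but absent from the limit.
    # The 07777 mask keeps setuid, setgid and sticky in the comparison.
    excess=$(( 0$actual & ~0$limit & 07777 ))
    if [ "$excess" -eq 0 ]; then
        printf 'OK %s mode=%s limit=%s\n' "$target" "$actual" "$limit"
    else
        printf 'EXCESS %s mode=%s limit=%s extra=%o\n' \
            "$target" "$actual" "$limit" "$excess"
        return 1
    fi
}

# audit_policy reads "LIMIT PATH" lines on stdin (blank lines and # comments
# are skipped) and returns non-zero if any path is missing or too permissive.
audit_policy() {
    bad=0
    while read -r limit_field path_field; do
        case $limit_field in ''|'#'*) continue ;; esac
        check_mode "$path_field" "$limit_field" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Typical use, with the article's own suggestion for a home directory:
#   printf '%s\n' '700 /home/user1' | audit_policy
```

A setuid file checked against a limit of 755 is reported with extra=4000, which is the case the setuid/setgid warning above is about.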
Other examples can be given, but this article is already very lengthy, so if you want to share other examples of needed restrictions please do so in the comments.
If you have anything to add or want to make a comment or correction please do so in the comments. I look forward to your feedback and wish you the best in your future with Linux-based systems.
Linux Tutorial — 8. Permissions
Permissions!
3 Letters to rule them all.
Introduction
Learn how Linux permissions work and how to set them effectively to enhance the security of your Linux system.
In this section we’ll learn about how to set Linux permissions on files and directories. Permissions specify what a particular person may or may not do with respect to a file or directory. As such, permissions are important in creating a secure environment. For instance you don’t want other people to be changing your files and you also want system files to be safe from damage (either accidental or deliberate). Luckily, permissions in a Linux system are quite easy to work with.
So what are they?
Linux permissions dictate 3 things you may do with a file, read, write and execute. They are referred to in Linux by a single letter each.
- r read — you may view the contents of the file.
- w write — you may change the contents of the file.
- x execute — you may execute or run the file if it is a program or script.
For every file we define 3 sets of people for whom we may specify permissions.
- owner — a single person who owns the file. (typically the person who created the file but ownership may be granted to some one else by certain users)
- group — every file belongs to a single group.
- others — everyone else who is not in the group or the owner.
Three permissions and three groups of people. That’s about all there is to permissions really. Now let’s see how we can view and change them.
View Permissions
To view permissions for a file we use the long listing option for the command ls.
- ls -l /home/ryan/linuxtutorialwork/frog.png
- -rwxr----x 1 harry users 2.7K Jan 4 07:32 /home/ryan/linuxtutorialwork/frog.png
In the above example the first 10 characters of the output are what we look at to identify permissions.
- The first character identifies the file type. If it is a dash ( - ) then it is a normal file. If it is a d then it is a directory.
- The following 3 characters represent the permissions for the owner. A letter represents the presence of a permission and a dash ( - ) represents the absence of a permission. In this example the owner has all permissions (read, write and execute).
- The following 3 characters represent the permissions for the group. In this example the group has the ability to read but not write or execute. Note that the order of permissions is always read, then write then execute.
- Finally the last 3 characters represent the permissions for others (or everyone else). In this example they have the execute permission and nothing else.
Change Permissions
To change permissions on a file or directory we use a command called chmod. It stands for change file mode bits, which is a bit of a mouthful, but think of the mode bits as the permission indicators.
chmod [permissions] [path]
chmod has permission arguments that are made up of 3 components
- Who are we changing the permission for? [ugoa] — user (or owner), group, others, all
- Are we granting or revoking the permission — indicated with either a plus ( + ) or minus ( - )
- Which permission are we setting? — read ( r ), write ( w ) or execute ( x )
The following examples will make their usage clearer.
Grant the execute permission to the group. Then remove the write permission for the owner.
- ls -l frog.png
- -rwxr----x 1 harry users 2.7K Jan 4 07:32 frog.png
- chmod g+x frog.png
- ls -l frog.png
- -rwxr-x--x 1 harry users 2.7K Jan 4 07:32 frog.png
- chmod u-w frog.png
- ls -l frog.png
- -r-xr-x--x 1 harry users 2.7K Jan 4 07:32 frog.png
Don’t want to assign permissions individually? We can assign multiple permissions at once.
- ls -l frog.png
- -rwxr----x 1 harry users 2.7K Jan 4 07:32 frog.png
- chmod g+wx frog.png
- ls -l frog.png
- -rwxrwx--x 1 harry users 2.7K Jan 4 07:32 frog.png
- chmod go-x frog.png
- ls -l frog.png
- -rwxrw---- 1 harry users 2.7K Jan 4 07:32 frog.png
It may seem odd that as the owner of a file we can remove our ability to read, write and execute that file but there are valid reasons we may wish to do this. Maybe we have a file with data in it we wish not to accidentally change for instance. While we may remove these permissions, we may not remove our ability to set those permissions and as such we always have control over every file under our ownership.
Setting Permissions Shorthand
The method outlined above is not too hard for setting permissions but it can be a little tedious if we have a specific set of permissions we would like to apply regularly to certain files (scripts for instance that we’ll see in section 13). Luckily, there is a shorthand way to specify permissions that makes this easy.
To understand how this shorthand method works we first need a little background in number systems. Our typical number system is decimal. It is a base 10 number system and as such has 10 symbols (0-9) used. Another number system is octal which is base 8 (0-7). Now it just so happens that with 3 permissions and each being on or off, we have 8 possible combinations (2^3). Now we can also represent our numbers using binary which only has 2 symbols (0 and 1). The mapping of octal to binary is in the table below.
Octal | Binary |
---|---|
0 | 0 0 0 |
1 | 0 0 1 |
2 | 0 1 0 |
3 | 0 1 1 |
4 | 1 0 0 |
5 | 1 0 1 |
6 | 1 1 0 |
7 | 1 1 1 |
(To learn more about binary numbers check out our Binary Tutorial.)
Now the interesting point to note is that we may represent all 8 octal values with 3 binary bits and that every possible combination of 1 and 0 is included in it. So we have 3 bits and we also have 3 permissions. If you think of 1 as representing on and 0 as off then a single octal number may be used to represent a set of permissions for a set of people. Three numbers and we can specify permissions for the user, group and others. Let’s see some examples. (refer to the table above to see how they match)
- ls -l frog.png
- -rw-r----x 1 harry users 2.7K Jan 4 07:32 frog.png
- chmod 751 frog.png
- ls -l frog.png
- -rwxr-x--x 1 harry users 2.7K Jan 4 07:32 frog.png
- chmod 240 frog.png
- ls -l frog.png
- --w-r----- 1 harry users 2.7K Jan 4 07:32 frog.png
People often remember commonly used number sequences for different types of files and find this method quite convenient. For example 755 or 750 are commonly used for scripts.
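The octal shorthand described here, and the "binary references" and special permission flags covered in the earlier article on this page, can be worked through in code. The following is an added example, not part of either original text: two POSIX shell functions that convert the mode field printed by ls -l to octal and back, including the setuid, setgid and sticky bits. The function names are choices made for this example.

```shell
# Added example: convert between the ls -l mode field and octal.
# mode_to_octal "-rwxr-x--x" prints 0751 (first digit = setuid/setgid/sticky).
mode_to_octal() {
    m=$1
    case $m in
        [-dlbcps][r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]*) ;;
        *) echo "bad mode string: $m" >&2; return 1 ;;
    esac
    perms=${m#?}                 # drop the file-type character
    special=0
    digits=""
    for weight in 4 2 1; do      # special-bit weights: setuid, setgid, sticky
        triplet=$(printf '%s' "$perms" | cut -c1-3)
        perms=$(printf '%s' "$perms" | cut -c4-)
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        # ls shows the special bit in the execute column: lower case when
        # execute is also set, upper case when it is not.
        case $triplet in
            ??x)    digit=$((digit + 1)) ;;
            ??[st]) digit=$((digit + 1)); special=$((special + weight)) ;;
            ??[ST]) special=$((special + weight)) ;;
        esac
        digits="$digits$digit"
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_to_mode 751 prints rwxr-x--x (accepts 3 or 4 octal digits).
octal_to_mode() {
    o=$1
    case $o in
        [0-7][0-7][0-7]) o=0$o ;;
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "bad octal mode: $1" >&2; return 1 ;;
    esac
    special=$(printf '%s' "$o" | cut -c1)
    out=""
    col=2
    for weight in 4 2 1; do
        d=$(printf '%s' "$o" | cut -c"$col")
        col=$((col + 1))
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        if [ $((special & weight)) -ne 0 ]; then
            if [ "$weight" -eq 1 ]; then flag=t; else flag=s; fi
            if [ "$x" = x ]; then
                x=$flag
            else
                x=$(printf '%s' "$flag" | tr 'st' 'ST')
            fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}
```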
Permissions for Directories
The same series of permissions may be used for directories but they have a slightly different behaviour.
- r — you have the ability to read the contents of the directory (ie do an ls)
- w — you have the ability to write into the directory (ie create files and directories)
- x — you have the ability to enter that directory (ie cd)
Let’s see some of these in action
- ls testdir
- file1 file2 file3
- chmod 400 testdir
- ls -ld testdir
- dr-------- 1 ryan users 2.7K Jan 4 07:32 testdir
- cd testdir
- cd: testdir: Permission denied
- ls testdir
- file1 file2 file3
- chmod 100 testdir
- ls -ld testdir
- d--x------ 1 ryan users 2.7K Jan 4 07:32 testdir
- ls testdir
- ls: cannot open directory testdir/: Permission denied
- cd testdir
- pwd
- /home/ryan/testdir
Note, on lines 5 and 14 above when we ran ls I included the -d option which stands for directory. Normally if we give ls an argument which is a directory it will list the contents of that directory. In this case however we are interested in the permissions of the directory directly and the -d option allows us to obtain that.
These permissions can seem a little confusing at first. What we need to remember is that these permissions are for the directory itself, not the files within. So, for example, you may have a directory which you don’t have the read permission for. It may have files within it which you do have the read permission for. As long as you know the file exists and its name you can still read the file.
- ls -ld testdir
- d--x------ 1 ryan users 2.7K Jan 4 07:32 testdir
- cd testdir
- ls
- ls: cannot open directory .: Permission denied
- cat samplefile.txt
- Kyle 20
- Stan 11
- Kenny 37
The root user
On a Linux system there are only 2 people usually who may change the permissions of a file or directory. The owner of the file or directory and the root user. The root user is a superuser who is allowed to do anything and everything on the system. Typically the administrators of a system would be the only ones who have access to the root account and would use it to maintain the system. Typically normal users would mostly only have access to files and directories in their home directory and maybe a few others for the purposes of sharing and collaborating on work and this helps to maintain the security and stability of the system.
Basic Security
Your home directory is your own personal space on the system. You should make sure that it stays that way.
Most users would give themselves full read, write and execute permissions for their home directory and no permissions for the group or others; however, some people for various reasons may have a slightly different set up.
Normally, for optimal security, you should not give either the group or others write access to your home directory, but execute without read can come in handy sometimes. This allows people to get into your home directory but not allow them to see what is there. An example of when this is used is for personal web pages.
It is typical for a system to run a webserver and allow users to each have their own web space. A common set up is that if you place a directory in your home directory called public_html then the webserver will read and display the contents of it. The webserver runs as a different user to you however so by default will not have access to get in and read those files. This is a situation where it is necessary to grant execute on your home directory so that the webserver user may access the required resources.
Summary
Activities
Let’s play with some permissions.
- First off, take a look at the permissions of your home directory, then have a look at the permissions of various files in there.
- Now let’s go into your linuxtutorialwork directory and change the permissions of some of the files in there. Make sure you use both the shorthand and longhand form for setting permissions and that you also use a variety of absolute and relative paths. Try removing the read permission from a file then reading it. Or removing the write permission and then opening it in vi.
- Let’s play with directories now. Create a directory and put some files into it. Now play about with removing various permissions from yourself on that directory and see what you can and can’t do.
- Finally, have an explore around the system and see what the general permissions are for files in other system directories such as /etc and /bin