group access to local devices on shared networked machines

Patrick Goetz pgoetz at mail.utexas.edu
Fri May 8 15:28:31 UTC 2009


> Date: Tue, 05 May 2009 11:17:04 +0100
> From: Scott James Remnant <scott at canonical.com>
> Subject: Re: Usev permissions and USB scanners

> On Sun, 2009-05-03 at 16:16 +0300, kohen.d at gmail.com wrote:

> > I created a usbdev group and added my user to that group, added a
> > group setting to that line instead of the recommended mode change,
> > and my scanner works,

> We prefer not to use groups in this way.
> Instead we use ACLs on devices such as scanners so that logged in
> console users can directly access the device without needing to be in
> any special group.
> Further access can be granted through the "Authorizations" tool.


Hi -

Would anyone care to elaborate on this, as we brought this up with
Canonical support well over a year ago for Hardy and no good solution
was offered at that time (so we came up with our own).

The problem: how to provide access to, say, local optical drives to
incidental LDAP users who aren't automatically in the device groups
since they're not local users.

Our solution was to use PAM. By adding these lines to the
/etc/security/group.conf file:

   *;:0|tty*&!ttyp*;*;Al0000-2400;dialout,dip,audio,video
   *;*;*;Al0000-2400;cdrom,floppy,scanner,plugdev,storage,vboxusers,fuse

console users are added, for example, to the audio/video groups while
anyone who logs in from anywhere is added to the cdrom/scanner groups
(this allows users to use the scanners and optical devices remotely).

I'm most curious to know if there is now a better way of providing this
functionality to network users.
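
Added example, not part of the original message and not pam_group's own code: a simplified Python model of the group.conf format (services;ttys;users;times;groups) that reports which supplementary groups the two rules above would give a session. It assumes the logic operators are evaluated strictly left to right, substitutes Python's fnmatch for PAM's own wildcard matching, and uses constructed service, tty and user names.

```python
import fnmatch

# The two rules quoted in the message above.
GROUP_CONF = """\
*;:0|tty*&!ttyp*;*;Al0000-2400;dialout,dip,audio,video
*;*;*;Al0000-2400;cdrom,floppy,scanner,plugdev,storage,vboxusers,fuse
"""
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

def logic(expr, matches):
    """Evaluate '&', '|' and '!' strictly left to right, with no precedence."""
    result, op, token, negate = False, "|", "", False
    for ch in expr + "|":                      # trailing '|' flushes the last token
        if ch in "&|":
            value = matches(token.strip()) != negate
            result = (result and value) if op == "&" else (result or value)
            op, token, negate = ch, "", False
        elif ch == "!" and not token.strip():
            negate = not negate
        else:
            token += ch
    return result

def time_ok(spec, weekday, hhmm):
    """spec such as 'Al0000-2400'; weekday 0=Monday; hhmm an int such as 1528."""
    days, i = set(), 0
    while spec[i:i + 2] in DAYS:
        days ^= DAYS[spec[i:i + 2]]            # a repeated day toggles off again
        i += 2
    start, end = (int(part) for part in spec[i:].split("-"))
    return weekday in days and start <= hhmm < end   # midnight wrap not modelled

def groups_for(conf, service, tty, user, weekday, hhmm):
    """Return the supplementary groups the rules in conf would add, in order."""
    granted = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        services, ttys, users, times, groups = (f.strip() for f in line.split(";"))
        if (logic(services, lambda p: fnmatch.fnmatchcase(service, p))
                and logic(ttys, lambda p: fnmatch.fnmatchcase(tty, p))
                and logic(users, lambda p: fnmatch.fnmatchcase(user, p))
                and logic(times, lambda t: time_ok(t, weekday, hhmm))):
            granted += [g.strip() for g in groups.split(",") if g.strip() not in granted]
    return granted

if __name__ == "__main__":
    # Constructed sessions: a text console and a remote pseudo-terminal.
    for tty in ("tty1", "pts/0"):
        print(tty, groups_for(GROUP_CONF, "login", tty, "ldapuser", 4, 1528))
```

Run against a site's real group.conf, the same function gives a quick audit of which device groups a non-console session picks up.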




