udev rules
2018-12-30 16:37

It's pretty common to add a udev rule in /etc/udev/rules.d/ for new hardware.
There are two ways of granting access: using groups and permissions, or using systemd's uaccess tag.
Here's an example showing groups and permissions. Anyone in the "users" group can access the switch, but only those in the "eng" (engineering) group can flash the switch. This is a pretty common arrangement for hardware development teams:
    # /etc/udev/rules.d/77-northbound-networks.rules
    # Northbound Networks
    # Zodiac FX OpenFlow switch
    ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2404", ENV{ID_MM_DEVICE_IGNORE}="1", GROUP="users", MODE="0660", SYMLINK+="ttyzodiacfx"
    # Zodiac FX OpenFlow switch after flash "erase"
    # The Atmel SAM4E Cortex-M4F CPU is running a bootloader waiting for software
    # download via USB and the SAM-BA tool (the CPU is Atmel part ATSAM4E8C-AU,
    # use board description "at91sam4e8-ek").
    ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="6124", ENV{ID_MM_DEVICE_IGNORE}="1", GROUP="eng", MODE="0660", SYMLINK+="ttyat91sam4e8-ek"
    # Atmel-ICE Basic JTAG
    ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2141", MODE="664", GROUP="eng"
Here's an example for a YubiKey. Any seated user can access the YubiKey:
    # /etc/udev/rules.d/69-u2f.rules
    # Yubico YubiKey
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", TAG+="uaccess"
Note that this file must sort before, and so run before, /usr/lib/udev/rules.d/73-seat-late.rules, which is why it is numbered 69.
Also, the systemd developers have tried to abstract the rules a little, making them more declarative and less procedural (always a good design rule). Of course, they haven't documented this (never a good design practice). See the file /lib/udev/rules.d/70-uaccess.rules and look for the ID_ variables. So the YubiKey example could have been:
    # /etc/udev/rules.d/69-u2f.rules
    # Yubico YubiKey
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", ENV{ID_SECURITY_TOKEN}="1"
If you want only seated users to access the device, use the uaccess tag. If you want users who log in to the machine remotely to use the device, use a group and permissions.
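To check which of those two models each rule in a rules file actually uses, here is an added audit script (not part of the original post): it parses udev rule syntax, reports whether a rule grants access through GROUP/MODE or through the uaccess ACL (either TAG+="uaccess" or the ID_SECURITY_TOKEN variable that 70-uaccess.rules turns into the tag), and flags MODE values with "other" bits set, like the "664" on the JTAG rule above. The rule text in SAMPLE is constructed from the rules in this post.

```python
import re

# One key/operator/value token of a udev rule, e.g. ATTRS{idVendor}=="03eb"
TOKEN = re.compile(r'\s*([A-Za-z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?')

def parse_rule(line):
    """Split one rule line into (key, attr, op, value) tuples; attr is None when absent."""
    tokens, pos = [], 0
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse rule at column {pos}: {line[pos:]!r}")
        tokens.append(m.groups())
        pos = m.end()
    return tokens

def classify_rule(line):
    """Report whether a rule grants access by group/permissions or by the uaccess ACL."""
    matches, grants, mode, world = {}, set(), None, False
    for key, attr, op, value in parse_rule(line):
        if op in ("==", "!="):
            matches[f"{key}{{{attr}}}" if attr else key] = value
        elif key == "TAG" and op == "+=" and value == "uaccess":
            grants.add("uaccess")
        elif key == "ENV" and attr == "ID_SECURITY_TOKEN" and value == "1":
            grants.add("uaccess")  # 70-uaccess.rules turns this ID_ variable into the tag
        elif key in ("GROUP", "OWNER"):
            grants.add("group")
        elif key == "MODE":
            mode = int(value, 8)
            grants.add("group")
            world = bool(mode & 0o007)  # "other" bits set: not confined to the group
    return {"matches": matches, "grants": sorted(grants), "mode": mode, "world_accessible": world}

def audit_rules(text):
    # Classify every non-comment rule; 'line' is the 1-based line number in the file
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            results.append(dict(classify_rule(line), line=lineno))
    return results

# Constructed sample: rules from the post gathered into one file body
SAMPLE = '''# Zodiac FX OpenFlow switch, then Atmel-ICE JTAG, then YubiKey (two spellings)
ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2404", ENV{ID_MM_DEVICE_IGNORE}="1", GROUP="users", MODE="0660", SYMLINK+="ttyzodiacfx"
ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2141", MODE="664", GROUP="eng"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114", TAG+="uaccess"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114", ENV{ID_SECURITY_TOKEN}="1"
'''
```

Run audit_rules over the contents of a file in /etc/udev/rules.d/ and look for rules whose grants list is empty (the device stays root-only) or whose world_accessible flag is set.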