我有一个读卡器连接在/dev/sdb.
我所做的是用下面的命令把全部权限（读、写、执行）授予所有者、所属组以及系统上的其他所有用户:
sudo chmod 777 /dev/sdb
是否可以使用另一种权限组合,只允许所有者(也就是我)使用这个读卡器?
只有一个用户帐户。
有多种方法可以实现这一点。
在大多数发行版中,块设备通常归某个特定的组所有。您只需把自己的用户加入该组即可。
例如,在我的系统上:
# ls -l /dev/sdb
brw-rw---- 1 root disk 8, 16 2014/07/07-21:32:25 /dev/sdb
因此我只需把我的用户添加到 disk 组中(新的组成员身份要在重新登录后才会生效)。
# usermod -a -G disk patrick
另一种方法是创建一条 udev 规则,在检测到该设备时自动运行命令。
首先,您需要找到一种能唯一识别该设备的方法。这可以用 udevadm 来完成。例如:
# udevadm info -a -n /dev/sdb
Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.
looking at device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0/host6/target6:0:0/6:0:0:0/block/sdb':
KERNEL=="sdb"
SUBSYSTEM=="block"
DRIVER==""
ATTR{ro}=="0"
ATTR{size}=="31116288"
ATTR{stat}==" 279 219 3984 1182 0 0 0 0 0 391 1182"
ATTR{range}=="16"
ATTR{discard_alignment}=="0"
ATTR{events}=="media_change"
ATTR{ext_range}=="256"
ATTR{events_poll_msecs}=="-1"
ATTR{alignment_offset}=="0"
ATTR{inflight}==" 0 0"
ATTR{removable}=="1"
ATTR{capability}=="51"
ATTR{events_async}==""
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0/host6/target6:0:0/6:0:0:0':
KERNELS=="6:0:0:0"
SUBSYSTEMS=="scsi"
DRIVERS=="sd"
ATTRS{rev}=="0207"
ATTRS{type}=="0"
ATTRS{scsi_level}=="0"
ATTRS{model}=="STORAGE DEVICE "
ATTRS{state}=="running"
ATTRS{queue_type}=="none"
ATTRS{iodone_cnt}=="0x184"
ATTRS{iorequest_cnt}=="0x184"
ATTRS{device_busy}=="0"
ATTRS{evt_capacity_change_reported}=="0"
ATTRS{timeout}=="30"
ATTRS{evt_media_change}=="0"
ATTRS{max_sectors}=="240"
ATTRS{ioerr_cnt}=="0x2"
ATTRS{queue_depth}=="1"
ATTRS{vendor}=="Generic "
ATTRS{evt_soft_threshold_reached}=="0"
ATTRS{device_blocked}=="0"
ATTRS{evt_mode_parameter_change_reported}=="0"
ATTRS{evt_lun_change_reported}=="0"
ATTRS{evt_inquiry_change_reported}=="0"
ATTRS{iocounterbits}=="32"
ATTRS{eh_timeout}=="10"
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0/host6/target6:0:0':
KERNELS=="target6:0:0"
SUBSYSTEMS=="scsi"
DRIVERS==""
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0/host6':
KERNELS=="host6"
SUBSYSTEMS=="scsi"
DRIVERS==""
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3/1-1.3:1.0':
KERNELS=="1-1.3:1.0"
SUBSYSTEMS=="usb"
DRIVERS=="usb-storage"
ATTRS{bInterfaceClass}=="08"
ATTRS{bInterfaceSubClass}=="06"
ATTRS{bInterfaceProtocol}=="50"
ATTRS{bNumEndpoints}=="02"
ATTRS{supports_autosuspend}=="1"
ATTRS{bAlternateSetting}==" 0"
ATTRS{bInterfaceNumber}=="00"
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.3':
KERNELS=="1-1.3"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bDeviceProtocol}=="00"
ATTRS{devpath}=="1.3"
ATTRS{idVendor}=="05e3"
ATTRS{speed}=="480"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bConfigurationValue}=="1"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{busnum}=="1"
ATTRS{devnum}=="5"
ATTRS{configuration}==""
ATTRS{bMaxPower}=="500mA"
ATTRS{authorized}=="1"
ATTRS{bmAttributes}=="80"
ATTRS{bNumConfigurations}=="1"
ATTRS{maxchild}=="0"
ATTRS{bcdDevice}=="0207"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{quirks}=="0x0"
ATTRS{serial}=="000000000207"
ATTRS{version}==" 2.00"
ATTRS{urbnum}=="1115"
ATTRS{ltm_capable}=="no"
ATTRS{manufacturer}=="Generic"
ATTRS{removable}=="unknown"
ATTRS{idProduct}=="0727"
ATTRS{bDeviceClass}=="00"
ATTRS{product}=="USB Storage"
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1/1-1':
KERNELS=="1-1"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bDeviceProtocol}=="01"
ATTRS{devpath}=="1"
ATTRS{idVendor}=="8087"
ATTRS{speed}=="480"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bConfigurationValue}=="1"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{busnum}=="1"
ATTRS{devnum}=="2"
ATTRS{configuration}==""
ATTRS{bMaxPower}=="0mA"
ATTRS{authorized}=="1"
ATTRS{bmAttributes}=="e0"
ATTRS{bNumConfigurations}=="1"
ATTRS{maxchild}=="6"
ATTRS{bcdDevice}=="0000"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{quirks}=="0x0"
ATTRS{version}==" 2.00"
ATTRS{urbnum}=="61"
ATTRS{ltm_capable}=="no"
ATTRS{removable}=="unknown"
ATTRS{idProduct}=="0024"
ATTRS{bDeviceClass}=="09"
looking at parent device '/devices/pci0000:00/0000:00:1d.0/usb1':
KERNELS=="usb1"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bDeviceProtocol}=="00"
ATTRS{devpath}=="0"
ATTRS{idVendor}=="1d6b"
ATTRS{speed}=="480"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bConfigurationValue}=="1"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{authorized_default}=="1"
ATTRS{busnum}=="1"
ATTRS{devnum}=="1"
ATTRS{configuration}==""
ATTRS{bMaxPower}=="0mA"
ATTRS{authorized}=="1"
ATTRS{bmAttributes}=="e0"
ATTRS{bNumConfigurations}=="1"
ATTRS{maxchild}=="3"
ATTRS{bcdDevice}=="0313"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{quirks}=="0x0"
ATTRS{serial}=="0000:00:1d.0"
ATTRS{version}==" 2.00"
ATTRS{urbnum}=="26"
ATTRS{ltm_capable}=="no"
ATTRS{manufacturer}=="Linux 3.13.6-gentoo ehci_hcd"
ATTRS{removable}=="unknown"
ATTRS{idProduct}=="0002"
ATTRS{bDeviceClass}=="09"
ATTRS{product}=="EHCI Host Controller"
looking at parent device '/devices/pci0000:00/0000:00:1d.0':
KERNELS=="0000:00:1d.0"
SUBSYSTEMS=="pci"
DRIVERS=="ehci-pci"
ATTRS{irq}=="23"
ATTRS{subsystem_vendor}=="0x144d"
ATTRS{broken_parity_status}=="0"
ATTRS{class}=="0x0c0320"
ATTRS{companion}==""
ATTRS{enabled}=="1"
ATTRS{consistent_dma_mask_bits}=="32"
ATTRS{dma_mask_bits}=="32"
ATTRS{local_cpus}=="0f"
ATTRS{device}=="0x1e26"
ATTRS{uframe_periodic_max}=="100"
ATTRS{msi_bus}==""
ATTRS{local_cpulist}=="0-3"
ATTRS{vendor}=="0x8086"
ATTRS{subsystem_device}=="0xc0d3"
ATTRS{numa_node}=="-1"
ATTRS{d3cold_allowed}=="1"
looking at parent device '/devices/pci0000:00':
KERNELS=="pci0000:00"
SUBSYSTEMS==""
DRIVERS==""
然后在 /etc/udev/rules.d 中创建一个新文件,例如 99-cardreader.rules,内容如下:
# Matches block-device nodes (kernel name $name) whose parent chain contains the
# USB device with this idProduct and serial (the values come from the 6th
# "looking at" entry of the udevadm output above), and on the "add" event runs
# chmod 0777 on the node. That makes the raw device readable and writable by
# every local user, not just the owner -- the ACL-based rule below is the
# preferred form.
SUBSYSTEM=="block", ATTRS{idProduct}=="0727", ATTRS{serial}=="000000000207", ACTION=="add", RUN+="/bin/chmod 777 /dev/$name"
在这里,我利用 udevadm info 命令的输出来查找该设备的一些识别信息。我使用了第一个条目中的 SUBSYSTEM=="block",而 ATTRS 的值则取自第 6 个条目(也就是 USB 设备本身)。这条规则实际上会先找到具有该产品 ID 和序列号的 USB 设备,再匹配由该 USB 设备派生出来的块设备。
这条 RUN 命令会把设备节点的权限改为 777。但我认为这不是一个好的解决方案,因为它会让系统上的任何用户都能直接读写该设备。更好的做法是:
# Same match as the rule above, but instead of changing the mode the RUN command
# adds a POSIX ACL entry that grants read/write on the node to user "patrick"
# only; the node's ownership and mode (root:disk brw-rw---- on the author's
# system) are left as they are, so no other user gains access. The username is
# hard-coded in the command -- replace "patrick" with your own account name.
SUBSYSTEM=="block", ATTRS{idProduct}=="0727", ATTRS{serial}=="000000000207", ACTION=="add", RUN+="/bin/setfacl -m u:patrick:rw- /dev/$name"
这会通过 ACL 仅授予用户 patrick 对该设备的读/写权限,而不会向其他用户开放设备。
注意:在编写 udev 规则时,请务必记住,您只能同时使用来自最顶层设备以及链中另外一个设备的参数。因此我可以使用 SUBSYSTEM=="block" 参数和来自 USB 设备的 ATTRS 参数,但不能再使用链中任何其他设备的参数,否则规则将无法匹配。