Udev rule granting the console user access to the USB device node by default?


Tollef Fog Heen

Apr 9, 2011, 4:38:49 PM
to yubico...@googlegroups.com

Hi all,

I'm wondering if it would make sense to add a udev rule similar to:

ACTION=="add|change", SUBSYSTEM=="usb", \
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", \
TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

to yubico-c-client (or perhaps libyubikey). This makes it so a yubikey
plugged in will be usable by the console user for challenge/response
without further ado. Currently, you need to either run ykchalresp as
root or chown/chmod/setfacl the USB device node.

regards,
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
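
Added example, not part of the original thread or of any Yubico package: a shell function that audits `getfacl` output for the USB device node and reports whether write access is limited to the one expected console user, which is what the rule above is meant to achieve. The user name `alice`, the device path and both ACL listings are constructed sample data.

```sh
#!/bin/sh
# Reads getfacl text on stdin; $1 is the user expected to hold the ACL entry.
audit_acl() {
    awk -F: -v want="$1" '
        /^#/ || NF < 3 { next }
        { perm = substr($3, 1, 3) }          # drop any "#effective:" suffix
        $1 == "mask"                 { mask = perm }
        $1 == "other" && perm ~ /w/  { bad = bad " other-writable" }
        $1 == "user" && $2 != ""     { perms[$2] = perm }
        END {
            for (u in perms) {
                # a named-user entry is limited by the mask entry
                eff_w = (perms[u] ~ /w/) && (mask == "" || mask ~ /w/)
                if (eff_w && u == want) found = 1
                else if (eff_w)         bad = bad " extra-user:" u
            }
            if (!found) bad = bad " missing:" want
            if (bad != "") { print "FAIL" bad; exit 1 }
            print "OK " want
        }'
}

# Constructed sample: node after an ACL grant to the console user.
sample_console_acl() { cat <<'EOF'
# file: dev/bus/usb/001/004
# owner: root
# group: root
user::rw-
user:alice:rw-
group::r--
mask::rw-
other::r--
EOF
}

# Constructed sample: node opened to everyone with a blanket chmod instead.
sample_chmod_acl() { cat <<'EOF'
# file: dev/bus/usb/001/004
# owner: root
# group: root
user::rw-
group::rw-
other::rw-
EOF
}

sample_console_acl | audit_acl alice
sample_chmod_acl   | audit_acl alice || true
# On a live system: getfacl <device node> | audit_acl "$USER"
```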

Fredrik Thulin

Apr 10, 2011, 2:26:34 AM
to yubico...@googlegroups.com, Tollef Fog Heen
On Sat, Apr 9, 2011 at 10:38 PM, Tollef Fog Heen <tfh...@err.no> wrote:
>
> Hi all,
>
> I'm wondering if it would make sense to add a udev rule similar to:
>
> ACTION=="add|change", SUBSYSTEM=="usb", \
>  ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", \
>  TEST=="/var/run/ConsoleKit/database", \
>  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
>
> to yubico-c-client (or perhaps libyubikey).  This makes it so a yubikey
> plugged in will be usable by the console user for challenge/response
> without further ado. Currently, you need to either run ykchalresp as
> root or chown/chmod/setfacl the USB device node.

I'd vote for that, but I think yubikey-personalization is the correct
package to add it to (since that package currently is the one with the
USB communication stuff in it).

yubico-c-client could be installed on a server, validating OTPs
submitted to a web app.

/Fredrik
