Tag Archives: udev

udev debugging toolbox

Ever wondered why a certain rule doesn't get run? Ever got confused (or disgusted) by udev rules format?

Well, despite all the udev clutter, there are many useful tools in the udev package, which help to understand udev's behavior and decision making. I'm still far from knowing all the tricks, but here are some things that I've learned recently:

Note: the udev tools got changed several times during the last 5 years. I'll cover here the latest version (149), and the older, RHEL/CENTOS5 version.

1. udevadm info: get all info available to udev about a certain device (or all devices):

# udevadm info -e (RHEL5: udevinfo -e)

Try it.. amazing, eh? You can use each detail to write udev rules to match these devices.


/dev permissions hell

[... This post got too long for no good reason, feel free to jump to the conclusions ...]

The problem
On my CentOS 5 server, the default sound device (/dev/snd/*) permission was root:root 0600.
This means that other users simply cannot play music. Annoying.

The solution ought to be simple...
So, I ran groupadd sound and added all the relevant users to the new group.

Then I went to /etc/udev/rules.d/90-alsa.rules and added this line, to tell udev that anything sound-related should be fully accessible to the "sound" group:

SUBSYSTEM=="sound", GROUP="sound", MODE="0660"

Fanatic problem solving mode: ON
But.. not working. Then I switched into "fanatic problem solving" mode. This means: trying everything without too much thought, modifying every possible file in any possible way.. But no luck. /dev/snd/* files are still root-only-accessible.

Then I tried to really think, running the following command and really inspecting its output:

udevtest /devices/audio/subsystem/timer

(udevtest needs the /sys path and not /dev path, quite annoying)

The output shows the list of rules that udev would run for this device. Then I noticed the last line:

main: run: '/sbin/pam_console_apply /dev/snd/timer '

PAM! Of course it's guilty. Then a quick grep revealed the following in /etc/security/console.perms.d/50-default.perms:

<console> 0600 <sound> 0600 root

I commented it out, and ... voilà! All works.

In short...

Linux, or at least RedHat 5, has two conflicting mechanisms for setting /dev file permissions:
1. udev: the service responsible for /dev directory content.
2. pam: the service (well, not quite a service but something similar) responsible for the system's security.

udev actually calls PAM for each new device (in rules.d/95-pam-console.rules), so in effect PAM might override udev's permission settings. The relevant PAM config files are in /etc/security/console.perms.d.

Great, 1.5hrs got wasted. At least I've learned something.
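
To see up front which console.perms entries would override a udev rule's MODE for a given device node, here is a small checker, added as an example and not part of the original post. It parses console.perms-style text and matches device classes against a path; the sample class definitions are constructed (only the `<sound>` permission line comes from the post), and the function names are hypothetical.

```python
import fnmatch
import re

# Constructed sample in console.perms syntax. Only the <sound> permission
# line is taken from the post; the class definitions are assumptions.
SAMPLE_PERMS = r"""
# device classes are shell-style globs
<sound>=/dev/dsp* /dev/audio* \
        /dev/snd/*
<floppy>=/dev/fd[0-1]*
# <console> mode <class-or-path> revert-mode revert-owner
<console> 0600 <sound> 0600 root
<console> 0660 <floppy> 0660 root.floppy
"""

def parse_console_perms(text):
    """Return (classes, perms): glob lists per class, and permission entries."""
    classes, perms = {}, []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(<\w+>)=(.*)", line)
        if m:  # class definition: <name>=glob glob ...
            classes[m.group(1)] = m.group(2).split()
            continue
        f = line.split()
        if len(f) >= 4:  # permission definition
            perms.append({"who": f[0], "mode": f[1], "class": f[2],
                          "revert_mode": f[3],
                          "revert_owner": f[4] if len(f) > 4 else None})
    return classes, perms

def overrides_for(device, text):
    """Permission entries whose device class (or literal glob) matches device."""
    classes, perms = parse_console_perms(text)
    def globs(c):
        return classes.get(c, []) if c.startswith("<") else [c]
    return [p for p in perms
            if any(fnmatch.fnmatchcase(device, g) for g in globs(p["class"]))]

def conflicts(device, udev_mode, text):
    """Matching entries whose console or revert mode differs from udev's MODE."""
    return [p for p in overrides_for(device, text)
            if p["mode"] != udev_mode or p["revert_mode"] != udev_mode]
```

It only models which entries match a device path; it does not simulate what pam_console_apply does with ownership for the logged-in console user.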