{"id":110,"date":"2009-02-26T19:43:50","date_gmt":"2009-02-26T16:43:50","guid":{"rendered":"http:\/\/www.held.org.il\/blog\/?p=110"},"modified":"2009-02-26T19:43:50","modified_gmt":"2009-02-26T16:43:50","slug":"dev-permissions-hell","status":"publish","type":"post","link":"http:\/\/www.held.org.il\/blog\/2009\/02\/dev-permissions-hell\/","title":{"rendered":"\/dev permissions hell"},"content":{"rendered":"<p><strong>[... This post got too long for no good reason, feel free to jump to <a href=\"#in_short\">the conclusions<\/a> ...]<\/strong><\/p>\n<p><strong>The problem<\/strong><br \/>\nOn my CentOS 5 server, the default sound device (\/dev\/snd\/*) permission was root:root 0600.<br \/>\nThis means that other users simply cannot play music. Annoying.<\/p>\n<p><strong>The solution ought to be simple...<\/strong><br \/>\nSo, I ran <em>groupadd sound<\/em> and added all the relevant users to the new group.<\/p>\n<p>Then, I went to \/etc\/udev\/rules.d\/90-alsa.rules, and added this line, to say that anything sound-related should be fully accessible to the \"sound\" group:<\/p>\n<blockquote><p>SUBSYSTEM==\"sound\",             GROUP=\"sound\", MODE=\"0660\"<\/p><\/blockquote>\n<p><strong>Fanatic problem solving mode: ON<\/strong><br \/>\nBut.. not working. Then I switched into \"fanatic problem solving\" mode. This means: trying everything without too much thought, modifying every possible file in every possible way.. But no luck. \/dev\/snd\/* files are still root-only-accessible.<\/p>\n<p><strong>A-HA!<\/strong><br \/>\nThen I tried to really think.. running the following command and really inspecting its output:<\/p>\n<blockquote><p>udevtest \/devices\/audio\/subsystem\/timer<\/p><\/blockquote>\n<p>(udevtest needs the \/sys path and not the \/dev path, quite annoying)<\/p>\n<p>The output shows the list of rules that udev would run for this device. 
Then I noticed the last line:<\/p>\n<blockquote><p>main: run: '\/sbin\/pam_console_apply \/dev\/snd\/timer '<\/p><\/blockquote>\n<p>PAM! Of course it's guilty. Then a quick grep revealed the following in <em>\/etc\/security\/console.perms.d\/50-default.perms<\/em>:<\/p>\n<blockquote><p>&lt;console&gt;  0600 &lt;sound&gt;      0600 root<\/p><\/blockquote>\n<p>I commented it out, and ... voilà! All works.<\/p>\n<hr \/>\n<p><a name=\"in_short\"><br \/>\n<strong>In short...<\/strong><br \/>\n<\/a><br \/>\nLinux, or at least RedHat 5, has two conflicting mechanisms for setting \/dev file permissions:<br \/>\n1. udev: the service responsible for the \/dev directory content.<br \/>\n2. pam: the service (well, not quite a service but something similar) responsible for the system's security.<\/p>\n<p>Udev actually <strong>calls<\/strong> the pam service on a new device (in <em>rules.d\/95-pam-console.rules<\/em>), so in effect, <strong>pam might actually override Udev permission settings<\/strong>. The relevant PAM config files are in <em>\/etc\/security\/console.perms.d<\/em>.<\/p>\n<p>Great, 1.5hrs got wasted. At least I've learned something.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[&#8230; This post got too long for no good reason, feel free to jump to the conclusions &#8230;] The problem On my CentOS 5 server, the default sound device (\/dev\/snd\/*) permission was root:root 0600. This means that other users simply cannot play music. Annoying. 
The solution ought to be simple&#8230; So, I&#8217;ve ran groupadd sound [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[75],"tags":[198,84,120],"_links":{"self":[{"href":"http:\/\/www.held.org.il\/blog\/wp-json\/wp\/v2\/posts\/110"}],"collection":[{"href":"http:\/\/www.held.org.il\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.held.org.il\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.held.org.il\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.held.org.il\/blog\/wp-json\/wp\/v2\/comments?post=110"}],"version-history":[{"count":0,"href":"http:\/\/www.held.org.il\/blog\/wp-json\/wp\/v2\/posts\/110\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.held.org.il\/blog\/wp-json\/wp\/v2\/media?parent=110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.held.org.il\/blog\/wp-json\/wp\/v2\/categories?post=110"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.held.org.il\/blog\/wp-json\/wp\/v2\/tags?post=110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}