accesio / APCI

Currently supported and recommended PCI drivers

How do I remove the need to use sudo? #6

Closed mkaivs closed 1 year ago

mkaivs commented 1 year ago

I don't want to give my user application sudo privilege so I need to read and write to the device file without the need to use sudo. I have tried the following:

sudo groupadd apci
sudo usermod -aG apci $USER
sudo chown -R root:apci /dev/apci
sudo chmod 660 /dev/apci/pcie_idio_24_0

Output of ls -la /dev/apci

total 0
drwxr-xr-x  2 root apci     60 Jan 11 10:02 .
drwxr-xr-x 22 root root       4640 Jan 11 10:03 ..
crw-rw----  1 root apci 235, 0 Jan 11 10:02 pcie_idio_24_0

But I still need sudo in order to open /dev/apci/pcie_idio_24_0. How do I remove the need to use sudo?

mkaivs commented 1 year ago

I tried sudo chmod 666 /dev/apci/pcie_idio_24_0 and I can access the file without the need to use sudo now. However, after I reboot the machine, the file permission is reset to 600. Is there a way to modify the driver so that by default the character device doesn't require sudo to use?

jdolanIV commented 1 year ago

@mkaivs

You need to log out and log back in for changes to group membership to take effect.

There are a few ways to do what you want. It's possible to modify the driver to create the device with other permissions, but this is considered extremely bad practice. I think what you are going to want is to use udev to set things up the way you want.

https://unix.stackexchange.com/questions/141255/give-a-specific-user-permissions-to-a-device-without-giving-access-to-other-user

mkaivs commented 1 year ago

@jdolanIV

Thanks for the advice. I'm aware that setting the permission to 666 is bad practice; it's just to get something working first before I get to a better solution. I appreciate that the driver is designed with good practice in mind. I originally wanted to do what you suggest with the link, which is to create a group, add my user to that group and give the group permission to access the file. After logging out and logging in again, I don't need sudo anymore.

However, after reboot, I will have to change the ownership & permission of the character file again. I think it makes sense that the character device is created with root:group instead of root:root and 660 instead of 600 access permission. If the character device is created with root:group and permission is set to 660, to grant a user permission to access the device without sudo, I just need to add the user to that group and that will persist after reboot.

For example:

crw-rw----   1 root dialout   4,  64 Jan 11 12:38 ttyS0
crw-rw----   1 root dialout   4,  65 Jan 11 12:38 ttyS1
crw-rw----   1 root dialout   4,  74 Jan 11 12:38 ttyS10
crw-rw----   1 root dialout   4,  75 Jan 11 12:38 ttyS11

I used to use a driver, and that driver creates a character device with root:dialout and permission is 660, so I only need to add my user to the dialout group once to remove the need to use sudo. I think doing that is still secure because adding a user to a group still needs sudo; I just don't have to do the same thing every single time I reboot the machine, just a one-time setup.

Would you consider showing me how to update the driver to create the device character file with root:groupname ownership and 660 permission?

jdolanIV commented 1 year ago

You can use udev to change the group as well as the owner.

https://www.thegeekdiary.com/how-to-configure-device-file-owner-group-with-udev-rules/

Somewhere in one of our modules I thought we had an "#ifdef" that allowed for what you are looking for, but I'm having trouble finding it right now. I'll do a better job of looking this evening when I'm on the clock. Or maybe @JHentges will chime in because he's the one that originally found it.

JHentges commented 1 year ago

Hello, John here.

There's a line in apci_common.h you can set to change the default permissions:

#define APCI_DEFAULT_DEVFILE_MODE 0000 // /dev/{cardname} will get these permissions on creation

It gets used in the apci_dev.c file in the apci_devnode() function.

I don't know how to change the driver so it is root:group, but maybe Jay does.

John Hentges | Director of Software Engineering and Digital Design | ACCES I/O Products, Inc. http://accesio.com/contact-us | (858) 467-5582 | JohnHentges-ACCESIO#7568 on Discord


mkaivs commented 1 year ago

@jdolanIV @JHentges

Thank you for your advice, I can use udev for the setting that I want.
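
The udev approach suggested in the thread, together with a check for the stale-session case from the first comment, as an added example that is not part of the original thread or ACCES I/O's code. The rule file name, the `KERNEL` match pattern and the `install`/`check` subcommands are assumptions; confirm the match keys with `udevadm info -a -n /dev/apci/pcie_idio_24_0`.

```shell
#!/bin/sh
# Added example, not ACCES I/O code. Assumptions: group "apci" (from the
# thread), the rule file name, and the KERNEL match pattern below.
RULE_FILE=/etc/udev/rules.d/99-apci.rules   # assumed file name

# Print a udev rule granting group access; refuse any mode with bits for "other".
apci_rule() {  # $1 = group, $2 = 4-digit octal mode
    case "$2" in
        0[0-7][0-7]0) ;;
        *) echo "refusing mode $2: grants access to every local user" >&2
           return 1 ;;
    esac
    printf 'KERNEL=="pcie_idio_24_*", GROUP="%s", MODE="%s"\n' "$1" "$2"
}

# True if group $2 appears as a whole word in the space-separated list $1.
has_group() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Explain why open() still fails after usermod -aG: the group database and
# the groups of the already-running login session are two different things.
group_state() {  # $1 = session groups, $2 = database groups, $3 = group
    if has_group "$1" "$3"; then echo active
    elif has_group "$2" "$3"; then echo relogin-needed
    else echo not-a-member
    fi
}

case "${1:-}" in
    install)  # run as root: write the rule, reload, re-apply to existing nodes
        apci_rule apci 0660 > "$RULE_FILE" || exit 1
        udevadm control --reload-rules
        udevadm trigger ;;
    check)    # run as the unprivileged user
        # id -nG reads this process's groups; id -nG USER reads the database
        group_state "$(id -nG)" "$(id -nG "$(id -un)")" apci
        ls -l /dev/apci ;;
esac
```

Because udev reapplies the rule each time the node is created, the `root:apci` ownership and 0660 mode persist across reboots without changing `APCI_DEFAULT_DEVFILE_MODE` in the driver.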