Package: squeak-plugins-scratch
Version: 1.4.0.2~svn.r83-2.1
Tags: patch
Severity: important

When installing Debian, the initial user was traditionally made a member of the plugdev group, and this granted access to local hardware dongles when this user is logged in. This approach causes problems for users originating from directory services like LDAP and Active Directory, as such plugdev membership cannot be granted globally. The plugdev membership can be assigned during login (using pam_group), but still this approach is problematic because left-behind processes keep the group membership even when the user is no longer logged in on the machine, allowing background processes to get access to other people's hardware.

There is an alternative to group membership for device access, using file system ACLs, and with systemd this is the recommended default according to the systemd maintainers. To enable it for a given device, the 'access' tag can be set.

Please do so for the squeak-plugins-scratch udev rule, to allow the device to work for any console user, not only the one created during installation. The key part is the TAG+="uaccess" part. I also suggest adding the ID_LEGO_MINDSTORMS attribute we in the Debian LEGO team are trying to get set for all LEGO-related udev rules in Debian. Here is a patch:

--- debian/95-wedo.rules.orig 2016-10-11 06:29:18.679368276 +0000 +++ debian/95-wedo.rules 2016-10-11 06:32:17.009619728 +0000 @@ -1,2 +1,3 @@ -ATTRS{idVendor}=="0694", ATTRS{idProduct}=="0003", SUBSYSTEMS=="usb", ACTION=="add", MODE="0666", GROUP="plugdev" - +ATTRS{idVendor}=="0694", ATTRS{idProduct}=="0003", SUBSYSTEMS=="usb", ACTION=="add", \ + MODE="0666", GROUP="plugdev", \ + ENV{ID_LEGO_MINDSTORMS}=="1", TAG+="uaccess"

I suspect the plugdev/mode part can be removed, but did not suggest doing so at this time because I am unsure how it affects non-systemd users.

-- 
Happy hacking
Petter Reinholdtsen
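
Review bot: in the last added line, `ENV{ID_LEGO_MINDSTORMS}=="1"` uses `==`, which is udev's match operator and not an assignment, so the rule would only apply when that property is already 1. Nothing in this rule sets it, so unless an earlier rule does, MODE, GROUP and the uaccess tag are never applied to the device; write `ENV{ID_LEGO_MINDSTORMS}="1"` to set the property instead. The added lines also keep `MODE="0666"`, which leaves the device node readable and writable by every local account, so the per-user ACL that uaccess grants to the console user restricts nothing; with `GROUP="plugdev"` kept for non-systemd setups, 0660 would preserve the group path while letting the ACL do its job. Finally, if the file is installed under its 95- name it sorts after systemd's 73-seat-late.rules, where the uaccess tag is acted on, so the tag would need to be set from an earlier-numbered rules file to take effect.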