This site is now 100% read-only, and retired.

How Debian controls hardware access

Posted by Steve on Mon 14 Mar 2005 at 11:00

Tags:

Like a lot of other Linux distributions Debian handles hardware access via the groups upon the system. This is the single most common reason why access to sound, CD-ROMs, and other devices fail.

A common symptom of insufficient permissions will be that the superuser, root, will be able to perform an action, such as listening to music, whilst an ordinary user will not be able to.

On Debian systems there are a number of different groups, each specified in the /etc/group file, for controlling access to particular devices.

  • audio
    • Members of the audio group can access the sound device /dev/dsp. This is required for listening to music, or making audio recordings.
  • dialout
    • The dialout group is used to control access to dialout scripts which connect to ISPs, etc. If you're using ppp, dip or similar services you'll need to be a member of the dialout group. (Or root!)
  • cdrom
    • All members of the cdrom group have read + write access to the CD-ROM devices upon a system, if any.
  • floppy
    • The floppy group has the ability to read and write to any floppy disk which is in the drive, if any.
  • video
    • The video group gains the ability to write to video memory. This is required if you wish to use the nvidia driver, for example.
  • fax
    • The fax group is similar to the dialout group and allows you to interface with any fax device.
  • sudo
    • Members of the sudo group need not type their passwords when running sudo, although it's more obvious to specify this by using the NOPASSWD option inside the configuration file.
  • tape
    • Being a member of the tape device allows you to work with any attached tape device.

Other groups exist as a simple convention, so far example members of the staff group can write to /usr/local by default - so they can add local software. Similarly the members of the group src can directly write to the /usr/src directory.

To add a user to a particular group you would run the following command as root:

adduser username groupname

Eg:

root@mystery:~# adduser skx audio
Adding user `skx' to group `audio'...
Done.

Once this has been done the user must logout and login again for the changes to take effect.

To see which groups you are a member of you can run the "id" command:

skx@mystery:~$ id
uid=1000(skx) gid=1000(skx) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),1000(skx)

 

 


Polish translation
Posted by ptecza (83.24.xx.xx) on Sat 9 Apr 2005 at 18:28
Hello Steve!

Polish translation of your article is available now at
http://www.debianusers.pl/article.php?aid=75. Thank you
very much for your writing!

I don't understand only one thing. Why do you write
about sudo group together with the groups controlling
access to hardware devices.

Best regards!

Pawel

[ Parent ]

Re: Polish translation
Posted by Steve (204.52.xx.xx) on Sat 9 Apr 2005 at 21:36
[ View Weblogs ]

It just seemed appropriate to mention as many of the groups as possible - although I agree that it doesn't serve as a hardware control and I guess it stands out a little.

Thanks for your work, and continued support.

Steve
-- Steve.org.uk

[ Parent ]

Re: How Debian controls hardware access
Posted by lepalom (147.83.xx.xx) on Fri 13 Jan 2006 at 19:19
I would like to ask how to manage this groups with ldap, or if it's possible. Because this approach with a few machines is ok, but if you have 40 terminals with floppy, or cdrom with 100 users, and you have configured a ldap server, how to manage it?

Regards

[ Parent ]

Re: How Debian controls hardware access
Posted by Steve (82.41.xx.xx) on Fri 13 Jan 2006 at 19:32
[ View Weblogs ]

LDAP doesn't have any obvious bearing, since that is to control user id, and these are system groups.

Typically you would use some system whereby local users in front of a machine would be granted access to common devices such as video, disk, cd-rom, etc by PAM.

Steve

[ Parent ]

Re: How Debian controls hardware access
Posted by lepalom (62.57.xx.xx) on Fri 13 Jan 2006 at 22:01
do you know if could be problematic if ldap controls "this" groups: cdrom, audio, video, floppy, etc.? because if not, it could be an elegant way to solve this in a network environment.

Leo

[ Parent ]

Re: How Debian controls hardware access
Posted by Anonymous (131.175.xx.xx) on Wed 17 May 2006 at 15:56
You can use the command newgrp(1) to see the effects of adduser, without the need of loggin out and in.

[ Parent ]

Re: How Debian controls hardware access
Posted by Anonymous (85.157.xx.xx) on Fri 23 Oct 2015 at 05:54
I'm trying to find out how to get OpenCPN on my puter, but the command scripts are not known to the system. Not even your own adduser command was known by the system.

[ Parent ]