r8297 - in trunk/BOOK: general/genlib introduction/welcome postlfs/config

bdubbs at linuxfromscratch.org
Sat Mar 6 14:33:48 PST 2010

Author: bdubbs
Date: 2010-03-06 15:33:48 -0700 (Sat, 06 Mar 2010)
New Revision: 8297

Added additional information about <para>[bdubbs] - Added additional information about

Modified: trunk/BOOK/general/genlib/libusb.xml
--- trunk/BOOK/general/genlib/libusb.xml	2010-03-06 19:28:21 UTC (rev 8296)
+++ trunk/BOOK/general/genlib/libusb.xml	2010-03-06 22:33:48 UTC (rev 8297)
@@ -126,14 +126,9 @@
     <primary sortas="d-USB-device-filesystem">Support for Host-side USB</primary>
-    <para>To have raw USB devices set up properly, add the following
-    <application>udev</application> rule.</para>
+    <para>For more details on setting up USB devices, see <xref
+    linkend="usb-device-issues"/>.  </para>
-<screen><literal>cat > /etc/udev/rules.d/23-usb.rules << "EOF"
-# Set group ownership for raw USB devices
-SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GROUP="usb"
     <para>Fine-tuning of permissions is also possible by creating extra rules,
     matching on something like this (on one line).  The vendor and product can
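Review bot: the deleted udev rule (`SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GROUP="usb"`) is the base rule that the surviving sentence "Fine-tuning of permissions is also possible by creating extra rules" still refers to, and the new devices.xml section this page now points to does not carry that rule either; it only states that raw USB devices are "by default" owned by root and group usb. Either keep the rule here or add it (or a pointer to where the default rule is installed) to the usb-device-issues section, so a reader following the xref can still see where the default ownership comes from. Minor: there is a double space before `</para>` in the new xref sentence.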
@@ -152,12 +147,12 @@
 <screen><literal>usbfs  /proc/bus/usb  usbfs  devgid=14,devmode=0660  0  0</literal></screen>
     <para>Add any users that need to access raw USB devices to the
     <systemitem class="groupname">usb</systemitem> group.</para>
 <screen role="root"><userinput>usermod -a -G usb <replaceable><username></replaceable></userinput></screen>
   <sect2 role="content">
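Review bot: the `usermod -a -G usb` instruction stays here without any of the caution this same commit adds to devices.xml (the new `<note>` that members of the usb group can bypass the permissions of the driver-specific device nodes, e.g. read USB hard drives without being in the disk group); since this is the page most readers act on, repeat that warning here or move the xref next to the usermod line. The usbfs fstab entry in this hunk is also now duplicated verbatim in the new usb-device-issues section; consider replacing this copy with the xref as well, since the new section is where it is explained that usbfs is obsolete and only needed for applications that still use /proc/bus/usb.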

Modified: trunk/BOOK/introduction/welcome/changelog.xml
--- trunk/BOOK/introduction/welcome/changelog.xml	2010-03-06 19:28:21 UTC (rev 8296)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2010-03-06 22:33:48 UTC (rev 8297)
@@ -45,6 +45,10 @@
       <para>March 7th, 2010</para>
+          <para>[bdubbs] - Added additional information about
+          configuring USB devices.</para>
+        </listitem>
+        <listitem>
           <para>[randy] - Updated to Freeglut-2.6.0.</para>

Modified: trunk/BOOK/postlfs/config/devices.xml
--- trunk/BOOK/postlfs/config/devices.xml	2010-03-06 19:28:21 UTC (rev 8296)
+++ trunk/BOOK/postlfs/config/devices.xml	2010-03-06 22:33:48 UTC (rev 8297)
@@ -50,6 +50,65 @@
+  <sect2 id="usb-device-issues">
+    <title>USB Device Issues</title>
+    <para>USB devices usually have two kinds of device nodes associated with
+    them.</para>
+    <para>The first kind is created by device-specific drivers (e.g.,
+    usb_storage/sd_mod or usblp) in the kernel. For example, a USB mass storage
+    device would be /dev/sdb, and a USB printer would be /dev/usb/lp0. These
+    device nodes exist only when the device-specific driver is loaded.</para>
+    <para>The second kind of device nodes (/dev/bus/usb/BBB/DDD, where BBB is
+    the bus number and DDD is the device number) is created even if the device
+    doesn't have a kernel driver. By using these "raw" USB device nodes, an
+    application can exchange arbitrary USB packets with the device, i.e.,
+    bypass the possibly-existing kernel driver.</para>
+    <para>Access to raw USB device nodes is needed when a userspace program is
+    acting as a device driver. However, for the program to open the device
+    successfully, the permissions have to be set correctly. By default, due to
+    security concerns, all raw USB devices are owned by user root and group
+    usb, and have 0664 permissions (the read access is needed, e.g., for lsusb
+    to work and for programs to access USB hubs). Packages (such as SANE and
+    libgphoto2) containing userspace USB device drivers also ship udev rules
+    that change the permissions of the controlled raw USB devices. That is, rules
+    installed by SANE change permissions for known scanners, but not printers.  
+    If a package maintainer forgot to write a rule for your device,
+    report a bug to both BLFS (if the package is there) and upstream, and 
+    ypu will need ot write your own rule.</para>
+    <para>There is one situation when such fine-grained access control with
+    pre-generated udev rules doesn't work. Namely, PC emulators such as KVM,
+    QEMU and VirtualBox use raw USB device nodes to present arbitrary USB
+    devices to the guest operating system (note: patches are needed in order to
+    get this to work without the obsolete /proc/bus/usb mount point described
+    below). Obviously, maintainers of these packages cannot know which USB
+    devices are going to be connected to the guest operating system. You can
+    either write separate udev rules for all needed USB devices yourself, or
+    use the default catch-all "usb" group, members of which can send 
+    arbitrary commands to all USB devices. </para>
+    <para>Before Linux-2.6.15, raw USB device access was performed not with
+    /dev/bus/usb/BBB/DDD device nodes, but with /proc/bus/usb/BBB/DDD
+    pseudofiles. Some applications (e.g., VMware Workstation) still use only
+    this deprecated technique and can't use the new device nodes. For them to
+    work, use the "usb" group, but remember that members will have unrestricted
+    access to all USB devices.  To create the fstab entry for the obsolete
+    usbfs filesystem:</para>
+<screen><literal>usbfs  /proc/bus/usb  usbfs  devgid=14,devmode=0660  0  0</literal></screen>
+    <note><para>Adding users to the "usb" group is inherently insecure, as they
+    can bypass access restrictions imposed through the driver-specific USB
+    device nodes. For instance, they can read sensitive data from USB hard drives
+    without being in the "disk" group. Avoid adding users to this group, if 
+    you can.</para></note>
+  </sect2>
     <title>Udev Device Attributes</title>
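Review bot: typos in the "If a package maintainer forgot to write a rule" paragraph: "ypu will need ot write" should read "you will need to write", and the lines ending "but not printers." and "upstream, and" carry trailing whitespace. Also worth reconciling: the text says raw USB devices default to 0664 so that lsusb and access to hubs keep working for everyone, while the usbfs entry below uses devmode=0660, under which only gid 14 (the usb group) can read; one sentence saying that this read access is lost under usbfs, or why 0660 is used there, would remove the apparent contradiction. The security note itself is the right addition: it states plainly that the usb group is a catch-all that defeats the per-driver node permissions, which is the point readers need before following the usermod step on the libusb page.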
@@ -71,17 +130,6 @@
-  <sect2>
-    <title>USB Device Issues</title>
-    <para>Some older applications, such as <application>VMware</application>,
-    need the following deprecated entry in the <filename>/etc/fstab</filename>
-    file. This is not normally needed.</para>
-<screen><literal>usbfs  /proc/bus/usb  usbfs  devgid=14,devmode=0660  0  0</literal></screen>
-  </sect2>
     <title>Multiple Network Interfaces</title>
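Review bot: removal is safe; the only content here, the usbfs fstab line, survives verbatim in the new section, and this old `<sect2>` had no id, so no existing xref can break. The old wording "This is not normally needed" is dropped, but the new section conveys the same by calling /proc/bus/usb obsolete and tying it to applications such as VMware Workstation.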
