
removal usb rule for polkit

0 votes
0 answers
45 views
I'm having trouble writing a rule that would allow all (or some subset of) users to access a YubiKey (a USB security device). The device appears as /dev/hidraw2, and the normal user is on an ACL (access control list) that grants permission to use it. However, if a second user is also logged in, they're not on the device's ACL. The system is running OpenRC and not systemd, so elogind is controlling the ACLs. (elogind is a daemon for OpenRC that emulates some of the systemd functionality that OpenRC doesn't have out of the box.) When I manually add a secondary user to the ACL for this device with setfacl, this works. But it's not persistent, and when the device is removed and re-inserted, setfacl has to be called again. As far as I can tell, elogind uses polkit to determine which user gets put on an ACL. But I've not been able to write a polkit rule that would allow all users (or some limited subset of all users) to use the device. Here's an example of a rule that I tried:
// Rule as posted, with the missing "polkit." prefix and the unbalanced braces fixed
polkit.addRule(function(action, subject) {
    // Grants YES for every action to anyone in the plugdev group
    if (subject.isInGroup("plugdev")) {
        return polkit.Result.YES;
    }
});
That example is far too permissive, since it should allow anyone in plugdev to access any device (I think). But even that doesn't allow secondary users to access the device. I've looked at a ton of polkit example rules, and I'm kind of stumped. Any ideas?
Asked by jyoung (131 rep)
Oct 22, 2024, 07:18 PM
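As an added illustration (not from the question and not polkit's or elogind's own code), this shows how the rule above can be narrowed so it no longer answers YES for every action: it matches one specific action.id, requires the subject's session to be local and active, and otherwise returns nothing so polkit falls through to other rules and the .policy defaults. The action id is a placeholder, and the `polkit` object is a small stand-in constructed here so the rule can be exercised outside polkitd.

```javascript
// Stand-in for the global `polkit` object that polkitd provides to rules
// files (assumption: constructed here only so the rule runs outside polkitd).
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: undefined },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // Evaluate rules in order; the first defined result wins, as polkitd does.
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return undefined; // not handled: polkitd falls back to .policy defaults
  },
};

// Placeholder action id (assumption): replace it with the id that `pkaction`
// lists for the operation elogind actually asks polkit about.
const DEVICE_ACTION_ID = "org.example.placeholder.device-access";

// Narrowed rule: group membership alone is not enough. The action must be
// the intended one and the subject must be a local, active session;
// anything else is left to other rules and the policy defaults.
polkit.addRule(function (action, subject) {
  if (action.id !== DEVICE_ACTION_ID) {
    return undefined;
  }
  if (subject.isInGroup("plugdev") && subject.local && subject.active) {
    return polkit.Result.YES;
  }
  return undefined;
});

// Builds a subject shaped like the one polkitd hands to rules
// (isInGroup, local, active), from constructed sample values.
function makeSubject(groups, local, active) {
  return {
    local,
    active,
    isInGroup(g) { return groups.includes(g); },
  };
}

// Runs the registered rules for one constructed request.
function decide(actionId, groups, local, active) {
  return polkit.evaluate({ id: actionId }, makeSubject(groups, local, active));
}
```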