Bug#996749: Missing rules for webcams with /dev/media* controls

Michael Biebl biebl at debian.org
Mon Oct 18 09:01:50 BST 2021


On 18.10.21 at 09:34, Joseph Carter wrote:
> I'm actually not in group video. I have simply been granted access to the /dev/video* devices by virtue of having logged in at the console. That explains why Debian doesn't have this—Debian is not trying to use ACLs for device access. I hadn't needed it for the video devices because of this in 70-uaccess.rules:
> 
> # Webcams, frame grabber, TV cards
> SUBSYSTEM=="video4linux", TAG+="uaccess"
> SUBSYSTEM=="dvb", TAG+="uaccess"
> 
> I've corrected that (and added myself to several other groups I can see I probably want to be in based on my "other" user on the system as well).
> 
> I think the TAG+="uaccess" for SUBSYSTEM=="media" is a good idea, since I think the uaccess tag for console users is probably intended by RedHat's holy Gnoman Empire, if one is not using udev/systemd, ACLs won't get assigned and the group is necessary. I'll leave the question of closing this or considering implementing it to you and the systemd team.


As said, this is not something that should imho be addressed via 
downstream patch. So if you have an interest in this, please consider 
filing this upstream.

> 
> Joseph
> 
> On Mon, Oct 18, 2021, at 00:12, Michael Biebl wrote:
>> Control: tags -1 + upstream
>>
>> Hello
>>
>> On 18.10.21 at 08:20, Joseph Carter wrote:
>>> Package: udev
>>> Version: 249.5-1
>>> Severity: normal
>>>
>>> Many webcams now use more than the standard /dev/videoN device to
>>> control them through e.g. uvcdynctrl. For example, here is my Logitech
>>> C930e, which is a pretty common example on Debian:
>>>
>>> ```
>>> tjcarter@aki:~$ uvcdynctrl -l
>>> Listing available devices:
>>>     video0   Logitech Webcam C930e
>>>       Media controller device: /dev/media0
>>> ERROR: Unable to open media controller device '/dev/media0': Permission denied (Error: 13)
>>> ERROR: Unable to list device entities: Invalid device or device cannot be opened. (Code: 5)
>>>     video1   Logitech Webcam C930e
>>>       Media controller device /dev/media1 doesn't exist
>>> ERROR: Unable to list device entities: Invalid device or device cannot be opened. (Code: 5)
>>> ```
>>>
>>> Okay, I have no idea why there are two /dev/video entries there since
>>> only the first one actually is a video device. Either way, you can see
>>> that there's an error accessing /dev/media0, which is definitely
>>> provided by the camera:
>>>
>>> ```
>>> tjcarter@aki:~$ ls -l /dev/media*
>>> crw-rw----+ 1 root video 239, 0 Oct 17 11:01 /dev/media0
>>> tjcarter@aki:~$ cat /sys/dev/char/239\:0/model
>>> Logitech Webcam C930e
>>> ```
>>>
>>> I should have access to this as a console user, but I don't. Searching
>>> online, I found this file, named 65-media-uaccess.rules which is
>>> supposedly part of systemd … but not on my system it isn't!
>>
>> Where exactly did you find this information? My online searches turn up
>> nothing.
>> Do you have a reference?
>> Looking at the systemd/udev git repo, it never shipped a file named
>> 65-media-uaccess.rules afaics
>>
>>> ```
>>> #  SPDX-License-Identifier: LGPL-2.1+
>>> #
>>> #  This file is part of systemd.
>>> #
>>> #  systemd is free software; you can redistribute it and/or modify it
>>> #  under the terms of the GNU Lesser General Public License as published by
>>> #  the Free Software Foundation; either version 2.1 of the License, or
>>> #  (at your option) any later version.
>>>
>>> ACTION=="remove", GOTO="media_uaccess_end"
>>> ENV{MAJOR}=="", GOTO="media_uaccess_end"
>>>
>>> # Newer Webcams, frame grabber, TV cards
>>> SUBSYSTEM=="media", TAG+="uaccess"
>>>
>>> LABEL="media_uaccess_end"
>>> ```
>>>
>>> Sure enough, adding it to the system fixes the permission error:
>>>
>>> ```
>>> tjcarter@aki:~$ uvcdynctrl -l
>>> Listing available devices:
>>>     video0   Logitech Webcam C930e
>>>       Media controller device: /dev/media0
>>>       Entity 1: Logitech Webcam C930e. Type: 65537, Revision: 0, Flags: 1, Group-id: 0, Pads: 1, Links: 0
>>>         Device node
>>>         Entity: 1, Pad 0, Flags: 1
>>>     video1   Logitech Webcam C930e
>>>       Media controller device /dev/media1 doesn't exist
>>> ERROR: Unable to list device entities: Invalid device or device cannot be opened. (Code: 5)
>>> tjcarter@aki:~$ uvcdynctrl -c
>>> Listing available controls for device video0:
>>>     Brightness
>>>     Contrast
>>>     Saturation
>>>     White Balance Temperature, Auto
>>>     Gain
>>>     Power Line Frequency
>>>     White Balance Temperature
>>>     Sharpness
>>>     Backlight Compensation
>>>     Exposure, Auto
>>>     Exposure (Absolute)
>>>     Exposure, Auto Priority
>>>     Pan (Absolute)
>>>     Tilt (Absolute)
>>>     Focus (absolute)
>>>     Focus, Auto
>>>     Zoom, Absolute
>>>     LED1 Mode
>>>     LED1 Frequency
>>> tjcarter@aki:~$ uvcdynctrl -g "Zoom, Absolute"
>>> 100
>>> tjcarter@aki:~$ uvcdynctrl -s "Zoom, Absolute" 150
>>> tjcarter@aki:~$ uvcdynctrl -g "Zoom, Absolute"
>>> 150
>>> ```
>>>
>>> (This by the way zooms the camera in to have a tighter focus on me and
>>> less my kitchen behind me.)
>>>
>>> On some cameras (my IPEVO document camera for example) access to the
>>> associated /dev/mediaN device is required to put the camera into a mode
>>> offering (compressed) high-resolution AND high-framerate mode. The
>>> aforementioned IPEVO can do 4k at 30fps, but Cheese and OBS are unable
>>> to set that mode without access to the media controller.
>>>
>>> Is there a reason the tag for the media subsystem is not found on Debian
>>> systems? It seems currently or previously it was intended by systemd's
>>> devs that console users have access to it. Can or should it be made that
>>> way by default on Debian systems?
>>>
>>
>> Looking at /lib/udev/rules.d/50-udev-default.rules, I see a static group
>> permission for those types of devices:
>>
>> SUBSYSTEM=="media", GROUP="video"
>>
>> So I assume if you are in group video, you should have access to those
>> devices.
>>
>> I don't find anything in /lib/udev/rules.d/70-uaccess.rules related to
>> those types of devices. I'm not sure if this is intentional or not.
>>
>> Can you please raise this upstream at
>> https://github.com/systemd/systemd/issues/new
>>
>> I'm not really familiar with those types of devices to assess whether
>> it's safe to ship such a rule which sets the uaccess tag or not.
>>
>> And if so, it should definitely be addressed upstream not via a
>> downstream patch/change.
>>
>> Regards,
>> Michael
>>
>>

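Added example, not part of the original thread or of systemd: a simplified evaluator for the rule lines quoted above, showing that the shipped rules expose a media node only through group video, while the proposed 65-media-uaccess.rules additionally sets the uaccess tag. The function names, the event values and the reduced matching logic are assumptions for illustration; real udev supports more keys and operators.

```python
import fnmatch
import re

# Constructed input: rule lines quoted in this thread, keyed by the file they were quoted from.
SHIPPED = {
    "50-udev-default.rules": 'SUBSYSTEM=="media", GROUP="video"\n',
    "70-uaccess.rules": 'SUBSYSTEM=="video4linux", TAG+="uaccess"\n'
                        'SUBSYSTEM=="dvb", TAG+="uaccess"\n',
}
PROPOSED = {
    "65-media-uaccess.rules": 'ACTION=="remove", GOTO="media_uaccess_end"\n'
                              'ENV{MAJOR}=="", GOTO="media_uaccess_end"\n'
                              '# Newer Webcams, frame grabber, TV cards\n'
                              'SUBSYSTEM=="media", TAG+="uaccess"\n'
                              'LABEL="media_uaccess_end"\n',
}
TOKEN = re.compile(r'([A-Z]+(?:\{\w+\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')


def evaluate(rule_files, event):
    """Return (group, tags) after applying the rule files, in name order, to one event."""
    group, tags = None, set()
    for name in sorted(rule_files):
        skip_to = None  # pending GOTO target; labels are local to one rules file
        for line in rule_files[name].splitlines():
            tokens = [] if line.lstrip().startswith("#") else TOKEN.findall(line)
            if skip_to is not None:
                if ("LABEL", "=", skip_to) in tokens:
                    skip_to = None
                continue
            for key, op, value in tokens:
                if op in ("==", "!="):
                    # Simplified match: shell-style glob against the event property.
                    if fnmatch.fnmatchcase(event.get(key, ""), value) != (op == "=="):
                        break  # one failed match key skips the rest of the rule
                elif key == "GROUP":
                    group = value
                elif key == "TAG" and op == "+=":
                    tags.add(value)
                elif key == "GOTO":
                    skip_to = value
    return group, tags


def access_model(rule_files, subsystem, action="add", major="239"):
    """Summarise how a device node of this subsystem is opened up."""
    event = {"SUBSYSTEM": subsystem, "ACTION": action, "ENV{MAJOR}": major}
    group, tags = evaluate(rule_files, event)
    return {"group": group, "uaccess": "uaccess" in tags}
```

Calling `access_model(SHIPPED, "media")` and then `access_model({**SHIPPED, **PROPOSED}, "media")` shows the difference between the two access paths discussed in the thread: static group membership versus the uaccess tag given to console users.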
