# Problems accessing USB devices with non-root user inside Jail



## moellinger (Jan 12, 2015)

Hi,

I need to access a USB device with a non-root user within a jail. I had similar issues with FreeNAS and now installed a fresh FreeBSD 9.3.

When running `usbconfig` as root in the jail, I see all the USB devices connected.

The device required for my setup is:

```
ugen1.3: <KNX-USB Data Interface Gira Giersiepen GmbH  Co. KG> at usbus1, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (50mA)
```

This is a USB device connecting to a home automation system.

My permissions are as follows:

```
root@knx:/dev # ll ugen1.3
lrwxr-xr-x  1 root  wheel  9 Dec  8 10:19 ugen1.3@ -> usb/1.3.0
```

I've modified the devfs.rules:

```
root@knx:/dev # cat /etc/devfs.rules

[system=10]
add path 'usbctl' mode 660 group operator
add path 'usb/*' mode 660 group operator
add path 'ugen*' mode 0660 group operator
```

and rc.conf:

```
root@knx:/dev # cat /etc/rc.conf
devfs_system_ruleset="system"
```

If I'm now running `usbconfig` with user eib, I'm getting the following output:

```
root@knx:/dev # sudo -u eib usbconfig

No device match or lack of permissions.
```

I'm able to access the USB device as root without any issues but not with any other user. User eib has been added to the operator group.

Is there anything wrong with my devfs config?

Thanks.
Moellinger


----------



## sidetone (Mar 14, 2015)

Set /etc/sysctl.conf in your base system to

```
vfs.usermount=1
```
for non-root users to mount hardware. See FAQ for FreeBSD - Chapter 8. Disks, File Systems, and Boot Loaders.

I'm guessing your device is showing inside the jail's /dev directory. If not: there should be another section in the base system devfs.rules that is used for your jails, similar to what you have for [system=10]. From inside the jail you may also want to check /etc/devfs.conf


----------



## LeoSum (Dec 15, 2015)

sidetone said:


> From inside the jail you may also want to check /etc/devfs.conf



What line should be in this file?

I am having a similar option where I can only access /dev/cuaU0 as a root user from within a jail, but not as non-root. Can you maybe share an example?


----------



## SirDice (Dec 15, 2015)

Jails have limited access to devices. See /etc/defaults/devfs.rules:

```
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
```

If you need to access a certain device from within a jail you'll need to unhide it. Similarly, you need to set the correct permissions to access /dev/cuau0 as a non-root user in the jail rules.


----------



## sidetone (Dec 15, 2015)

/etc/devfs.conf

```
own    /dev/cuaU0   root:operator
perm   /dev/cuaU0   0666
```
Permission 0660 usually works for me too.


----------



## LeoSum (Dec 15, 2015)

Thanks for looking into my problem, guys!
Unfortunately I still can't figure it out though.

This is where I am at now:

*On the host machine:*
vfs.usermount is 1:

```
[root@server] ~# sysctl vfs.usermount
vfs.usermount: 1
```

The last section in /etc/defaults/devfs.rules looks like this:

```
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path 'cuaU0' unhide
```

I am guessing that the unhiding worked, since I can access the device from inside the jail as root, right?

*Inside the jail:*
the /etc/devfs.conf looks like this:

```
own  /dev/cuaU0  root:operator
perm  /dev/cuaU0  0666
```

I made sure that the user fhem is member of the operator group:

```
pw usermod fhem -G wheel,operator,fhem
```

I also tried without the /dev/:

```
own  cuaU0  root:operator
perm  cuaU0  0666
```

and also to make fhem the owner:

```
own  cuaU0  fhem:fhem
perm  cuaU0  0666
```

but these all don't work. What am I missing? Of course I restarted the jail every time.

I read something about changing this entry in /etc/rc.conf inside the jail:

```
devfs_system_ruleset="devfsrules_common"
```

But I wouldn't know what to change it to.


----------



## sidetone (Dec 15, 2015)

What do you see under /dev/, about cuau0, in your jail?


----------



## LeoSum (Dec 15, 2015)

```
root@fhem:/usr/home/fhem # ls -l /dev/cuaU*
crw-rw----  1 uucp  dialer  0x9b Dec 15 19:12 /dev/cuaU0
crw-rw----  1 uucp  dialer  0x9c Dec 14 22:26 /dev/cuaU0.init
crw-rw----  1 uucp  dialer  0x9d Dec 14 22:26 /dev/cuaU0.lock
```


----------



## SirDice (Dec 16, 2015)

Never edit the files in /etc/defaults/. They'll be overwritten with the next update of the system. Copy the bit you want to change to /etc/devfs.rules and make your changes there.


----------



## LeoSum (Dec 16, 2015)

Thanks for the hint! Didn't know that and will change that tonight.

But that can't be the reason for it not working right now, as the root user has access from within the jail, right?


----------



## LeoSum (Dec 17, 2015)

Nobody has an idea what might be wrong with my config?

I guess I'll run the perl script as root then.

Thanks for looking into this though!


----------



## SirDice (Dec 18, 2015)

You can't change the permissions of devices from within a jail. You'll have to set the permissions on the host.
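
Added example, not part of any post in this thread: a simplified Python model of how a devfs ruleset applied on the host decides what a jail user can open, using the rules and the `ls -l /dev/cuaU*` output quoted above. The ruleset names `jail_as_posted` and `jail_serial`, the number 20, and the omission of the `unhide_basic`/`unhide_login` includes are assumptions made for the illustration.

```python
import fnmatch, re, shlex

# Constructed host-side rules modelled on the thread; "jail_serial" and its
# number are hypothetical, and only devfsrules_hide_all is kept of the includes.
RULES = """
[devfsrules_hide_all=1]
add hide
[jail_as_posted=4]
add include $devfsrules_hide_all
add path 'cuaU0' unhide
[jail_serial=20]
add include $jail_as_posted
add path 'cuaU0' mode 0660 group operator
"""
# Driver defaults for the node, taken from the `ls -l /dev/cuaU*` output above.
CUAU0 = {"visible": True, "user": "uucp", "group": "dialer", "mode": "0660"}

def parse(text):
    """Return {ruleset name: [tokens of each 'add' rule]}."""
    sets, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(\w+)=\d+\]", line)
        if m:
            cur = sets.setdefault(m.group(1), [])
        elif line.startswith("add "):
            cur.append(shlex.split(line, comments=True)[1:])
    return sets

def evaluate(sets, name, dev, node):
    """Apply ruleset `name`, in order, to `dev` (path relative to /dev)."""
    node = dict(node)
    for toks in sets[name]:
        if toks[0] == "include":
            node = evaluate(sets, toks[1].lstrip("$"), dev, node)
            continue
        if toks[0] == "path":
            if not fnmatch.fnmatchcase(dev, toks[1]):
                continue
            toks = toks[2:]
        it = iter(toks)
        for act in it:
            if act in ("hide", "unhide"):
                node["visible"] = act == "unhide"
            else:  # mode, user, group take one argument
                node[act] = next(it)
    return node

def can_open_rw(node, groups):
    """Read/write check for a non-root, non-owner user in `groups`."""
    bits = 0o060 if node["group"] in groups else 0o006
    return node["visible"] and int(node["mode"], 8) & bits == bits
```

With the rules as posted the node is visible but stays `uucp:dialer 0660`, so membership in `operator` grants nothing; adding the group and mode to the ruleset the host applies to the jail is what changes the result.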


----------



## z3tbl4 (Jan 8, 2016)

How about adding this rule to your /etc/devfs.rules:


```
add path 'usbctl' unhide
```
and do
`# sh /etc/rc.d/devfs restart` (and restart jail)?


----------



## lme@ (Feb 15, 2016)

LeoSum said:


> ```
> root@fhem:/usr/home/fhem # ls -l /dev/cuaU*
> crw-rw----  1 uucp  dialer  0x9b Dec 15 19:12 /dev/cuaU0
> crw-rw----  1 uucp  dialer  0x9c Dec 14 22:26 /dev/cuaU0.init
> ...
> ```


Just put the "fhem" user into the "dialer" group. 

Btw, I am preparing a port for fhem (http://fhem.org). It will not solve your specific device rights problem, but ease installation of fhem and its dependencies.


----------

