Use uaccess

[yarda]

The current solution is quite dirty, breaking Linux security model. I think for interactive sessions you should use uaccess and classify all existing printers (they are mostly identified as FTDI converters). I am using the following (which works for my RepRap i3, but there are probably some more IDs around):

70-reprap.rules:

RepRap

SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", TAG+="uaccess"

For headless daemons like Octoprint it's minimum overhead for the admin to just add the service user to the 'dialout' group upon installation.

Just blindly allowing all users full access to all serial devices connected through USB isn't really good idea.

[hroncok]

The problem with this approach is the amount of 3D printers, boards, manufacturers. If we could get all the Vendor IDs and Product IDs, then why not, but I don't know how.

From my point of view when you add the user to the dialout group, you give him access to everything anyway. And running this form multiuser environment might be risky, but README clearly says that.

[yarda]

I would start with FTDI converter, check it with all printers I have access to and let the community to PR/report other IDs. We did it with software defined radio and it worked quite well.

When you add user to the dialout group, you gave rights only to this user. If e.g. somebody compromise some other service running on your machine (of course under different user as it should), he will not have access and will not be able to e.g. start a fire.

[hroncok]

Let's try to work on this for "next release". As soon as I get to the lab, I'll check all of our printers.

[hroncok]

I see 0403:6001 in the Brno Red Hat office.

[hroncok]

• 23c1:0006 MakerBot Replicator Z18
• 23c1:b017 MakerBot Replicator 2X
• 0403:6001 Velleman K8200 (RepRap) (FT232 USB-Serial (UART) IC by Future Technology Devices International, Ltd)
• 2341:0042 Ultimaker Original + (Arduino Mega)

[hroncok]

Now as you can see we might get the list of the VIDs and PIDs, but if someone creates a killer robot that reports back as Arduino Mega or uses FT232 USB-Serial, we are giving access to that as well.

[yarda]

It's general problem that Arduino boards usually reports default IDs, but with uaccess it doesn't do much harm. User with physical access to the machine is usually able to do anything with the machine/peripherals, so giving him/her access to the arduino boards/FTDI converters through uaccess is usually OK.

For now I would add four lines in similar format to the line I post initially and would add comment to the readme telling people to send their IDs.

[hroncok]

So this has two parts:

• using IDs isntead of ttyUSB/ACM*
• using uaccess instead of 0666, as it only add access to "regular" users (is that right?)

Cannot we just do the second thing?

[yarda]

Generally yes, and to be honest I think such rule should be in the distro's default udev rules, but collection of 3d printers IDs makes sense. This would allow us to classify peripherals as 3D printers (or potential candidate as 3D printers) by later adding e.g.: ENV{ID_3DPRINTER}="1" to the udev rule. Currently there is no such category, but I could propose it to udev upstream. Currently there are categories like:
ID_CDROM, ID_FFADO, ID_INPUT_JOYSTICK, ID_MEDIA_PLAYER, ID_SMARTCARD_READER, ID_PDA, ID_REMOTE_CONTROL, ID_SOFTWARE_RADIO, ....

It's beneficial if the system knows what category of devices are connected, so more complex access policies can be set by admin (the default policy is to allow access to the device of known category, but it can be freely changed by admin).

[hroncok]

• 27b1:0001 Lulzbot Mini

[hroncok]

• 27b1:0001 Lulzbot TAZ 4 & RAMBO
• 2341:0042 Arduino Mega with RAMPS
• 0403:6001 Minitronic & Megatronic & Sanguinololu

[yarda]

This is an attempt to get the tag for 3D printers upstream:
systemd/systemd#2844

[yarda]

I think we can now add the collected IDs by using the following template:
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", ENV{ID_MAKER_TOOL}="1"

And one final rule:
ENV{ID_MAKER_TOOL}=="?*", TAG+="uaccess"

Once it gets to the upstream udev, we will simply drop this final rule (duplicity is no problem here).

I can PR or commit it.