Ask Your Question
0

Access webcam without sudo

asked 2017-10-18 08:37:58 -0600

ovg gravatar image

The code below will only work if I run it with sudo:

cap = cv2.VideoCapture(0)
cap.set(cv2.CAP_PROP_FRAME_WIDTH, 320)
cap.set(cv2.CAP_PROP_FRAME_HEIGHT, 240)

while True:
    ret, img = cap.read()
    print(ret)  # False without sudo
    print(img)  # None without sudo

    cv2.imshow('img', img)
        k = cv2.waitKey(30) & 0xff
        if k == 27:
            break

I don't want to run it as sudo for various reasons. Adding my user to the video group on linux doesn't change anything. Do I need to add myself to another group?

Note: I know it's bad to add myself to the video group... I'll create another user when this works!

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
1

answered 2017-10-18 13:17:31 -0600

updated 2017-10-18 13:21:25 -0600

Check the permissions of device /dev/video0. For example:

me@myhost:~$ ls -l /dev/video0
crw-rw---- 1 root video 81, 1 Dec 31  1969 /dev/video0

This means I can open this device as user root (sudo) or as a user which is a member of group video.

You can change the user or group ownership, or the user/group/other permissions on the /dev/video0 file at the time it is created, by modifying or creating a udev rules file.

edit flag offensive delete link more

Comments

Should it work if I add myself to video? because it doesn't change any thing for me...

ovg gravatar imageovg ( 2017-10-18 13:44:32 -0600 )edit
1

It should work, if the device file (/dev/video0) permissions have the read (second r in the ls -l output) permission for group and its group ownership is group video.

Also (and this is an old UNIX gotcha which propagated to Linux but is not widely appreciated), group membership changes for a user - set with, for example, the command line adduser me video - propagate only after a subsequent login of that user... so, after adding yourself to the group, you typically have to log out or your user session and log in again for the group membership to be valid.

opalmirror gravatar imageopalmirror ( 2017-10-18 14:17:41 -0600 )edit

Good to know, unfortunately I restarted with no change...

crw-rw----+ 1 root video 81, 0 Oct 18 23:09 /dev/video0 and I am in the video group...

Does opencv do anything else as sudo with the camera?

ovg gravatar imageovg ( 2017-10-18 17:30:46 -0600 )edit

I just tested with crwxrwxrwx+ 1 root video 81, 0 Oct 18 23:09 /dev/video0 too and can confirm that it still doesn't work unless I use sudo

ovg gravatar imageovg ( 2017-10-18 18:01:57 -0600 )edit
1

OK, then it's probably something else forbidding device access. Pardon my asking more questions. I think we can eventually get to the bottom of this!

  • What Linux distribution have you installed?

  • Are you running Linux in a VM guest? If so, the host may be somehow forbidding device access.

  • Are you running SELinux? Run the command "sudo selinuxrunning; echo $?" - if the output is "0" you are running SELinux.

  • Could you be using containers or namespaces in some way which would disallow device access?

opalmirror gravatar imageopalmirror ( 2017-10-18 18:14:43 -0600 )edit
1

Thanks for your help!

Fedora 25, no VM

$ sudo selinuxrunning; echo $?
sudo: selinuxrunning: command not found
1

but...

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

containers or namespaces? not that I am aware of...

ovg gravatar imageovg ( 2017-10-18 18:24:21 -0600 )edit
1

OK! I am familiar with Ubuntu, Debian and Fedora. I'm not an expert at SELinux but I've had partial success with opening permissions on it before. I'm looking at this webpage now, it's a good basic overview. Can you run this:

$ ls -Z /dev/video0

My guess is that the /dev/video0 device is locked down to a certain class of user, role, type, or mls, and that as a regular user you don't have the needed SELinux permissions to access the device. You may be able to (as root) assign additional classes of user, role, type or mls to your userid, or to the device file.

I will have physical access to a current Fedora system in several hours and if we don't figure it out by then I may have more ideas.

opalmirror gravatar imageopalmirror ( 2017-10-19 12:43:26 -0600 )edit
1

To prove selinux is the culprit you can temporarily disable selinux (set it to permissive or targeted), reboot, try to access the device. If the device access is granted then you know selinux is the cause of the access denial. Then re-enable selinux (to enforcing mode or however you currently have it set) and reboot again. From that point we can adjust the selinux permissions on the device file or on the user that needs access. Howto to reference is here.

opalmirror gravatar imageopalmirror ( 2017-10-19 12:56:29 -0600 )edit

Setting it to permissive didn't change anything...

$> ls -Z /dev/video0
system_u:object_r:v4l_device_t:s0 /dev/video0
ovg gravatar imageovg ( 2017-10-19 18:10:14 -0600 )edit
1

Hm. I don't know if you've double checked that the output of running groups $USER (where $USER is your user name) lists video.

The ls -Z shows the selinux permissions on /dev/video0 are that the user needs to be a system user, the role is as an object, the type is v4l_device_t and mls is s0. You could try:

sudo chcon -u unconfined_u /dev/video0
sudo chcon -r unconfined_r /dev/video0
sudo chcon -t unconfined_t /dev/video0

And then see if you can open the device as a regular user. I think.

opalmirror gravatar imageopalmirror ( 2017-10-19 18:30:37 -0600 )edit

Question Tools

1 follower

Stats

Asked: 2017-10-18 08:37:58 -0600

Seen: 2,815 times

Last updated: Oct 18 '17