HDMI Output with ffplay

On Ubuntu Core raspi2 here, /dev/fb0 has the following permissions:

$ getfacl /dev/fb0 
getfacl: Removing leading '/' from absolute path names
# file: dev/fb0
# owner: root
# group: video
user::rw-
group::rw-
other::---

The problem is that the user is not in the ‘video’ group, and because /etc/group is read-only and because of the way the extrausers database works, you can’t add the Ubuntu Core user to it. systemd’s uaccess (formerly udev’s udev-acls) is also used for permissions, but it isn’t used with the framebuffer, as seen here:

$ udevadm info /dev/fb0
...
E: DEVNAME=/dev/fb0
...
E: SUBSYSTEM=graphics
E: TAGS=:seat:master-of-seat:
...

The device is missing the ‘uaccess’ tag and so the user is not allowed to use it. All this is discussed extensively in use case 2 of “Multiple users and groups in snaps”. The proposed design will support having snapd manage groups and udev rules so that you can then add users to these snapd-managed groups.

Today, you can work around the missing feature by:

  1. creating a group in the ‘extrausers’ db, e.g.: sudo groupadd --extrausers --system my_fb
  2. creating a udev rule in /etc/udev/rules.d/99-my_fb.rules: KERNEL=="fb[0-9]*", RUN+="/usr/bin/setfacl -m g:my_fb:rw $devnode"
  3. applying the rules: sudo udevadm control --reload-rules && sudo udevadm trigger /dev/fb0

(To remove the ACL, use ‘sudo setfacl -x g:my_fb /dev/fb*’ and remove the rules file so it isn’t added back on reboot.)

Now when you look at the ACLs, my_fb is listed:

$ getfacl /dev/fb0 
getfacl: Removing leading '/' from absolute path names
# file: dev/fb0
# owner: root
# group: video
user::rw-
group::rw-
group:my_fb:rw-
mask::rw-
other::---

You should now be able to use ‘sudo adduser --extrausers <user> my_fb’ or ‘sudo usermod --extrausers -a -G my_fb <user>’, but neither of these works currently. Instead, you can adjust /var/lib/extrausers/group, changing this:

my_fb:x:999:

to:

my_fb:x:999:<your username>

Now log out and back in (or run sg my_fb) and you are a member of this group:

$ id
uid=1000(username) gid=1000(username) groups=1000(username),999(my_fb)

You will now be able to access the device. E.g., before all the above changes:

$ head -1 /dev/fb0
head: cannot open '/dev/fb0' for reading: Permission denied

and after:

$ head -1 /dev/fb0
<binary output>...
$

Good luck!
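
Added example, not part of the original post: a shell check for the two things the workaround depends on, namely that the named group's ACL entry survives the ACL mask and that the user is in the group's member list. The function names and the sample data (modelled on the output shown above) are constructed for illustration.

```shell
# Constructed sample data mirroring the post: getfacl output for /dev/fb0 after
# the udev rule ran, and the edited line from /var/lib/extrausers/group.
SAMPLE_ACL='# group: video
user::rw-
group::rw-
group:my_fb:rw-
mask::rw-
other::---'
SAMPLE_GROUP='my_fb:x:999:username'

# effective_group_perms GROUP: read getfacl output on stdin and print what the
# named group really gets (its entry with any bit the mask lacks cleared).
effective_group_perms() {
    awk -F: -v g="$1" '
        $1 == "group" && $2 == g { entry = $3 }
        $1 == "mask"             { mask = $3; have_mask = 1 }
        END {
            if (entry == "") exit 1            # no ACL entry for this group
            for (i = 1; i <= 3; i++) {
                c = substr(entry, i, 1)
                out = out ((have_mask && substr(mask, i, 1) == "-") ? "-" : c)
            }
            print out
        }'
}

# is_member USER GROUP: read group(5)-format lines on stdin; succeed only if
# USER appears in the comma-separated member list (4th field) of GROUP.
is_member() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

# check_fb_access USER GROUP ACL_TEXT GROUP_TEXT: print a verdict; return 0
# only when USER is a member and GROUP effectively has read and write.
check_fb_access() {
    perms=$(printf '%s\n' "$3" | effective_group_perms "$2") || {
        echo "no ACL entry for group $2"; return 1; }
    printf '%s\n' "$4" | is_member "$1" "$2" || {
        echo "$1 is not listed in group $2"; return 1; }
    case $perms in
        rw*) echo "ok: $1 gets $perms via $2" ;;
        *)   echo "group $2 is limited to $perms"; return 1 ;;
    esac
}

check_fb_access username my_fb "$SAMPLE_ACL" "$SAMPLE_GROUP"
```

On a device, pass the live data instead: check_fb_access "$USER" my_fb "$(getfacl /dev/fb0 2>/dev/null)" "$(cat /var/lib/extrausers/group)". Membership in the file only takes effect in a new login session (or under sg my_fb), as described above.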