User Camera permission

I am trying to access the camera with opencv using the following script (tx1_mipi.py). I am able to access it when I run sudo python tx1_mipi.py, but not python tx1_mipi.py. How do I change the permission of the camera so that I don’t have to sudo…

import sys
import cv2

def read_cam():
cap = cv2.VideoCapture(“nvcamerasrc ! video/x-raw(memory:NVMM), width=(int)1920, height=(int)1080,format=(string)I420, framerate=(fraction)30/1 ! nvvidconv flip-method=0 ! video/x-raw, format=(string)BGRx ! videoconvert ! video/x-raw, format=(string)BGR ! appsink”)

if cap.isOpened():
    cv2.namedWindow("demo", cv2.WINDOW_AUTOSIZE)
    while True:
        ret_val, img = cap.read();
        cv2.imshow('demo',img)
        cv2.waitKey(10)
else:
 print "camera open failed"

cv2.destroyAllWindows()

if name == ‘main’:
read_cam()

When accessing the GPU any user with membership in group “video” is allowed without sudo. I do not know if this is the same for cameras, but I suspect so. The default users which are members of group “video” are “nvidia” and “ubuntu”. Are your camera operations using a different user? If so, add them to secondary group “video”…if not, then there may be a different group…"ls -l " could tell you what group that is when “” is the device special file in “/dev/” you are using for the camera.

Note that if the device group is not what you want, then it may be possible to change the device group itself using udev rules. This would be a bad idea for anything “/dev/video#”, but might be useful on other devices which are not standardized to a particular non-root group.

ls -l /dev/video0
crw-rw----+ 1 root video 81, 0 Jul 6 14:45 /dev/video0

I am assuming it is video 0 since the camera is running with this command
“gst-launch-1.0 nvcamerasrc fpsRange=“30.0 30.0” sensor-id=0 ! ‘video/x-raw(memory:NVMM), width=(int)1920, height=(int)1080, format=(string)I420, framerate=(fraction)30/1’ ! nvtee ! nvvidconv flip-method=2 ! ‘video/x-raw(memory:NVMM), format=(string)I420’ ! nvoverlaysink -e”

I had already added the user(Ubuntu) to video group

In that case you can rule out security stopping access for that particular device driver. It is possible that your python program accesses some other component on your system which is root-only access…the video device would not be blocking component since you are in group video. chmod would probably be required on the other components.

Consider that if gst-launch is permitted for your user, that the application may access plugins or modular functions in different files…if gst-launch directly accesses those files without using the system linker, then those individual files would need permission for access by user ubuntu. An example is a CODEC or other video format conversion module which is not directly built into gst-launch. I don’t know how to list what files gst-launch accesses as a module without a lot of work using strace (strace lists every single system call…a tiny program can have thousands of system calls in a matter of seconds). If it comes down to that it can be done, but perhaps someone else knows an easy way to list outside files accessed based on the gst-launch pipeline.

It’s pure speculation, I don’t know about how python deals with paths, but it might also be a PATH or LD_LIBRARY_PATH that may be set for root account but not for your current account.
If you can run gst-launch-1.0 as this user, I assume gstreamer libs are available (Note: why are you using nvtee in your pipeline ?), so I would look at opencv libraries path. For confirming this, can you run opencv functions without gstreamer ?
What gives (as both users):

cv2.__version__

cv2.version
‘3.2.0-dev’

Please note that I am running the script from the SD card. I was wondering if this could be the reason why we need Sudo?

Here is the procedure that I used to move the files to the SD card

#!/bin/bash

#sudo passwd root
#enter

#Connect to Outreach

sudo apt-get update
sudo apt-get install -y sudo nano resolvconf

sudo fdisk -l
#find the HUGE SD card. /etc/mmcblk1 on my TX1

#fstab is empty (which is atypical; don’t know why)
mkdir /home/ubuntu/SDcard
echo ‘/dev/mmcblk1p1 /home/ubuntu/SDcard ext4 rw,defaults 0 0’ | sudo tee --append /etc/fstab

chown ubuntu:ubuntu /home/ubuntu/SDcard

mkdir /home/ubuntu/SDcard/filesystem

#WARNING don’t run the following without being at root prompt!!

#When you have the pound sign ‘#’ prompt, you can continue with the following:

mv /var/cache /home/ubuntu/SDcard/filesystem
ln -s /home/ubuntu/SDcard/filesystem/cache /var/cache

mv /usr/local /home/ubuntu/SDcard/filesystem
ln -s /home/ubuntu/SDcard/filesystem/local /usr/local

mv /usr/lib /home/ubuntu/SDcard/filesystem
ln -s /home/ubuntu/SDcard/filesystem/lib /usr/lib

mv /usr/share /home/ubuntu/SDcard/filesystem
ln -s /home/ubuntu/SDcard/filesystem/share /usr/share

Whenever you run mkdir, be sure it isn’t sudo, that the new directory is owned by your regular user (check before mount, not after…you want your user owning the directory, not root). If you go one directory in from the mount point after the mount and use “touch testme” and “rm testme” and this succeeds, then it isn’t an SD card mount permission issue (you might also do this in the mount point directory if you access anything directly in that directory).

There are some cases where symbolic links are not followed for security reasons, though I don’t know if this is the case for what you’ve moved to SD (anything in a web server directory restricts this, but I doubt you’re work is linked to the web server; SElinux can also do this, but L4T does not enable SElinux). You might get logging of a security message in “dmesg --follow” or “sudo tail -f /var/log/syslog” which might hint at where the permission failure is.