bug#36335: Is /dev/kvm missing ACLs?
From: Chris Marusich
Subject: bug#36335: Is /dev/kvm missing ACLs?
Date: Tue, 09 Jul 2019 23:23:28 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Ludovic Courtès <address@hidden> writes:
> Hi Chris,
>
> Chris Marusich <address@hidden> skribis:
>
>> Ludovic Courtès <address@hidden> writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>> crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group. I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions. However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>> $ getfacl /dev/video0
>> getfacl: Removing leading '/' from absolute path names
>> # file: dev/video0
>> # owner: root
>> # group: video
>> user::rw-
>> user:marusich:rw-
>> group::rw-
>> mask::rw-
>> other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Ludo’.
Danny Milosavljevic <address@hidden> writes:
> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès <address@hidden> wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Might be elogind. It sets some ACLs on login.
Might be.
I am content knowing that on Guix System, the intended way to control
access to /dev/kvm is by using the "kvm" group. However, it still
smells like we may have an ACL-related bug: It seems to be unexpected
that ACLs are getting set for some devices (e.g., /dev/video0), but not
for others (e.g., /dev/kvm).
What do you think?
--
Chris
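The thread compares getfacl output on /dev/video0 and /dev/kvm by eye. As an added example (not code from the bug report or from Guix), the script below parses that output format for several device nodes and reports only the named user/group entries, with the mask applied so the effective rights are shown. The getfacl text embedded here is constructed to mirror the thread; on a real system it would come from `getfacl -p /dev/video0 /dev/kvm`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in getfacl's text format (not a capture from a real host).
SAMPLE_GETFACL = """\
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---

# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
"""

# One ACL entry: tag, optional qualifier (user or group name), rwx triple.
PERM_RE = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})$")

def parse_getfacl(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each '# file:' path to its list of (tag, qualifier, perms) entries."""
    acls: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = line[len("# file: "):]
            acls[current] = []
            continue
        match = PERM_RE.match(line)
        if current is not None and match:
            acls[current].append((match.group(1), match.group(2), match.group(3)))
    return acls

def mask_perms(perms: str, mask: str) -> str:
    """Effective rights of a named entry: each r/w/x bit survives only if set in the mask."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))

def extended_entries(acls: Dict[str, List[Tuple[str, str, str]]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {path: [(entry, effective_perms)]} for named user/group entries only,
    i.e. grants that plain owner/group/mode bits cannot explain."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path, entries in acls.items():
        mask = next((p for t, q, p in entries if t == "mask"), "rwx")
        named = [(f"{t}:{q}", mask_perms(p, mask))
                 for t, q, p in entries if t in ("user", "group") and q]
        if named:
            report[path] = named
    return report

if __name__ == "__main__":
    for path, named in extended_entries(parse_getfacl(SAMPLE_GETFACL)).items():
        print(path, named)
```

Devices that only show up with owner/group/other entries (like /dev/kvm above) are left out of the report, so the output is exactly the list of nodes worth tracing back to whatever set the ACL.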