bug-guix

bug#36335: Is /dev/kvm missing ACLs?


From: Chris Marusich
Subject: bug#36335: Is /dev/kvm missing ACLs?
Date: Tue, 09 Jul 2019 23:23:28 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Ludovic Courtès <address@hidden> writes:

> Hi Chris,
>
> Chris Marusich <address@hidden> writes:
>
>> Ludovic Courtès <address@hidden> writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group.  I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions.  However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>> $ getfacl /dev/video0 
>> getfacl: Removing leading '/' from absolute path names
>> # file: dev/video0
>> # owner: root
>> # group: video
>> user::rw-
>> user:marusich:rw-
>> group::rw-
>> mask::rw-
>> other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Ludo’.

Danny Milosavljevic <address@hidden> writes:

> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès <address@hidden> wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Might be elogind.  It sets some ACLs on login.

Might be.

I am content knowing that on Guix System, the intended way to control
access to /dev/kvm is by using the "kvm" group.  However, it still
smells like we may have an ACL-related bug: It seems to be unexpected
that ACLs are getting set for some devices (e.g., /dev/video0), but not
for others (e.g., /dev/kvm).

What do you think?

-- 
Chris

Attachment: signature.asc
Description: PGP signature
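
The comparison discussed in this thread, as an added example that is not part of the original messages: a small filter over `getfacl` output that reports only named user/group ACL entries, so device nodes carrying per-user ACLs (like /dev/video0 above) stand out from nodes governed by plain owner/group mode bits (like /dev/kvm). The function names are hypothetical; the /dev/video0 sample is the output quoted in the thread, and the /dev/kvm sample is constructed from the `ls -l` line quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find named ACL entries in getfacl output.

# Read `getfacl` output on stdin; print "FILE<TAB>ENTRY" for every named
# user/group entry, i.e. anything beyond the base owner/group/other entries.
acl_named_entries() {
    awk '
        /^# file: / { file = substr($0, 9); next }   # remember current file
        /^#/ || /^$/ { next }                        # skip other headers, blanks
        {
            sub(/[ \t]*#.*$/, "")                    # drop "#effective:..." notes
            split($0, f, ":")
            # Base entries have an empty qualifier ("user::rw-");
            # named entries carry a user or group name in field 2.
            if ((f[1] == "user" || f[1] == "group") && f[2] != "")
                printf "%s\t%s\n", file, $0
        }
    '
}

# Constructed sample input: /dev/video0 as quoted in the thread, and
# /dev/kvm as implied by "crw-rw---- 1 root kvm" (no extended entries).
sample_getfacl() {
    cat <<'EOF'
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---

# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
EOF
}

# Run against the sample; on a live system, pipe real output instead, e.g.:
#   getfacl /dev/kvm /dev/video0 2>/dev/null | acl_named_entries
sample_getfacl | acl_named_entries
```

Running the same filter before and after a login session starts is one way to check whether the entries are being added at login time, as suggested in the thread.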

