From: Chris Marusich <cmmarusich@gmail.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 36335@debbugs.gnu.org
Subject: bug#36335: Is /dev/kvm missing ACLs?
Date: Tue, 09 Jul 2019 23:23:28 -0700 [thread overview]
Message-ID: <87lfx6l867.fsf_-_@gmail.com> (raw)
In-Reply-To: <87sgrv16rm.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Thu, 27 Jun 2019 15:45:33 +0200, Mon, 1 Jul 2019 10:41:14 +0200")
[-- Attachment #1: Type: text/plain, Size: 1992 bytes --]
Ludovic Courtès <ludo@gnu.org> writes:
> Hi Chris,
>
> Chris Marusich <cmmarusich@gmail.com> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>> crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group. I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions. However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>> $ getfacl /dev/video0
>> getfacl: Removing leading '/' from absolute path names
>> # file: dev/video0
>> # owner: root
>> # group: video
>> user::rw-
>> user:marusich:rw-
>> group::rw-
>> mask::rw-
>> other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Ludo’.
Danny Milosavljevic <dannym@scratchpost.org> writes:
> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès <ludo@gnu.org> wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Might be elogind. It sets some ACLs on login.
Might be.
I am content knowing that on Guix System, the intended way to control
access to /dev/kvm is by using the "kvm" group. However, it still
smells like we may have an ACL-related bug: It seems to be unexpected
that ACLs are getting set for some devices (e.g., /dev/video0), but not
for others (e.g., /dev/kvm).
What do you think?
--
Chris
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
next prev parent reply other threads:[~2019-07-10 6:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-23 4:20 bug#36335: Is /dev/kvm missing ACLs? Chris Marusich
2019-06-24 19:54 ` Ludovic Courtès
2019-06-27 6:32 ` Chris Marusich
2019-06-27 13:45 ` Ludovic Courtès
2019-07-01 8:41 ` Danny Milosavljevic
2019-07-10 6:23 ` Chris Marusich [this message]
2019-07-10 17:10 ` Ludovic Courtès
2019-07-11 7:18 ` Danny Milosavljevic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87lfx6l867.fsf_-_@gmail.com \
--to=cmmarusich@gmail.com \
--cc=36335@debbugs.gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).