Ludovic Courtès writes:

> Hi Chris,
>
> Chris Marusich writes:
>
>> Ludovic Courtès writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group. I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions. However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>>   $ getfacl /dev/video0
>>   getfacl: Removing leading '/' from absolute path names
>>   # file: dev/video0
>>   # owner: root
>>   # group: video
>>   user::rw-
>>   user:marusich:rw-
>>   group::rw-
>>   mask::rw-
>>   other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Ludo’.

Danny Milosavljevic writes:

> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Might be elogind. It sets some ACLs on login.

Might be. I am content knowing that on Guix System, the intended way to
control access to /dev/kvm is by using the "kvm" group. However, it
still smells like we may have an ACL-related bug: It seems to be
unexpected that ACLs are getting set for some devices (e.g.,
/dev/video0), but not for others (e.g., /dev/kvm). What do you think?

-- 
Chris