Bug 52227

Summary: add separate group for generic usb devices
Product: systemd Reporter: Radek Podgorny <radek>
Component: generalAssignee: systemd-bugs
Status: RESOLVED WONTFIX QA Contact: systemd-bugs
Severity: minor    
Priority: medium    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Radek Podgorny 2012-07-18 10:09:43 UTC 
...as taken from my arch linux feature request (https://bugs.archlinux.org/task/30731):

i think it would be a good idea to have a separate group for usb devices which do not fall into camera/scanner/storage/... category. in my case i'm talking about a usbtiny mcu programmer and usb-connected oscilloscope but i'm sure there are gazillions of other devices.

sure i can add myself to "root" group and gain access to ALL devices but i think "usb" group would be a cleaner solution. as a side note, gentoo has it and it works pretty well... ;-)

thanks for considering it!
Comment 1 Radek Podgorny 2012-07-18 11:57:31 UTC 
...or maybe a "plugdev" group?
Comment 2 Kay Sievers 2012-07-18 12:15:53 UTC 
"plugdev" is an entirely misguided and fundamentally wrong concept, this
will not happen for systemd/udev. Device access groups are for system
services, _never_ for ordinary users. Systems who do that do it wrong at
many levels.

Ordinaru users get ACLs assigned, depending on the way the log into the
system, and the state of the session, and that is dynamic and adaptive,
unlike groups.

I have no problem with "usb" for raw usb device nodes, but "plugdev" as a
group name and especially as a "concept" should just die, it's totally broken.
Comment 3 Radek Podgorny 2012-07-18 22:00:44 UTC 
well, that kind of makes sense but let me ask you these, probably silly, questions:

what acls do you mean exactly? the "standard" filesystem acls (as in ext4 etc.)? never heard of it for device files.

who should be assigning those acls (and/or other permissions) based on session state etc.? things like polkit/consolekit/whatever-kit? sorry again, never used it (always loved plain old udev simplicity) so i really don't know (and yes, i've tried to google it but didn't succeed).

please, give me some hints on what to read and/or what to search for... thank you!
Comment 4 Kay Sievers 2012-07-18 23:35:06 UTC 
(In reply to comment #3)
> what acls do you mean exactly? the "standard" filesystem acls (as in ext4
> etc.)? never heard of it for device files.

Yeah, filesystem ACLs on device nodes in /dev.

Like this:
  $ getfacl /dev/dri/card0 
  # file: dev/dri/card0
  # owner: root
  # group: video
  user::rw-
  user:kay:rw-
  group::rw-
  mask::rw-
  other::---

> who should be assigning those acls (and/or other permissions) based on session
> state etc.?

We do this since many years, almost every distro.

> things like polkit/consolekit/whatever-kit? sorry again, never used
> it (always loved plain old udev simplicity) so i really don't know (and yes,
> i've tried to google it but didn't succeed).

It was udev-acl with ConsoleKit data, now it's all in systemd.

> please, give me some hints on what to read and/or what to search for... thank
> you!

http://cgit.freedesktop.org/systemd/systemd/tree/src/login/70-uaccess.rules

Old udev was here:
http://git.kernel.org/?p=linux/hotplug/udev.git;a=blob;f=src/extras/udev-acl/70-udev-acl.rules;h=2dac283101aee6ef75f2e1e397d6d91c3a4c92c1;hb=f13289ffdf077f75c8710e977ffe538b66885762
Comment 5 Zbigniew Jedrzejewski-Szmek 2013-08-25 03:00:28 UTC 
So, is there anything to fix here?
Comment 6 Kay Sievers 2013-09-12 18:33:23 UTC 
Closing, at the moment we don't see the need for bus-specific unix groups
on the system. We should limit the use of groups to classes of devices, like
video, audio, disk, not the type of connection they use.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.