GNU bug report logs - #36335
Is /dev/kvm missing ACLs?


Package: guix; Reported by: Chris Marusich <cmmarusich@HIDDEN>; dated Sun, 23 Jun 2019 04:21:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 36335 <at> debbugs.gnu.org:


Date: Thu, 11 Jul 2019 09:18:07 +0200
From: Danny Milosavljevic <dannym@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#36335: Is /dev/kvm missing ACLs?
Cc: 36335 <at> debbugs.gnu.org, Chris Marusich <cmmarusich@HIDDEN>

auditd can find those acl setters :)

# auditctl -w /dev/kvm -p a -k kvm-acl-setter-foo

Later on:

# ausearch -k kvm-acl-setter-foo

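Added example, not part of the original message or of Guix: a Python parser that groups the records printed by `ausearch -k kvm-acl-setter-foo` by event and reports which executable made each attribute-changing call on the watched path. The log lines, the `session-helper` executable and the function names are constructed for illustration, and the syscall numbers are the x86_64 ones.

```python
import re
import shlex
from collections import defaultdict

# x86_64 numbers of attribute-changing syscalls that a "-p a" watch reports.
# Other architectures number these calls differently.
ATTR_SYSCALLS_X86_64 = {
    "90": "chmod", "91": "fchmod", "92": "chown", "93": "fchown",
    "94": "lchown", "188": "setxattr", "189": "lsetxattr",
    "190": "fsetxattr", "260": "fchownat", "268": "fchmodat",
}

# Constructed sample in the raw record format used by audit.log and ausearch.
# It includes ausearch separator lines and one unrelated event so that the
# key filter is exercised. Executables, pids and inodes are made up.
SAMPLE = """\
----
time->Thu Jul 11 09:18:07 2019
type=PATH msg=audit(1562829487.120:451): item=0 name="/dev/kvm" inode=1045 mode=020660 ouid=0 ogid=992 nametype=NORMAL
type=SYSCALL msg=audit(1562829487.120:451): arch=c000003e syscall=188 success=yes exit=0 ppid=1 pid=412 auid=4294967295 uid=0 gid=0 comm="session-helper" exe="/opt/example/session-helper" key="kvm-acl-setter-foo"
----
time->Thu Jul 11 09:18:10 2019
type=SYSCALL msg=audit(1562829490.300:460): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="unrelated-key"
type=PATH msg=audit(1562829490.300:460): item=0 name="/etc/hostname" inode=77 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
----
time->Thu Jul 11 09:18:15 2019
type=SYSCALL msg=audit(1562829495.002:470): arch=c000003e syscall=90 success=no exit=-1 ppid=700 pid=733 auid=1000 uid=1000 gid=1000 comm="chmod" exe="/usr/bin/chmod" key="kvm-acl-setter-foo"
type=PATH msg=audit(1562829495.002:470): item=0 name="/dev/kvm" inode=1045 mode=020660 ouid=0 ogid=992 nametype=NORMAL
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")


def parse_events(text):
    """Group raw audit records by event serial number.

    Records of one event share the serial in msg=audit(time:serial) and may
    arrive in any order, so they are collected before being interpreted.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if not match:
            continue  # "----" and "time->" separators, blank lines
        rtype, stamp, serial, rest = match.groups()
        # shlex strips the double quotes around values such as exe="...".
        # Values auditd hex-encodes (names with spaces) are left as-is.
        fields = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
        events[serial].append((rtype, float(stamp), fields))
    return events


def attribute_setters(text, key):
    """Return one finding per event whose SYSCALL record carries `key`."""
    findings = []
    for serial, records in parse_events(text).items():
        syscall = next((f for t, _, f in records if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        number = syscall.get("syscall", "?")
        findings.append({
            "event": serial,
            "syscall": ATTR_SYSCALLS_X86_64.get(number, number),
            "success": syscall.get("success") == "yes",
            "pid": int(syscall["pid"]),
            "uid": int(syscall["uid"]),
            "exe": syscall.get("exe"),
            "paths": [f["name"] for t, _, f in records
                      if t == "PATH" and "name" in f],
        })
    return findings


if __name__ == "__main__":
    for hit in attribute_setters(SAMPLE, "kvm-acl-setter-foo"):
        status = "ok" if hit["success"] else "denied"
        print(f'{hit["exe"]} (pid {hit["pid"]}, uid {hit["uid"]}) '
              f'{hit["syscall"]} on {", ".join(hit["paths"])}: {status}')
```

A successful setxattr-family call in the output is the one to follow up on, since POSIX ACLs are stored as extended attributes; failed calls show who tried without effect.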




Information forwarded to bug-guix@HIDDEN:
bug#36335; Package guix. Full text available.

Message received at 36335 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Chris Marusich <cmmarusich@HIDDEN>
Subject: Re: bug#36335: Is /dev/kvm missing ACLs?
Date: Wed, 10 Jul 2019 19:10:02 +0200
Cc: Danny Milosavljevic <dannym@HIDDEN>, 36335 <at> debbugs.gnu.org

Hi,

Chris Marusich <cmmarusich@HIDDEN> writes:

> I am content knowing that on Guix System, the intended way to control
> access to /dev/kvm is by using the "kvm" group.  However, it still
> smells like we may have an ACL-related bug: It seems to be unexpected
> that ACLs are getting set for some devices (e.g., /dev/video0), but not
> for others (e.g., /dev/kvm).
>
> What do you think?

I agree.  I’d like to have a definite answer as to where these come
from; elogind was suspect #1 but I haven’t found anything conclusive.

Ludo’.





Message received at 36335 <at> debbugs.gnu.org:


From: Chris Marusich <cmmarusich@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#36335: Is /dev/kvm missing ACLs?
Date: Tue, 09 Jul 2019 23:23:28 -0700
Cc: Danny Milosavljevic <dannym@HIDDEN>, 36335 <at> debbugs.gnu.org

Ludovic Courtès <ludo@HIDDEN> writes:

> Hi Chris,
>
> Chris Marusich <cmmarusich@HIDDEN> writes:
>
>> Ludovic Courtès <ludo@HIDDEN> writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group.  I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions.  However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>> $ getfacl /dev/video0
>> getfacl: Removing leading '/' from absolute path names
>> # file: dev/video0
>> # owner: root
>> # group: video
>> user::rw-
>> user:marusich:rw-
>> group::rw-
>> mask::rw-
>> other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Ludo’.

Danny Milosavljevic <dannym@HIDDEN> writes:

> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès <ludo@HIDDEN> wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Might be elogind.  It sets some ACLs on login.

Might be.

I am content knowing that on Guix System, the intended way to control
access to /dev/kvm is by using the "kvm" group.  However, it still
smells like we may have an ACL-related bug: It seems to be unexpected
that ACLs are getting set for some devices (e.g., /dev/video0), but not
for others (e.g., /dev/kvm).

What do you think?

-- 
Chris






Message received at 36335 <at> debbugs.gnu.org:


Date: Mon, 1 Jul 2019 10:41:14 +0200
From: Danny Milosavljevic <dannym@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#36335: Is /dev/kvm missing ACLs?
Cc: 36335 <at> debbugs.gnu.org, Chris Marusich <cmmarusich@HIDDEN>

On Thu, 27 Jun 2019 15:45:33 +0200
Ludovic Courtès <ludo@HIDDEN> wrote:

> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.

Might be elogind.  It sets some ACLs on login.







Message received at 36335 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Chris Marusich <cmmarusich@HIDDEN>
Subject: Re: bug#36335: Is /dev/kvm missing ACLs?
Date: Thu, 27 Jun 2019 15:45:33 +0200
Cc: 36335 <at> debbugs.gnu.org

Hi Chris,

Chris Marusich <cmmarusich@HIDDEN> writes:

> Ludovic Courtès <ludo@HIDDEN> writes:
>
>> Guix System doesn’t use ACLs at all.
>>
>> However, the udev rule for kvm sets it up like this:
>>
>>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>
>> and the build users are part of the ‘kvm’ group.  I personally arrange
>> to have my user account in that group too.
>
> It's good to know that the "kvm" group is the right way to grant
> permissions.  However, if Guix System doesn't use ACLs, then why do some
> of my device files have ACLs on them, such as the video device file?
>
> $ getfacl /dev/video0
> getfacl: Removing leading '/' from absolute path names
> # file: dev/video0
> # owner: root
> # group: video
> user::rw-
> user:marusich:rw-
> group::rw-
> mask::rw-
> other::---

Good question, I see the same thing here.

I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
that, and there’s no code in eudev that fiddles with ACLs either, and
nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.

Ludo’.





Message received at 36335 <at> debbugs.gnu.org:


From: Chris Marusich <cmmarusich@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#36335: Is /dev/kvm missing ACLs?
Date: Wed, 26 Jun 2019 23:32:37 -0700
Cc: 36335 <at> debbugs.gnu.org

Hi Ludo,

Ludovic Courtès <ludo@HIDDEN> writes:

> Guix System doesn’t use ACLs at all.
>
> However, the udev rule for kvm sets it up like this:
>
>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>
> and the build users are part of the ‘kvm’ group.  I personally arrange
> to have my user account in that group too.

It's good to know that the "kvm" group is the right way to grant
permissions.  However, if Guix System doesn't use ACLs, then why do some
of my device files have ACLs on them, such as the video device file?

--8<---------------cut here---------------start------------->8---
$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
--8<---------------cut here---------------end--------------->8---

-- 
Chris






Message received at 36335 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Chris Marusich <cmmarusich@HIDDEN>
Subject: Re: bug#36335: Is /dev/kvm missing ACLs?
Date: Mon, 24 Jun 2019 21:54:54 +0200
Cc: 36335 <at> debbugs.gnu.org

Hi Chris,

Chris Marusich <cmmarusich@HIDDEN> writes:

> I was trying to run some VMs via "guix system vm", and I noticed that
> I didn't have permission to use KVM.  This issue can be worked around by
> running qemu as root, or by adding yourself to the "kvm" group.
> However, I found it curious that the /dev/kvm device didn't have ACLs
> granting me access:
>
> $ getfacl /dev/kvm
> getfacl: Removing leading '/' from absolute path names
> # file: dev/kvm
> # owner: root
> # group: kvm
> user::rw-
> group::rw-
> other::---
>
>
> Is it expected that on Guix System, /dev/kvm does not by default receive
> ACLs granting me access?

Guix System doesn’t use ACLs at all.

However, the udev rule for kvm sets it up like this:

  crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm

and the build users are part of the ‘kvm’ group.  I personally arrange
to have my user account in that group too.

Thanks,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#36335; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 23 Jun 2019 04:20:11 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jun 23 00:20:11 2019
From: Chris Marusich <cmmarusich@HIDDEN>
To: bug-guix@HIDDEN
Subject: Is /dev/kvm missing ACLs?
Date: Sat, 22 Jun 2019 21:20:03 -0700
Message-ID: <87sgs1c4r0.fsf@HIDDEN>


Hi,

I was trying to run some VMs via "guix system vm", and I noticed that
I didn't have permission to use KVM.  This issue can be worked around by
running qemu as root, or by adding yourself to the "kvm" group.
However, I found it curious that the /dev/kvm device didn't have ACLs
granting me access:

--8<---------------cut here---------------start------------->8---
$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
--8<---------------cut here---------------end--------------->8---

Is it expected that on Guix System, /dev/kvm does not by default receive
ACLs granting me access?  I'm logged into a GNOME session via GDM, and I
was under the impression that logind or udevd would automatically set up
ACLs for me to access local devices, such as /dev/kvm and /dev/sr0, in
this case.

Note that I DO have ACLs for some other devices, such as video0:

--8<---------------cut here---------------start------------->8---
$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
--8<---------------cut here---------------end--------------->8---

-- 
Chris

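The access decision discussed in this thread, as an added example (not part of any message here and not Guix code): it parses the two getfacl outputs quoted in the report and applies the POSIX ACL check order to show why the named-user entry on /dev/video0 grants access while /dev/kvm falls through to "other" unless the user is in the kvm group. The function names and the "users" group in the test are assumptions made for illustration.

```python
import re

# getfacl output quoted from the report above.
KVM = """\
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
"""
VIDEO0 = """\
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return {'owner', 'group', 'entries': [(tag, qualifier, perms)]}."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        header = re.match(r"#\s*(owner|group):\s*(\S+)", raw.strip())
        entry = raw.split("#")[0].strip()   # drop "#effective:" comments
        if header:
            acl[header.group(1)] = header.group(2)
        elif entry.count(":") == 2:
            tag, qualifier, perms = entry.split(":")
            acl["entries"].append((tag, qualifier, set(perms) - {"-"}))
    return acl

def check_access(acl, user, groups, want="rw"):
    """POSIX.1e access check order: owner, named user, groups, then other."""
    want = set(want)
    find = lambda tag, q="": [p for t, qq, p in acl["entries"] if (t, qq) == (tag, q)]
    mask = (find("mask") or [set("rwx")])[0]   # no mask entry: nothing is masked
    if user == acl["owner"]:
        return want <= find("user")[0], "owner"
    if find("user", user):
        return want <= (find("user", user)[0] & mask), "named user"
    matched = [p & mask for t, q, p in acl["entries"]
               if t == "group" and (q or acl["group"]) in groups]
    if matched:                      # once a group matches, "other" is never used
        return any(want <= p for p in matched), "group"
    return want <= find("other")[0], "other"
```

Each call returns a pair of the decision and the ACL class that produced it, so the same check can be run over getfacl output collected from other device nodes.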




Acknowledgement sent to Chris Marusich <cmmarusich@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#36335; Package guix. Full text available.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.