FS#19703 - [udev] Take a decision about udev-acl related rules.

Attached to Project: Arch Linux
Opened by Gerardo Exequiel Pozzi (djgera) - Friday, 04 June 2010, 02:01 GMT
Last edited by Roman Kyrylych (Romashka) - Thursday, 19 August 2010, 12:03 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Jan de Groot (JGC)
Thomas Bächler (brain0)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

With the new udev-157-1 package, it is not possible (not recommended) to use the udev-acl rules defined in 70-acl.rules from outside that file, as some packages are doing now (using the ENV{ACL_MANAGE}="1" method).

Now the consolekit method does not work with the udev-157-1 package.

So there are at least two options:
(simple) Define a rule in 81-arch.rules with ENV{ACL_MANAGE}, and avoid changing all other packages.
(complex) Change each "package.rules" as needed.


--- From 70-acl.rules ---
# Do not use TAG+="udev-acl" outside of this file. This variable is private to
# udev-acl of this udev release and may be replaced at any time.
...
# apply ACL for all locally logged in users
LABEL="acl_apply", TAG=="udev-acl", TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
--- From 70-acl.rules ---

Closed by  Roman Kyrylych (Romashka)
Thursday, 19 August 2010, 12:03 GMT
Reason for closing:  Fixed
Additional comments about closing:  Closed per author's request:
Most devices are now managed the ACL way; no general action is needed. If a specific package needs attention I will open a separate bug/feature report.
Comment by Thomas Bächler (brain0) - Friday, 04 June 2010, 07:45 GMT
How is this supposed to work now? I never looked into the ACL stuff at all.
Comment by Gerardo Exequiel Pozzi (djgera) - Friday, 04 June 2010, 18:24 GMT
There is no need to assign groups (audio, optical, etc.) to users logged in via console (by uncommenting pam_ck_connector.so) or via kdm, gdm, etc.
Everything is done via consolekit-daemon -> dbus-daemon -> udevd -> udev-acl

So if you have a user "epsilon" logged in on TTY1 and user "delta" on TTY2: when TTY1 is "at front", all devices defined in 70-acl.rules (and other files) will have an ACL for user "epsilon", and if you switch to TTY2 the ACL perms for these devices will change to user "delta".

For example, I am currently on TTY7 (X); the ACLs for /dev/dsp look like this:
$ getfacl /dev/dsp
...
user::rw-
user:djgera:rw-
group::rw-
mask::rw-
other::---

$ ls -l /dev/ | grep +
...
crw-rw----+ 1 root audio 14, 3 Jun 4 14:56 dsp
...
brw-rw----+ 1 root optical 11, 0 Jun 4 14:56 sr0
brw-rw----+ 1 root optical 11, 1 Jun 4 14:56 sr1
...
crw-rw----+ 1 root uucp 4, 64 Jun 4 14:56 ttyS0

$ id
uid=1000(djgera) gid=101(djgera) groups=101(djgera)
Comment by Thomas Bächler (brain0) - Friday, 04 June 2010, 18:43 GMT
I knew that, I just meant I never looked at the implementation.
Comment by Gerardo Exequiel Pozzi (djgera) - Saturday, 05 June 2010, 17:21 GMT
Odd, it seems that you always need to mark devices with TAG+="udev-acl" instead of having a private call to udev-acl, otherwise it does not work properly (ACLs do not change when switching users). But having a TAG+="udev-acl" is absurd based on what the 70-acl.rules file says.

Looking at the udev-acl.c source [#1], it looks like it searches for devices marked with this tag.

PS: I sent a mail asking the udev author about this.

[#1] http://git.kernel.org/?p=linux/hotplug/udev.git;a=blob;f=extras/udev-acl/udev-acl.c;h=ff04ec6bed8543d38c352b1c48e3a276b0802f07;hb=HEAD#l292
Comment by Gerardo Exequiel Pozzi (djgera) - Saturday, 05 June 2010, 19:24 GMT
From: Kay Sievers <kay.sievers@vrfy.org>
Date: Sat, 5 Jun 2010 21:08:35 +0200
Subject: Re: Question about udev-acl and TAG
To: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar>

On Sat, Jun 5, 2010 at 20:36, Gerardo Exequiel Pozzi
<vmlinuz386@yahoo.com.ar> wrote:
> On 06/05/2010 02:40 PM, Kay Sievers wrote:
>
> On Sat, Jun 5, 2010 at 19:27, Gerardo Exequiel Pozzi
> <vmlinuz386@yahoo.com.ar> wrote:
>
>
>> I have a simple question about TAG with udev-acl:
>>
>> How is one supposed to add more devices to be managed with ACLs, since I
>> cannot use TAG+="udev-acl" outside the private file 70-acl.rules?
>> It seems that udev-acl.c always looks for devices marked as "udev-acl", so
>> using another "TAG" or the old environment variable like the previous
>> method does not work properly.
>
>
> You are usually supposed to classify these devices with some variable,
> and add that class to the acl file.
>
> The thing is that the TAG name, or the former environment name are
> private to udev and may change, if things need to be adjusted to a
> better model. That just happened recently, like with the switch from
> the simple variable to the tag. For your own system, or as a temporary
> workaround, it will be fine to use TAG directly, but that may stop
> working in future releases of udev.
>
> Kay
>
>
>
> OK. I understand.
>
> And what about distro packagers? I guess they should follow upstream udev
> changes (if something changes in the future) and mark extra devices with a
> TAG for now as a workaround, right?

No. Distros must go the "classification" route. They will probably not
be able to keep up with changes. Upcoming ConsoleKit work might need
future changes again.

Kay
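
As an added illustration (not from the bug report or from the udev project), this is what Kay's "classification" route looks like in rule form, with the file name 60-arch-smartcard.rules, the variable ARCH_ACL_CLASS and the USB vendor/product ids as assumptions:

```udev
# 60-arch-smartcard.rules (package-owned; hypothetical file name)
# Classify the device with a distro-owned variable. ARCH_ACL_CLASS is an
# assumed name and the vendor/product ids are placeholders. Do NOT set
# TAG+="udev-acl" here: the tag is private to 70-acl.rules and may be
# renamed by any udev release. The file must sort before 70-acl.rules,
# because udev applies rule files in lexical order and a variable set in
# 81-*.rules is not yet set when 70-acl.rules is evaluated.
SUBSYSTEM=="usb", ATTRS{idVendor}=="0000", ATTRS{idProduct}=="0000", \
  ENV{ARCH_ACL_CLASS}="smartcard"

# 70-acl.rules (udev-owned). The class line is what gets added upstream or
# carried as a distro patch, so only this file ever touches the private tag.
ENV{ARCH_ACL_CLASS}=="smartcard", TAG+="udev-acl"

# Existing rule from the report, unchanged: the tag is what udev-acl acts on.
LABEL="acl_apply", TAG=="udev-acl", TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
```

After a VT switch, `getfacl` on the classified node should show a `user:<name>:rw-` entry only for the session that is currently active, as in the /dev/dsp output above.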
