On Thu, 10 Mar 2022 at 06:37:58 +0100, Marc Haber wrote:
> Are we using ACLs [by] Default already in other places of the Debian
> system?
For user-facing purposes I don't think so (although they're available to anyone who wants to set them), but they're how the udev/logind "uaccess" mechanism (the reason you don't need to be in the audio group any more) is implemented.

(Briefly: devices that a physically-present user should be able to access, like audio, cameras, graphics acceleration and gamepads, are 0660 and owned by root:audio or similar, and tagged with "uaccess" by udev rules. When a user logs in or out, logind iterates through all devices attached to the relevant seat that have the uaccess tag, and does the equivalent of `setfacl -m user:$uid:rw-` on login or `setfacl -x user:$uid` on logout. On logout, it also tells the kernel to "revoke" existing file descriptors for device nodes where this is possible, notably input devices. The practical effect is that you can access these devices if and only if you are logged in, but you cannot ssh in and record another user unless you have extra privileges.)

    smcv
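The check a defender would want after reading the above is whether the "if and only if you are logged in" property actually holds on a given host, i.e. whether any device node still carries a named-user ACL entry for a uid that logind no longer considers logged in. The script below is an added example written for this thread, not code from the mail, from logind or from Debian; it assumes the `getfacl -n` output format (numeric uids, `# file:` headers) and that `loginctl list-users --no-legend` prints the uid in its first column. The pure parsing step is separated from the system calls so it can be exercised on constructed input.

```sh
#!/bin/sh
# Added example (not from the mailing-list post): audit device-node ACLs for
# named-user entries that the uaccess mechanism should have dropped at logout.

# stale_acl_users: read `getfacl -n` output on stdin and print "<file> <uid>"
# for every user:<uid>:... entry whose uid is not among the active uids given
# as arguments. The base entries (user::, group::, mask::, other::) are
# ignored; only named-user entries are what logind adds and removes.
stale_acl_users() {
    active="$*"
    awk -v active="$active" '
        BEGIN { n = split(active, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^# file: /      { file = substr($0, 9); next }
        /^user:[0-9]+:/  { split($0, f, ":"); if (!(f[2] in ok)) print file, f[2] }
    '
}

# audit_uaccess_devices: run on a real host (as root). Collects the uids logind
# reports as logged in and compares them against ACLs on the device classes
# the mail mentions (sound, video, DRM). `-s` skips nodes with only base
# entries, `-p` keeps absolute paths, `-n` prints numeric uids.
# The device globs are an assumption; extend them for input/, hidraw*, etc.
audit_uaccess_devices() {
    active=$(loginctl list-users --no-legend | awk '{print $1}')
    getfacl -n -p -s /dev/snd/* /dev/video* /dev/dri/* 2>/dev/null |
        stale_acl_users $active
}

# Constructed sample of `getfacl -n` output: uid 1001 still has access to the
# sound card although (in the scenario below) only uid 1000 is logged in.
SAMPLE_GETFACL='# file: /dev/snd/controlC0
# owner: root
# group: audio
user::rw-
user:1000:rw-
user:1001:rw-
group::rw-
mask::rw-
other::---

# file: /dev/video0
# owner: root
# group: video
user::rw-
user:1000:rw-
group::rw-
mask::rw-
other::---
'

# `./uaccess-audit.sh --audit` runs against the live system; with no
# arguments the script only defines the functions, e.g. for:
#   printf '%s' "$SAMPLE_GETFACL" | stale_acl_users 1000
# which reports "/dev/snd/controlC0 1001".
if [ "${1:-}" = "--audit" ]; then
    audit_uaccess_devices
fi
```

Any line the audit prints is either a user whose logout did not trigger the ACL removal, or an ACL someone set by hand; either way it is a uid that can open that device without being at the seat, which is exactly the case the uaccess design is meant to exclude. Note that a clean ACL listing does not cover descriptors that were already open before logout; that is what the kernel-side revoke the mail describes is for.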