Hi TJ, CC'ing the bug again to have a more permanent record of the discussion. I hope it is ok for you?
TJ [2008-09-04 18:20 +0100]: > I've finished a sys file-system patch for kvm and qemu that continues to > support the legacy /proc/ and /dev/ device lists. It is based on a patch > in the Novell bug-tracker but doesn't rip out legacy support. What does that mean? I hope not that kvm/qemu are supposed to directly access USB devices through /sys? (that would be EBW). > The USB devices in /dev/bus/usb/*/* have root:root permissions. ... by default. E. g. scanners and cameras get ACLs assigned to them by hal/consolekit, so that the currently active local user session can access those as well. > Obviously it wouldn't be a great idea to have VMs running as root so I > was looking for an existing group that might be used to modify those > permissions so that kvm/qemu can obtain read/write access to the > devices. Without it USB support fails. > > Matt Zimmerman pointed out 'plugdev' is being deprecated and I didn't > want to use 'kvm' as that is package-specific. In fact we want to completely deprecate the (ab)use of groups for device access: https://wiki.ubuntu.com/DesktopTeam/Specs/Intrepid/DevicePermissions So please don't proliferate groups too much. 'kvm' should ideally disappear as well eventually. The current two recommended possibilities for providing device access are: - Provide a backend running as root (which can access the devices), expose the backend functionality through a D-BUS API (well, could be IP or something else as well, but D-BUS is very convenient), and control access to the backend through PolicyKit. Then device access can be configured with polkit-gnome-authorization (with defaulting to something sane, like "local users only"). That's the way e. g. mounting internal hard drives through hal works. - For pure client-side programs, use the hal ACL management facility: /usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi /usr/share/PolicyKit/policy/org.freedesktop.hal.device-access.policy The FDI configures which device classes get ACL controlled, and assigns access_control.type. The .policy maps that type to a PolicyKit privilege, and assigns the default rights. Please let me know if either of those options are feasible for you. If you really must use a group for now, then I suppose you coordinate with Soren, to use a more generic group name than 'kvm'. 'plugdev' is not appropriate at all, it is meant for hotpluggable block devices, not virtualization hypervisor access. Martin -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org) -- Could not open /proc/bus/usb/devices https://bugs.launchpad.net/bugs/156085 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
