Package: udev, libacl1
Version: 208-8
Severity: important

This is a generic problem, but I'll use just one example of its action, on the /dev/kvm device node.

In short, on any kvm (svm|vmx) capable x86 system these days, the kvm module gets loaded and the /dev/kvm device node is created. But without the udev rules file from qemu-kvm which assigns group permissions to this node, and with the presence of systemd, this device node receives a wrong ACL, like this:

  # ls -l /dev/kvm; getfacl /dev/kvm
  crw-rw----+ 1 root root 10, 232 сен 21 18:45 /dev/kvm
  # file: dev/kvm
  # owner: root
  # group: root
  user::rw-
  user:Debian-gdm:rw-
  group::---
  mask::rw-
  other::---

Note that even if the regular unix permissions have "rw" for group, there's one more ACL present for the file, "group::---", which effectively turns off regular unix group permissions.

/dev/kvm is listed in 70-uaccess.rules:

  SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"

but this is one of very few devices which come without group rw permissions from the kernel initially.

The problematic place is the systemd sources, src/login/logind-acl.c, devnode_acl() function. I added some debug printfs to this function, after each section of this function printing acl and stat(2) info from the file, and got this for /dev/kvm:

  initial: user::rw-,group::---,other::--- (mode=020600 uid=0 gid=0)
  after flush: user::rw-,group::---,other::--- (mode=020600)
  after add: user::rw-,user:Debian-gdm:rw-,group::---,other::--- (mode=020600)
  after mask: user::rw-,user:Debian-gdm:rw-,group::---,mask::rw-,other::--- (mode=020600)
  after final set: user::rw-,user:Debian-gdm:rw-,group::---,mask::rw-,other::--- (mode=020660)

Note that after the final acl_set_file(), regular unix perms are changed too (which probably should not), but the stray empty group ACL entry is kept.

Now the more I think about this, the more this looks like a libacl bug... Hopefully not kernel :)

Thanks,

/mjt
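Added example, not part of the original report and not systemd or libacl code: per acl(5), when an ACL carries a mask entry, the group permission bits that stat(2) and ls report mirror the mask, while group:: still holds the owning group's own rights. The Python sketch below parses the two ACL states quoted in the report and computes both values; the function names are illustrative.

```python
"""Added example: how a POSIX ACL maps to the mode bits ls shows (acl(5))."""
PERM = {"r": 4, "w": 2, "x": 1}

# ACL states copied from the report's debug output and getfacl listing.
INITIAL = "user::rw-,group::---,other::---"
AFTER_SET = """user::rw-
user:Debian-gdm:rw-
group::---
mask::rw-
other::---"""


def parse_acl(text):
    """Parse getfacl-style text (one entry per line or comma separated)."""
    entries = []
    for raw in text.replace(",", "\n").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop getfacl comments
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, sum(PERM.get(c, 0) for c in perms)))
    return entries


def _unqualified(entries):
    return {tag: bits for tag, qualifier, bits in entries if not qualifier}


def mode_bits(entries):
    """Permission bits as stat(2) and ls report them for this ACL."""
    e = _unqualified(entries)
    # With a mask entry the group-class bits mirror the mask, not group::.
    return e["user"] << 6 | e.get("mask", e["group"]) << 3 | e["other"]


def owning_group_effective(entries):
    """Rights the group:: entry grants after the mask is applied."""
    e = _unqualified(entries)
    return e["group"] & e.get("mask", 7)


def group_bits_misleading(entries):
    """True when ls shows group bits that the owning group does not get."""
    shown = (mode_bits(entries) >> 3) & 7
    return shown != owning_group_effective(entries)


if __name__ == "__main__":
    for name, acl in (("initial", INITIAL), ("after set", AFTER_SET)):
        e = parse_acl(acl)
        print(name, oct(mode_bits(e)), owning_group_effective(e), group_bits_misleading(e))
```

Running group_bits_misleading() over getfacl output for device nodes tagged uaccess flags nodes whose ls listing suggests group access that the group:: entry does not grant.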