Package: udev, libacl1
Version: 208-8
Severity: important

This is a generic problem, but I'll use just one example of
its action, on /dev/kvm device node.

In short, on any kvm (svm|vmx) capable x86 system these days,
the kvm module gets loaded and the /dev/kvm device node is created.
But without the udev rules file from qemu-kvm, which assigns
group permissions to this node, and with systemd present,
this device node receives a wrong ACL, like this:

 # ls -l /dev/kvm; getfacl /dev/kvm 
 crw-rw----+ 1 root root 10, 232 сен 21 18:45 /dev/kvm
 # file: dev/kvm
 # owner: root
 # group: root
 user::rw-
 user:Debian-gdm:rw-
 group::---
 mask::rw-
 other::---

Note that even if the regular unix permissions have "rw" for
group, there's one more ACL present for the file, "group::---",
which effectively turns off regular unix group permissions.

/dev/kvm is listed in 70-uaccess.rules:

 SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"

but this is one of the very few devices which come without group
rw permissions from the kernel initially.

The problematic place is in the systemd sources, src/login/logind-acl.c,
in the devnode_acl() function.  I added some debug printfs to this function,
printing the acl and stat(2) info from the file after each section of
the function, and got this for /dev/kvm:

 initial: user::rw-,group::---,other::--- (mode=020600 uid=0 gid=0)

 after flush: user::rw-,group::---,other::--- (mode=020600)
 after add: user::rw-,user:Debian-gdm:rw-,group::---,other::--- (mode=020600)
 after mask: user::rw-,user:Debian-gdm:rw-,group::---,mask::rw-,other::--- (mode=020600)
 after final set: user::rw-,user:Debian-gdm:rw-,group::---,mask::rw-,other::--- (mode=020660)

Note that after the final acl_set_file(), regular unix
perms are changed too (which probably should not happen), but
the stray empty group ACL entry is kept.

Now the more I think about this, the more this looks
like a libacl bug...  Hopefully not a kernel one :)

Thanks,

/mjt
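
An added example, not part of the original report and not systemd or libacl code: a small in-memory model of the acl(5) rules that map ACL entries to mode bits and decide access, applied to the two /dev/kvm ACL states shown above. The numeric ids (uid 117 for Debian-gdm, uid 1000 for another user) are constructed, and the model assumes a process with a single group and no capabilities.

```c
#include <stdio.h>

/* In-memory model of a POSIX.1e access ACL (illustration only, not libacl). */
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };
struct entry { enum tag tag; unsigned id; unsigned perm; }; /* perm: r=4 w=2 x=1 */

static int find(const struct entry *a, int n, enum tag t) {
    for (int i = 0; i < n; i++)
        if (a[i].tag == t) return (int)a[i].perm;
    return -1; /* entry absent */
}

/* Permission bits shown by stat(2)/ls: the group-class bits mirror mask::
 * when a mask entry exists, and group:: only when it does not. */
unsigned acl_to_mode(const struct entry *a, int n) {
    int m = find(a, n, MASK);
    unsigned grp = (unsigned)(m >= 0 ? m : find(a, n, GROUP_OBJ));
    return ((unsigned)find(a, n, USER_OBJ) << 6) | (grp << 3) | (unsigned)find(a, n, OTHER);
}

/* Access check from acl(5) for a process with one group and no capabilities. */
int acl_allows(const struct entry *a, int n, unsigned fuid, unsigned fgid,
               unsigned uid, unsigned gid, unsigned want) {
    int m = find(a, n, MASK), matched = 0;
    unsigned mask = m >= 0 ? (unsigned)m : 7u;
    if (uid == fuid) return ((unsigned)find(a, n, USER_OBJ) & want) == want;
    for (int i = 0; i < n; i++)
        if (a[i].tag == USER && a[i].id == uid)
            return (a[i].perm & mask & want) == want;
    for (int i = 0; i < n; i++)
        if ((a[i].tag == GROUP_OBJ && gid == fgid) || (a[i].tag == GROUP && a[i].id == gid)) {
            if ((a[i].perm & mask & want) == want) return 1;
            matched = 1;
        }
    if (matched) return 0; /* a group entry matched, so other:: is not consulted */
    return ((unsigned)find(a, n, OTHER) & want) == want;
}

/* The "initial" and "after final set" ACLs from the report; uid 117 is constructed. */
const struct entry kvm_initial[] = { {USER_OBJ,0,6}, {GROUP_OBJ,0,0}, {OTHER,0,0} };
const struct entry kvm_final[] = { {USER_OBJ,0,6}, {USER,117,6}, {GROUP_OBJ,0,0},
                                   {MASK,0,6}, {OTHER,0,0} };

int main(void) {
    printf("initial mode %04o, final mode %04o\n",
           acl_to_mode(kvm_initial, 3), acl_to_mode(kvm_final, 5));
    printf("uid 117 rw: %d\n", acl_allows(kvm_final, 5, 0, 0, 117, 117, 6));
    printf("uid 1000 in gid 0 rw: %d\n", acl_allows(kvm_final, 5, 0, 0, 1000, 0, 6));
    return 0;
}
```

When auditing device nodes tagged uaccess, read the getfacl output: in this model the "rw" in the group column of ls -l is the mask, and the owning group's effective rights are group:: ANDed with it.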

