Bug#887852: /dev/kvm is no longer accessible to local users

Alexander Kurtz alexander at kurtz.be
Tue Jan 23 23:09:01 GMT 2018


Hi!

I did some further digging in git and here's what I found:

In systemd 235, these two rules managed /dev/kvm:

  50-udev-default.rules.in:
    KERNEL=="kvm", GROUP="kvm", MODE="@DEV_KVM_MODE@"
    https://github.com/systemd/systemd/blob/v235/rules/50-udev-default.rules.in#L78

  70-uaccess.rules:
    SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"
    https://github.com/systemd/systemd/blob/v235/src/login/70-uaccess.rules#L49

Upstream commit b8fd3d82205f632ce001fade74fed287e1564a1a (part of PR
7112) removed the KVM related bits from the second file, but changed
the default value for @DEV_KVM_MODE@ from 0660 to 0666.

Unfortunately Debian has been removing the KVM related bits from the
first file for some time now, see

  https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/patches/debian/Avoid-requiring-a-kvm-system-group.patch

The result is that in Debian there is now no systemd-owned udev rule
managing /dev/kvm. This causes the regression that logind no longer
grants access to /dev/kvm to local users.

Personally, I think that Debian should remove the patch mentioned
above, make kvm a static system group, and remove the udev rule from
QEMU since there *are* other users of /dev/kvm (e.g. kvmtool, which
doesn't ship a udev rule). Then, choose a value for the 'dev-kvm-mode'
meson build option of systemd. I like the upstream default, but there
is Debian bug #640328. But then again, this was in 2011.

So, ultimately this is a maintainer decision, I just wanted to warn you
that people might trip over this on stretch -> buster upgrades!

Best regards

Alexander Kurtz
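The mail above diagnoses the regression by reading systemd's git history. On an installed system the same question (is there any udev rule left that manages /dev/kvm, and does it grant static group/mode access or the logind "uaccess" tag?) can be answered by scanning the rules directories udev reads. The script below is an added example, not code from the mail, from systemd or from Debian; the function names, the output format and the sample rule files in the usage section are my own and are constructed for illustration. The default search path is the one used by Debian at the time of the report (/etc, /run and /lib); adjust it on merged-/usr systems if /lib is not a symlink.

```shell
#!/bin/sh
# Added example: find every udev rule that manages the kvm device node and
# report what access it grants. Not part of the original mail.

# kvm_rules [DIR...]
# Prints one line per non-comment rule matching KERNEL=="kvm", in the form
#   file:lineno:grants:rule
# where grants is e.g. "mode=0660,group=kvm", "uaccess", or "none" when the
# rule matches kvm but sets neither permissions nor the uaccess tag.
kvm_rules() {
    # Directories udev reads on Debian stretch/buster (assumption: /lib, not /usr/lib).
    [ $# -eq 0 ] && set -- /etc/udev/rules.d /run/udev/rules.d /lib/udev/rules.d
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.rules; do
            [ -f "$f" ] || continue
            n=0
            while IFS= read -r line || [ -n "$line" ]; do
                n=$((n + 1))
                case $line in
                    *KERNEL==\"kvm\"*) ;;
                    *) continue ;;
                esac
                # Skip rules that are commented out (leading whitespace allowed).
                case ${line#"${line%%[![:space:]]*}"} in
                    \#*) continue ;;
                esac
                grants=""
                case $line in
                    *MODE=\"*) v=${line#*MODE=\"}; grants="mode=${v%%\"*}" ;;
                esac
                case $line in
                    *GROUP=\"*) v=${line#*GROUP=\"}; grants="${grants:+$grants,}group=${v%%\"*}" ;;
                esac
                case $line in
                    *TAG+=\"uaccess\"*) grants="${grants:+$grants,}uaccess" ;;
                esac
                : "${grants:=none}"
                printf '%s:%d:%s:%s\n' "$f" "$n" "$grants" "$line"
            done < "$f"
        done
    done
}

# kvm_managed [DIR...]
# Exit 0 if at least one rule sets MODE, GROUP or the uaccess tag for kvm;
# exit 1 if nothing manages the node, which is the situation the mail
# describes (the node then falls back to udev's root:root 0600 default and
# logind has no tag to act on).
kvm_managed() {
    kvm_rules "$@" | grep -qv ':none:'
}

# kvm_device_status [DEV]
# Show the live node's owner/group/mode and any per-user ACL entries logind
# added, then exit 0 only if the calling user can actually open it read/write.
# Exit 1 if the node does not exist (kvm module not loaded, no VT-x/SVM, ...).
kvm_device_status() {
    dev=${1:-/dev/kvm}
    [ -e "$dev" ] || { printf '%s: no such device node\n' "$dev"; return 1; }
    ls -l "$dev"
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$dev" 2>/dev/null | grep '^user:[^:]' \
            || printf 'no per-user ACL entry (uaccess not applied by logind)\n'
    fi
    [ -r "$dev" ] && [ -w "$dev" ]
}

# Usage on a real system:
#   kvm_rules            # which rule files mention kvm, and what they grant
#   kvm_managed || echo "nothing manages /dev/kvm"
#   kvm_device_status    # what the node looks like right now
```

On a systemd 235 box with the upstream rules the first function reports the GROUP/MODE rule from 50-udev-default.rules and the uaccess rule from 70-uaccess.rules; on a Debian box carrying the Avoid-requiring-a-kvm-system-group patch and a systemd that has already dropped the uaccess line, it reports nothing unless the qemu package's own rule is installed, and kvm_managed exits 1.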