Cannot start domain using user session

Michael Biebl biebl at debian.org
Mon Jul 9 12:06:58 BST 2018 

Am 09.07.2018 um 08:32 schrieb Guido Günther:
> Hi Michael,
> On Mon, Jul 09, 2018 at 01:30:16AM +0200, Michael Biebl wrote:
>> Related to that is
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887852
>>
>> systemd upstream removed the uaccess bits, as they install /dev/kvm with
>> 0666 permissions by default, claiming this would be safe nowadays.
>>
>> See
>> https://github.com/systemd/systemd/pull/5597
>> https://github.com/systemd/systemd/commit/b8fd3d82205f632ce001fade74fed287e1564a1a
>>
>> I think long term it would be best if the udev package setups up the
>> correct permissions for /dev/kvm, the question is whether we follow the
>> upstream default and make /dev/kvm 0666 or we chose 0640 (root:kvm) and
>> revert the bits from b8fd3d82205f632ce001fade74fed287e1564a1a to re-add
>> the uaccess tag.
> 
> Yes, I'd be good to have correct permissions out of the box. Lots of
> people don't know they need the kvm group for the user session - so 0640
> wouldn't help the cause.
> However given the hardening that is currently going on in the kernel to
> restrict user access to e.g. dmesg it'd actually be nicer to not
> have 0666. But if uaccess goes away it looks like the only way (if we'd
> don't want to maintain the uaccess code).

The uaccess mechanism is not going away. What has been dropped is the
udev rule which applies the uaccess tag to the /dev/kvm device.
We'd have to add a patch to add this udev rule back if we decide 0666 is
not a good default in Debian.

I've also CCed Ben as I'm interested in his opinion as kernel maintainer.
Ben, from the kernel POV, do you consider the kvm functionality mature
enough that we make it accessible to everyone (0666 root:root)
or should we make it accessible only to users of group kvm, which needs
explicit configuration (0660 root:kvm) and local, active users (tagging
the device with uaccess and letting logind set an ACL).

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20180709/1a817e9c/attachment-0002.sig>

More information about the Pkg-systemd-maintainers mailing list