Bug#1112660: Regression: udev TAG+="uaccess" ACLs not applied to /dev/hidraw* at boot (systemd 258~rc3-1)

Martin Scheiblhofer martin.scheiblhofer at gmx.at
Sun Aug 31 17:21:36 BST 2025 

Package: systemd
Version: 258~rc3-1 (new system) vs 257.7-1 (old system)
Severity: important
Tags: regression

Dear maintainers,

After upgrading from systemd 257.7-1 to systemd 258~rc3-1 on Debian
testing, udev's TAG+="uaccess" ACLs are no longer applied to
/dev/hidraw* during boot/coldplug on my machine. As a result, the
Solaar GUI (running as the desktop user) does not see the Logitech
receivers at login. The ACLs are applied only after either:

  * unplugging and replugging the receiver, or
  * running `sudo udevadm trigger /dev/hidraw*` and restarting Solaar.

Reproduction steps (short):
1. Boot into the new system with systemd 258~rc3-1.
2. Let Solaar start automatically as the desktop user. It reports no
devices. `ls -l /dev/hidraw*` shows `crw------- root root`.
3. Run `sudo udevadm trigger /dev/hidraw*` and restart Solaar — devices
appear immediately; `ls -l /dev/hidraw*` shows `crw-rw----+` (ACLs
present).
4. On the old system (systemd 257.7-1) the ACLs are present immediately
after boot and Solaar works without workaround.

Environment:
- Debian testing (Forky)
- Desktop: MATE
- Solaar: 1.1.14-4
- Old systemd: 257.7-1, udev 257.7-1, kernel: 6.12.41+deb13-amd64
- New systemd: 258~rc3-1, udev 258~rc3-1, kernel: 6.16.3+deb14-amd64
- Hardware: two Logitech receivers (046d:*), hidraw device in question
is `/dev/hidraw4`.

Observations:
- `70-uaccess.rules` and `73-seat-late.rules` are present.
- `udevadm test` shows the Solaar udev rule and
`RUN{builtin}+="uaccess"` being invoked for the relevant hidraw.
- Nevertheless, at coldplug/boot the ACLs are not attached to the
device. After replug or manual trigger the ACLs appear.
- Installing `systemd-userdbd` on the new system creates
`/run/systemd/userdb/io.systemd.Multiplexer`, but ACLs still are not
applied during the early coldplug boot path — they only appear after a
later event or manual trigger. The old system worked even without that
socket, which indicates a change of codepath or timing in 258.

Attached:
- 01_old_uaccess-collect-c1-20250831-145039.tar.gz (dump collected on
old system)
- 02_new_uaccess-collect-c1-20250831-145629.tar.gz (dump collected on
new system)

Attachments include: package versions, `systemctl --version`, `uname -
a`, `udevadm test` output, udev rules, `ls -l /dev/hidraw*` and
`getfacl` snapshots before and after `udevadm trigger`, and journal
excerpts filtered for udev/logind/userdb/uaccess.

Please let me know if you need additional logs (full boot journal,
`udevadm monitor` during boot, or other traces); I can reproduce and
provide them (I keep both old and new systems available as snapshots).

Thank you,
Martin Scheiblhofer
martin.scheiblhofer at gmx.at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 01_old_uaccess-collect-c1-20250831-145039.tar.gz
Type: application/x-compressed-tar
Size: 20231 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20250831/4ac4b672/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 02_new_uaccess-collect-c1-20250831-145629.tar.gz
Type: application/x-compressed-tar
Size: 29100 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20250831/4ac4b672/attachment-0003.bin>

More information about the Pkg-systemd-maintainers mailing list