Coelacanthus 😶‍🌫️ 🏳️‍⚧️
Recently, when I dealt with some package issues around probe-rs, I found that some developers and packagers may have some misunderstandings about #systemd #udev giving some users access permission. systemd udev rules have two kinds of permission mechanisms: one is like chown, which can set the device file's owner to some user or group (normally #plugdev system group); another is #uaccess, systemd will give the active user session permission via ACL.
Oct 11 at 5:02pmWeb
Show threadCoelacanthus 😶‍🌫️ 🏳️‍⚧️Oct 11

Many developers or packagers may write a rule like below:

ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3744", MODE="660", GROUP="plugdev", TAG+="uaccess"

It looks like it tries to chmod 600 and chown :plugdev, and then add access permission for the active user session via uaccess's ACL at the same time, right? NO!!!

Show threadCoelacanthus 😶‍🌫️ 🏳️‍⚧️Oct 11
In systemd behavior, if the group mentioned in the GROUP rule doesn't exist (or is not a system group since systemd v258), it will ignore the whole line rule. Since plugdev is not a system group in most #Linux distributions, any chown or uaccess operations will not work.
Show threadCoelacanthus 😶‍🌫️ 🏳️‍⚧️Oct 11
Actually, plugdev is a deprecated mechanism; it's not concrete, safe, and flexible, and was superseded by uaccess around 2012.
- It's not concrete. All users in plugdev groups can use all devices in the group, regardless of their type
- It's not safe because of the previous one. Imagine an SSH-logined user can access your camera or microphone.
- It's not flexible. The user list needs to be maintained manually. And if updated, the user needs to re-login to take effect.
Show threadCoelacanthus 😶‍🌫️ 🏳️‍⚧️Oct 11
So I suggest:
- Distributions refresh all udev rules in our packages, use the uaccess mechanism, and remove all GROUP="plugdev" usage.
- Distributions update their Packaging Guidelines, tell the packagers that when they package some software that includes udev rules, they should use the uaccess mechanism, and remove all GROUP="plugdev" usage.
- Developers update their udev rules, use the uaccess mechanism, and remove all GROUP="plugdev" usage.
Show threadCoelacanthus 😶‍🌫️ 🏳️‍⚧️Oct 11
For more information, see my report on Arch Linux: https://gitlab.archlinux.org/archlinux/packaging/packages/probe-rs/-/issues/4
Udev rule won't working in Arch Linux because of deprecated `GROUP="plugdev"` (#4) · Issues · Arch Linux / Packaging / Packages / probe-rs · GitLab

Description: In our udev rule, currently, the rule is like this:

GitLab