On Fri, Sep 05, 2008 at 03:59:06PM -0000, TJ wrote: > On Fri, 2008-09-05 at 07:41 +0000, Martin Pitt wrote: > > Perhaps the raw device node permissions should be set to be the same as the > > cooked ones? This would at least avoid tweaking for devices recognized by > > the kernel. > > Which cooked ones are you thinking about, Matt? From what I can see the > cooked group/permissions are mostly target-specific (e.g. block, video, > serial) whereas what the hypervisor needs is one group to cover all > device classes.
I was thinking of, for example, USB serial devices (which end up with 'dialout' I believe) and USB storage devices (disk). Then the existing groups could be used, and would correspond to roughly the same privileges. > > Alternatively, we could punt and say that USB pass-through requires root > > privileges or manual tweaking of the device node permissions. I'm not sure > > to what extent this feature is used in typical KVM usage; I would think it's > > mostly useful for reverse engineering and such. > > My experience, from watching the number of frustrated users posting in > forums on and off Ubuntu, is that there is a growing number of > non-technical users expecting that a VM guest 'will just work' with > their devices (mice, cameras, tablets, scanners (especially), printers, > etc.), and using the deprecated work-around > in /etc/init.d/mountdevsubfs.sh and commenting out the 'magic' around > line 40. > > This is true particularly when the guest is a Windows variant and their > purpose in using the Windows guest is to use the drivers to access a > device (esp. cameras, scanners and printers) that they find problematic > or unsupported in Linux. > > This class of non-technical user: > > * expect access to their USB devices in the VM guest the same as if it > were running on the the physical machine > * should not be using root access I understand, but I'm struggling with how we can grant raw hardware-level access to these devices (as needed by VMs) without compromising security on the host. USB is used for a wide range of peripherals, some of which should not be entrusted to unprivileged users. > If the raw device nodes in /dev/bus/usb/*/* are so unique in terms of > permissions then maybe this special-case is justifiable as a user-chosen > option (recommended but not a default package install) since it is > addressing a different scenario than the deprecated "plugdev" group? I'd like to find a way to make this work in the "new world order" first, if possible. I expect now that we've given him plenty of detail on the use cases, Martin will have a good suggestion. -- - mdz -- Could not open /proc/bus/usb/devices https://bugs.launchpad.net/bugs/156085 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
