[systemd-devel] How to give users permissions to /dev/kfd

Simon McVittie smcv at collabora.com
Mon Oct 16 11:32:59 UTC 2017


On Sat, 14 Oct 2017 at 17:50:33 +0300, Mantas Mikulėnas wrote:
> No, it's only available for local sessions (ones which systemd-logind considers
> "local" + "active"). I think the idea is that console users automatically get
> more privileges in general.

Specifically, the idea is that console users should have access to
devices that are the machine representation of things they can physically
access anyway. The classic example is audio. If Alice is sitting at a
desktop/laptop computer and Bob is ssh'd in to the same computer, it's
fine for Alice to be able to record the same audio that she can hear
already; but it is usually not OK for Bob to be able to record audio
because that would let him spy on Alice.

Similarly, logind defaults to allowing local active users to shut down
the machine (because they are likely to be in a position to pull the
plug or remove the battery anyway), but not remote users (to prevent
them from causing denial-of-service for local users or other remote users).

> For SSH-only usage, use traditional groups (e.g. add yourself to the "video"
> group). To assign group ownership to /dev/kfd, use GROUP="foo" in udev rules.

And, yes, the way to bypass the "only local users" bit is to add your uid
to an appropriate group, which is a way of saying: this user has special
privileges, and can access something (in your case video) even when not
physically present.

    smcv


More information about the systemd-devel mailing list