creating dynamic access control lists for a device: systemd and udev

Ian Malone ibmalone at
Sun Mar 25 12:22:09 UTC 2012

On 24 March 2012 19:01, Ian Malone <ibmalone at> wrote:
> Hi,
> I put in an RFE for
> a udev rule for the Fender Mustang amplifier and got a very quick
> response from Kay Sievers (someone needs to tell Red Hat about weekends).
> Obviously things have moved on since I last looked at permissions and
> their use with devices. Anyway his answer was this:
> ---
> Systemd/udev offers to assign dynamic access control lists to device
> nodes, which are only added when the user's login is active/in the
> foreground. For that to work, a name ID_<some name> for the device
> class needs to be found, this property needs to be set by the rules,
> then added to the systemd file, and logged-in users with active
> session will get access to the device.
> The rules file can be a single line like:
>  SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
>    ATTRS{idVendor}=="1ed8", ATTRS{idProduct}=="000[456]", \
>    ENV{ID_<some_name>}="1"
> ---
> The matching shown is for the device, what I don't know is how to
> choose the ID_<some_name> to set; whether there are existing ones that
> might be appropriate or whether I need to create a unit in systemd and
> a new ID_ for it. The software that needs this is currently packaged
> by someone as RPM for SUSE and Fedora, but I'd hope it could
> eventually be moved into Fedora and getting these rules right would be
> a step towards that.

Or indeed, if anyone can show me where this is documented. All I've
managed to find with Google are git commits and irrelevant mailing
list fragments. systemd-logind isn't documented,
/lib/udev/rules.d/70-uaccess.rules appears to deal with this, but what
I've seen so far appears to say that udev handling of this is being
deprecated for systemd, also there are no suitable ID_ in there, which
brings me back to the question of choosing suitable names. Is there a
list of reserved names or naming rules? If you were creating
site-specific rules presumably they could go in /etc/... To have the
package for the software add its own rules would Fedora accept a new
ID_ into wherever ID_ needs to go? (70-uaccess.rules?). I assume that
setting TAG+="uaccess" directly (assuming that's what's needed, is it?
how should I know?) in a device rule would be frowned on.

