Non-root guest doesn't have permission to access sys-fs USB devices

Bug #331331 reported by TJ
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
QEMU | Won't Fix | Undecided | Unassigned |
kvm (Ubuntu) | Won't Fix | Wishlist | Unassigned |
qemu (Ubuntu) | Won't Fix | Wishlist | Unassigned |

Bug Description

Binary package hint: kvm

Since kvm-83 in Jaunty, KVM/QEMU has supported /sys/ file-system access to USB devices.

There is, however, an issue with insufficient permissions for a non-root KVM/QEMU guest to access host USB devices.

There was discussion of this issue as part of bug #156085 "Could not open /proc/bus/usb/devices" but no resolution.

In the PPA packages I built of kvm-74 which included my sys-fs patches I also included a revised man-page that explained how to enable permissions.

       If the guest is running as non-root the permissions to /dev/bus/usb/*/* will need altering
       to allow the VM read/write access to the USB devices.

       Create a new group "vm" and add users that require USB access for VMs to it:

       sudo addgroup vm
       sudo addgroup $USER vm

       Log-out/log-in to effect the new group membership.

       Add a udev rule to assign USB devices to the vm group:

       # Virtual Machine hypervisor access to USB devices
       SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GROUP="vm"
       SUBSYSTEM=="usb_device", GROUP="vm"

       Save the file as /etc/udev/rules.d/41-vm-usb.rules and reload udevd:

       sudo /etc/init.d/udev restart

       The guest virtual machines should now be able to access the USB devices without root
       privileges.

There was quite a bit of discussion between myself, Matt Zimmerman and Martin Pitt from 2008-09-05 onwards about this but no decision made on how to proceed.

This bug is intended to focus the attention on the permissions issue.

Changed in kvm:
importance: Undecided → Wishlist
Andy Ross (andy-plausible) wrote :

Note that other user-level applications require write access to the raw USB devices. One example is "fxload", which is a firmware loader for Cypress FX2 EZ-USB interface chips. These are very common on FPGA development boards.

I worked around this as above, by assigning the plugdev group to the files via udev, but clearly a better solution is needed as the original kvm bug points out that the "groups-as-permission-domains" model is going away (a dumb idea IMHO -- replacing one access control model that's worked well for decades with a dozen mutually-incompatible domain-specific ones seems awfully overcomplicated to me...).

Dustin Kirkland  (kirkland) wrote :

I'm going to mark this confirmed, since you've discussed this with mdz and pitti. I don't know how to recommend to proceed either, for now.

:-Dustin

Changed in kvm (Ubuntu):
status: New → Confirmed
Changed in qemu (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Anthony Liguori (anthony-codemonkey) wrote :

It's unsafe to access hardware directly as an unprivileged user in general. An administrator has to decide on a case-by-case basis to allow this.

Changed in qemu:
status: New → Won't Fix
Dustin Kirkland  (kirkland) wrote :

Discussed this with upstream and this isn't something that we can or really solve as a downstream. Sorry.

:-Dustin

Changed in kvm (Ubuntu):
status: Confirmed → Won't Fix
Changed in qemu (Ubuntu):
status: Confirmed → Won't Fix
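
Added example, not part of the bug report or of the kvm/qemu packages: a Python check that reads udev rules and reports which ones hand every USB device node to a group, as the rule in the bug description does, and which ones are limited to one device, which is what a case-by-case decision by the administrator looks like in a rules file. The function names are hypothetical, the scoped rule and its IDs 1234/abcd are constructed placeholders, and one rule per line is assumed.

```python
import re

# One udev key (optionally KEY{attr}), an operator, and a quoted value.
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]+\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

# Match keys that pin a rule to particular hardware instead of every USB device.
NARROWING = {"ATTR{idVendor}", "ATTR{idProduct}", "ATTR{serial}",
             "ATTRS{idVendor}", "ATTRS{idProduct}", "ATTRS{serial}",
             "ENV{ID_VENDOR_ID}", "ENV{ID_MODEL_ID}", "ENV{ID_SERIAL_SHORT}"}

# Lines 1-3 are the rules from the bug description; lines 4-5 are constructed,
# with placeholder vendor/product IDs.
SAMPLE_RULES = """\
# Virtual Machine hypervisor access to USB devices
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GROUP="vm"
SUBSYSTEM=="usb_device", GROUP="vm"
# constructed: hand a single device model to the vm group
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTR{idProduct}=="abcd", GROUP="vm"
"""

def audit_usb_rules(text):
    """Return (line_no, group, scoped) for every rule that sets GROUP on USB devices.

    Assumes one rule per line (no backslash continuations).
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        matches = {key: value for key, op, value in tokens if op == "=="}
        assigns = {key: value for key, op, value in tokens if op in ("=", ":=")}
        if matches.get("SUBSYSTEM") not in ("usb", "usb_device"):
            continue
        if "GROUP" not in assigns:
            continue
        scoped = any(key in NARROWING for key in matches)
        findings.append((line_no, assigns["GROUP"], scoped))
    return findings

def broad_grants(text):
    """Line numbers of rules that give a group every USB device node."""
    return [line_no for line_no, _group, scoped in audit_usb_rules(text) if not scoped]

if __name__ == "__main__":
    for line_no, group, scoped in audit_usb_rules(SAMPLE_RULES):
        scope = "single device" if scoped else "ALL USB devices"
        print(f"line {line_no}: group {group!r} gets {scope}")
```

Run against the files in /etc/udev/rules.d, any line it reports as broad means members of that group can read and write every USB device on the host, including input devices and tokens.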