The default configuration for udev includes permission rules such as the following:

cdrom*:root:cdrom:0660
dvd:root:cdrom:0660
rdvd:root:cdrom:0660
cdroms/*:root:cdrom:0660
discs/*/*:root:disk:660

These are rarely effective, as they only match symlinks and not the actual device. In fact, I cannot think of an easy way to express the rule: "assign the discs to the 'disk' group and the cdroms to the 'cdrom' group", because udev cannot say whether e.g. 'hdc' is a disk or a cdrom. More precisely, udev can say whether 'hdc' is a disk or a cdrom only by looking at the symlinks assigned to it... so here comes the question: would it make sense to match the symlink names, and not only the real name, against the permission rules? I would be interested in gregkh's opinion on that... For those who are interested, I'm going to attach a working patch that does that.
Created attachment 45074: udev-match-symlink-perms.patch
You can specify permissions in udev rules files for just this reason. I suggest you make a modification to the default rules file, not a patch to udev itself. If you do make such a patch, please attach it here and reopen the bug.
Mmm... sorry but I miss the point. Is it possible to write a default permission rule to discriminate cdroms and discs, without changing the default /dev layout, and without hardcoding their position on the ide bus?
Yes it is. Look at the current rules that test for cdroms :)
Created attachment 45228: udev-gentoo-rules.patch

Ok, now I got it, thanks. The attached mini-patch makes sure that by default cdroms and floppies are assigned to the associated groups. This is important in case pam_console is switched off by default (see bug 31877).
But you aren't naming the hd devices anymore. Why did you take out the NAME="%k" section?
Because I wanted to keep the rule that creates devfs-style symlinks to cdroms and disks, without making that rule block the rule parsing and prevent the subsequent rule being applied. I left the disc creation to the default rule (assign "%k" name), but it could be added explicitly just below that, maybe something like this:

BUS="ide", KERNEL="hd*", NAME="%k", MODE="0660", GROUP="disk"
Forgot to reopen.
Doesn't the new ide-devfs.sh with the GROUP= support fix this?
Indeed, the new ide-devfs.sh solves the original problem in a very clean way, thanks. My last request is just to correctly set the group for floppy devices: --- etc/udev/gentoo/udev.permissions.orig 2004-12-14 16:44:01.145414880 +0100 +++ etc/udev/gentoo/udev.permissions 2004-12-14 16:45:08.302205496 +0100 @@ -52,6 +52,7 @@ # floppy devices fd[01]*:root:floppy:0660 +floppy/*:root:floppy:0660 # audio devices dsp*:root:audio:0660 and then this bug can be closed. By the way, you may want to apply this one, too: (internal documentation of ide-devfs.sh) --- extras/ide-devfs.sh.orig 2004-12-14 16:45:30.645808752 +0100 +++ extras/ide-devfs.sh 2004-12-14 16:45:56.201923632 +0100 @@ -2,7 +2,7 @@ # udev external PROGRAM script # return devfs-names for ide-devices -# BUS="ide", KERNEL="hd*", PROGRAM="/etc/udev/ide-devfs.sh %k %b %n", NAME="%k", SYMLINK="%c{1} %c{2}" +# BUS="ide", KERNEL="hd*", PROGRAM="/etc/udev/ide-devfs.sh %k %b %n", NAME="%k", SYMLINK="%c{1} %c{2}", GROUP="%c{3}" HOST="${2%\.[0-9]}" TARGET="${2#[0-9]\.}"
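Review bot: The added floppy/*:root:floppy:0660 entry in udev.permissions is a devfs-style path pattern, the same kind as the cdroms/* and discs/*/* entries that the original report describes as matching only symlinks and not the actual device. Please confirm that the floppy/* names are created as real nodes rather than as SYMLINK targets in the default rules; if they are symlinks, this line will not change the group of the underlying fd device, and the group is better set with GROUP="floppy" on the rule that names the device.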
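Review bot: In extras/ide-devfs.sh the header still reads "return devfs-names for ide-devices" while the example rule under it now consumes a third output word through GROUP="%c{3}". Update that description to say the script also returns a group name and which values it can be, so that anyone copying the rule knows what %c{3} expands to and what ownership results if the script prints fewer than three words.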
Right. Greg, do you mind ... ?
Will fix in next udev release.
Ok, now it's fixed...
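The decision the thread ends up delegating to a PROGRAM helper (which group should own an IDE device node), as an added example that is not the ide-devfs.sh shipped with udev. The function name ide_group, the PROC_ROOT parameter and the fallback to group root are assumptions of this sketch; it reads the kernel's /proc/ide/<name>/media file and uses only the groups named in the thread.

```shell
#!/bin/sh
# Added example; not the ide-devfs.sh shipped with udev.
# Assumption: <proc_root>/ide/<name>/media holds one word naming the
# media type (disk, cdrom, floppy, ...), as /proc/ide does on IDE kernels.

# ide_group NAME [PROC_ROOT]  (hypothetical helper)
# Prints the group that should own the device node for NAME, e.g. hdc.
ide_group() {
    name=$1
    proc_root=${2:-/proc}

    # Accept only plain IDE kernel names, optionally with a partition
    # number, so the argument can never walk out of PROC_ROOT/ide/.
    case $name in
        hd[a-z]|hd[a-z][0-9]|hd[a-z][0-9][0-9]) ;;
        *) echo "ide_group: bad device name: $name" >&2; return 2 ;;
    esac

    # A partition (hda1) shares the media type of its whole device (hda).
    whole=${name%%[0-9]*}
    media=
    if [ -r "$proc_root/ide/$whole/media" ]; then
        read -r media < "$proc_root/ide/$whole/media" || :
    fi

    case $media in
        disk|cdrom|floppy) echo "$media" ;;
        # Unknown or unreadable type: fall back to root (an assumed,
        # most restrictive default) instead of guessing a wider group.
        *) echo root ;;
    esac
}

# Constructed sample tree standing in for /proc, so this runs anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/ide/hda" "$demo/ide/hdc"
echo disk  > "$demo/ide/hda/media"
echo cdrom > "$demo/ide/hdc/media"
for dev in hda hda1 hdc hdb; do
    printf '%s -> group %s\n' "$dev" "$(ide_group "$dev" "$demo")"
done
rm -rf "$demo"
```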