ConsoleKit is supposed to be able to make my membership in the "cdrom" group redundant and unneeded. But it fails to apply ACLs to /dev/sg*, and wine uses these devices. Reproducible: Always Steps to Reproduce: 1. Install consolekit and wine. 2. Check that consolekit works, i.e., applies ACLs to CD-ROM devices like /dev/sr0 when you log in. 3. Remove yourself from the cdrom group, because this membership is supposed to be no longer needed with ConsoleKit. Logout and login again. 4. Install EAC (http://www.exactaudiocopy.de/) in wine, try to use it. Actual Results: EAC doesn't see the CD-ROM. This happens because wine uses the obsolete /dev/sg* method (not SG_IO on /dev/cdrom) to access CD-ROM when the program uses ASPI, and ConsoleKit doesn't set ACLs on /dev/sg*. Expected Results: EAC should be able to access CD-ROM as the logged-in user, even without membership in the "cdrom" group. I will be happy with any of the two resolutions: 1) Wine and all other software that uses /dev/sg* for CD-ROM access gets patched to use SG_IO instead, the "cdrom" group gets removed from udev rules about these devices. 2) ACLs are set by udev and ConsoleKit on /dev/sg* devices that correspond to CD-ROMs. I use the multilib overlay. Portage 2.2_rc67-r7 (default/linux/amd64/10.0/desktop, gcc-4.4.3, glibc-2.11.1-r0, 2.6.34-gentoo x86_64) ================================================================= System uname: Linux-2.6.34-gentoo-x86_64-Intel-R-_Core-TM-2_CPU_6420_@_2.13GHz-with-gentoo-2.0.1 Timestamp of tree: Sat, 22 May 2010 03:15:01 +0000 app-shells/bash: 4.1_p7 dev-java/java-config: 2.1.11 dev-lang/python: 2.6.5-r2, 3.1.2-r3 dev-util/cmake: 2.8.1-r1 sys-apps/baselayout: 2.0.1 sys-apps/openrc: 0.6.1-r1 sys-apps/sandbox: 2.2 sys-devel/autoconf: 2.13, 2.65 sys-devel/automake: 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1 sys-devel/binutils: 2.20.1-r1 sys-devel/gcc: 4.4.3-r2 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6b virtual/os-headers: 2.6.33 ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -march=core2 -fomit-frame-pointer -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/bind /var/lib/hsqldb" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O2 -march=core2 -fomit-frame-pointer -pipe" DISTDIR="/home/distfiles" FEATURES="assume-digests buildpkg distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch" GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo" LANG="ru_RU.UTF-8" LDFLAGS="-Wl,--as-needed" MAKEOPTS="-j3" PKGDIR="/home/packages/amd64" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/home/build" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage /var/lib/layman/multilib /var/lib/layman/java-overlay /var/lib/layman/lxde /usr/local/portage" SYNC="rsync://mirror.yandex.ru/gentoo-portage" USE="X a52 aac acl acpi alsa amd64 amr applet archive artworkextra automount bash-completion berkdb bidi bluetooth bzip2 cairo caps cdda cddb cdr cjk cli consolekit cracklib crypt css cups cxx dbus dirac djvu dri dts dvb dvd dvdr emboss encode exif faac faad fastcgi ffmpeg firefox flac fontconfig fortran fuse gcj gdbm gif gimp glibc-omitfp gnuplot gphoto2 gsm gtk iconv icq idn ieee1394 ipod ipv6 jabber jack jbig jingle jpeg jpeg2k ladspa lame lash latex lcms ldap libsamplerate mad mikmod mmx mmxext mng modules mozilla mp3 mp4 mpeg mplayer mudflap multilib musepack ncurses nls nocd nptl nptlonly nsplugin ogg opengl openmp pam pango pch pcre pdf perl png policykit ppds pppd python qt3support raw rdesktop readline reflection samba scanner schroedinger sdl session shorten smp speex spell spl sse sse2 sse3 ssl ssse3 startup-notification svg symlink sysfs tcl tcpd theora threads tiff tk truetype unicode usb v4l2 videos vim-syntax vnc vorbis wifi winbind wmf x264 xattr xcb xcomposite xinerama xml xmp xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" DVB_CARDS="tda10046lifeview" ELIBC="glibc" INPUT_DEVICES="evdev synaptics keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIRC_DEVICES="devinput audio_alsa inputlirc" RUBY_TARGETS="ruby18" SANE_BACKENDS="gt68xx" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
moving to wine maintainers: "This happens because wine uses the obsolete /dev/sg* method" ...
original reporter: please try with wine 1.3.x series from ~arch. note that 1.1.x series is no longer in portage.
The bug is still there, in both its parts. 1) Discrepancy of permissions of /dev/sr0 and (obsolete) /dev/sg1. Both have the "cdrom" group, but only /dev/sr0 has ACLs. 2) Wine still uses /dev/sg1 when an application inside it uses ASPI to send raw commands to the CD-ROM.
i dont think you mean ACLs, but rather simple ownership/permission of the devices. i also dont think these devices nodes are "obsolete" in any way. /dev/sg* cannot all be granted directly to the cdrom group because sg (scsi generic) device nodes are created for all scsi devices. /dev/sr* however are scsi recorders which means a cdrom group assumption is pretty safe. the udev guys would have to comment as to the feasibility of granting cdrom ownership to /dev/sg* devices which correspond only to scsi recording devices. as for getting wine changed, we dont do development on wine here. feature enhancements should go to http://bugs.winehq.org/ the latest code base looks only for devices that start with "sg" in /dev: dlls/wnaspi32/aspi.c:SCSI_Linux_CheckDevices() ... devdir = opendir("/dev"); for (dent=readdir(devdir);dent;dent=readdir(devdir)) { if (!(strncmp(dent->d_name, "sg", 2))) break; } closedir(devdir); ...
I do mean ACLs. The traditional unix-style permissions are already applied automatically to /dev/sg* nodes corresponding to cdroms. See here: aep@home ~ $ ls -l /dev/sr* /dev/sg* crw-rw---- 1 root disk 21, 0 Дек 20 10:24 /dev/sg0 crw-rw---- 1 root cdrom 21, 1 Дек 20 10:24 /dev/sg1 crw-rw---- 1 root disk 21, 2 Дек 20 10:24 /dev/sg2 crw-rw---- 1 root disk 21, 3 Дек 20 10:24 /dev/sg3 crw-rw---- 1 root disk 21, 4 Дек 20 10:24 /dev/sg4 crw-rw---- 1 root disk 21, 5 Дек 20 10:24 /dev/sg5 brw-rw----+ 1 root cdrom 11, 0 Дек 20 10:24 /dev/sr0 aep@home ~ $ getfacl /dev/sr0 /dev/sg1 getfacl: Removing leading '/' from absolute path names # file: dev/sr0 # owner: root # group: cdrom user::rw- user:aep:rw- group::rw- mask::rw- other::--- # file: dev/sg1 # owner: root # group: cdrom user::rw- group::rw- other::--- The ACL part of this bug is actually about the interaction with ConsoleKit. See the plus near /dev/sr0 above? It means that there are ACLs not representable with UNIX permissions. They are dumped with getfacl below. Note that there is no such ACL near /dev/sg1, although the "cdrom" group is applied to /dev/sg1. Consolekit is the program that automatically creates such ACLs for logged-in users. It is supposed to make the cdrom group unneeded.
I fixed this bug myself, by adding this line to /lib/udev/rules.d/70-acl.rules: SUBSYSTEM=="scsi_generic", ENV{ID_CDROM}=="1", TAG+="udev-acl" I know that it will be overwritten on udev upgrade if you don't take it into the package :)
Oops, I pasted the wrong rule. Here is the correct one: SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="udev-acl"
The ACLs on /dev/sg* are correct now, so the permissions-related part of this bug no longer exists. Wine still uses the obsolete /dev/sg* devices, though - it is an upstream bug.
50-udev-default.rules from udev-210: SUBSYSTEM=="block", KERNEL=="sr[0-9]*", GROUP="cdrom" SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", GROUP="cdrom" 70-udev-acl.rules from consolekit-0.4.6: SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="udev-acl" so I don't think there is anything left to be done for udev-bugs@, rather this is app-emulation/wine problem for using old interfaces like Comment #8 already said
(In reply to Samuli Suominen from comment #9) > 50-udev-default.rules from udev-210: > > SUBSYSTEM=="block", KERNEL=="sr[0-9]*", GROUP="cdrom" > SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", > GROUP="cdrom" > > 70-udev-acl.rules from consolekit-0.4.6: > > SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", > TAG+="udev-acl" Result of above setup: $ ls -ld /dev/{sg*,sr*} crw-rw---- 1 root disk 21, 0 Feb 21 16:27 /dev/sg0 crw-rw----+ 1 root cdrom 21, 1 Feb 21 16:27 /dev/sg1 crw-rw---- 1 root disk 21, 2 Feb 23 10:16 /dev/sg2 crw-rw----+ 1 root cdrom 21, 3 Feb 23 10:16 /dev/sg3 brw-rw----+ 1 root cdrom 11, 0 Feb 21 16:27 /dev/sr0 brw-rw----+ 1 root cdrom 11, 1 Feb 23 10:16 /dev/sr1 Looks okay to me, group is coming from udev, ACL + is coming from ConsoleKit (or alternatively, systemd's uaccess (logind))
As comment 4 says, > we dont do development on wine here