I’ve been looking into the multimedia and pipewire setups and I stumbled upon a more or less stupid question… So pipewire is running as a systemd socket-activated user service… Now my first question is how does it access the /dev/video* and /dev/snd/* devices…
At a first glance these devices are owned by root:video in the case of video devices…
```
romh@fedora:~$ ls -la /dev/video*
crw-rw----+ 1 root video 81, 0 Nov 12 08:59 /dev/video0
crw-rw----+ 1 root video 81, 1 Nov 12 08:59 /dev/video1
```
I think the reason pipewire can access the devices is because something changes the acl to the current effective user and this is the user pipewire is running as.
```
romh@fedora:~$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:romh:rw-
group::rw-
mask::rw-
other::---
```
When I create a new user and switch to this user using the GNOME interface, I can clearly see the FACL is updated to this new user and of course my new user can access libcamera etc…
So my question is what exactly changes the ACL… I am thinking it could be systemd-logind or polkit or udevadm, but I looked in the configuration files and I am not sure, would appreciate any insight or pointing in the right direction…
I asked in #pipewire how users access the webcam devices. systemd-logind changes the ACL for the webcam devices so that the logged-in user can access the webcam device.
I think you are right… Although I was expecting to find some rule in systemd that explicitly calls setfacl, I think the reality is that this is happening in the source code of systemd-logind.
For example, in src/login/logind-seat.c, part of logind, there is a function trail that goes something like this: seat_apply_acls → devnode_acl_all → devnode_acl → acl_create_entry, acl_add_perm
Although I am not 100% sure, I know that I failed so far to find some explicit text rules, and as we can see the systemd-logind executable seems to contain indeed some libacl calls and changes to device nodes, so I think you are right… I will mark your answer as approved and if someone finds something I missed we can revert to this discussion