Video device ownership

Hello,

I’ve been looking into the multimedia and pipewire setups and I stumbled upon a more or less stupid question… So pipewire is running as a systemd socket activated user service… Now my first question is it how does it access the /dev/video* and /dev/snd/* devices…

At a first glance these devices are owned by root:video in the case of video devices…

romh@fedora:~$ ls -la /dev/video*
crw-rw----+ 1 root video 81, 0 Nov 12 08:59 /dev/video0
crw-rw----+ 1 root video 81, 1 Nov 12 08:59 /dev/video1

I think the reason pipewire can access the devices is because something changes the acl to the current effective user and this is the user pipewire is running as.

romh@fedora:~$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:romh:rw-
group::rw-
mask::rw-
other::---

When I create a new user and switch to this user using gnome interface, I can clearly see the FACL is updated to this new user and of course my new user can access libcamera etc…

So my question is what exactly changes the ACL… I am thinking it could be systemd-logind or polkit or udevadm, but I looked in the configuration files and I am not sure, would appreciate any insight or pointing in the right directions…

Thank you in advance

I’m not the expert here, but this could be a clue

I asked in #pipewire how users access the webcam devics. systemd-logind changes the ACL for the webcam devices so that the logged-in user can access the webcam device.

4 Likes

I think you are right… Although I was expecting to find some rule in systemd that explicitly calls setfacl, I think the reality is that this is happening in the source code of systemd-logind.

For example in src/login/logind-seat.c part of logind there is a function trail that goes something like this seat_apply_acls → devnode_acl_all → devnode_acl → acl_create_entry,acl_add_perm

and these last functions I think are from libacl.

romh@fedora:~$ ldd /usr/lib/systemd/systemd-logind
	linux-vdso.so.1 (0x00007ff90da5f000)
	libsystemd-shared-256.7-1.fc41.so => /usr/lib64/systemd/libsystemd-shared-256.7-1.fc41.so (0x00007ff90d400000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007ff90d9c6000)
	libc.so.6 => /lib64/libc.so.6 (0x00007ff90d20e000)
	libacl.so.1 => /lib64/libacl.so.1 (0x00007ff90d9bc000)
       ....

Although I am not 100% sure, I know that I failed so far to find some explicit text rules and as we can see systemd-logind executable seems to contain indeed some libacl calls and changes to device nodes so I think you are right… I will mark your answer as approved and if someone find something I missed we can revert to this discussion

Thank you

1 Like