Non-root guest doesn't have permission to access sys-fs USB devices
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
QEMU | Won't Fix | Undecided | Unassigned | |
kvm (Ubuntu) | Won't Fix | Wishlist | Unassigned | |
qemu (Ubuntu) | Won't Fix | Wishlist | Unassigned | |
Bug Description
Binary package hint: kvm
Since kvm-83 in Jaunty, KVM/QEMU has supported /sys/ file-system access to USB devices.
There is, however, an issue with insufficient permissions for a non-root KVM/QEMU guest to access host USB devices.
There was discussion of this issue as part of bug #156085 "Could not open /proc/bus/
In the PPA packages I built of kvm-74 which included my sys-fs patches I also included a revised man-page that explained how to enable permissions.
If the guest is running as non-root the permissions to /dev/bus/usb/*/* will need altering
to allow the VM read/write access to the USB devices.
Create a new group "vm" and add users that require USB access for VMs to it:
sudo addgroup vm
sudo addgroup $USER vm
Add a udev rule to assign USB devices to the vm group:
# Virtual Machine hypervisor access to USB devices
Save the file as /etc/udev/
sudo /etc/init.d/udev restart
The guest virtual machines should now be able to access the USB devices without root privileges.
There was quite a bit of discussion between myself, Matt Zimmerman and Martin Pitt from 2008-09-05 onwards about this but no decision was made on how to proceed.
This bug is intended to focus the attention on the permissions issue.
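A check one might run after the group and udev change described in the report, to see which nodes under /dev/bus/usb the group can actually open and whether any are readable and writable by everyone. This is an added example, not part of the original report or its man page; the function names are hypothetical, and it assumes GNU find and stat and looks only at mode bits.

```sh
#!/bin/sh
# Added example (not from the report): audit USB device-node permissions.
# usb_node_audit ROOT GROUP prints "<verdict> <mode> <group> <path>" per node:
#   group-rw   GROUP owns the node and has read+write (what the rule intends)
#   world-rw   every local user has read+write (broader than intended)
#   no-access  GROUP gets no read+write from the group or other mode bits
# Assumes GNU find/stat; checks mode bits only, POSIX ACLs are not inspected.
usb_node_audit() {
    root=$1
    group=$2
    find "$root" -mindepth 2 -maxdepth 2 ! -type d | sort |
    while IFS= read -r node; do
        set -- $(stat -c '%a %G' "$node")   # $1 = octal mode, $2 = group name
        perm=$((0$1))                       # leading 0 makes it an octal literal
        if [ $((perm & 06)) -eq $((06)) ]; then
            verdict=world-rw
        elif [ "$2" = "$group" ] && [ $((perm & 060)) -eq $((060)) ]; then
            verdict=group-rw
        else
            verdict=no-access
        fi
        printf '%s %s %s %s\n' "$verdict" "$1" "$2" "$node"
    done
}

# Constructed sample tree: regular files stand in for /dev/bus/usb/BBB/DDD.
usb_audit_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/001" "$demo/002"
    : > "$demo/001/001"; chmod 660 "$demo/001/001"   # group read+write
    : > "$demo/001/002"; chmod 600 "$demo/001/002"   # owner-only node
    : > "$demo/002/001"; chmod 666 "$demo/002/001"   # over-permissive node
    usb_node_audit "$demo" "$(stat -c %G "$demo/001/001")"
    rm -rf "$demo"
}

# On a real host, with the group from the report: usb_node_audit /dev/bus/usb vm
usb_audit_demo
```

Any node reported as world-rw is open to every local account, not just members of the group, which is wider than the group-based setup in the report calls for.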
Changed in kvm:
importance: Undecided → Wishlist
Changed in qemu (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Note that other user-level applications require write access to the raw USB devices. One example is "fxload", which is a firmware loader for Cypress FX2 EZ-USB interface chips. These are very common on FPGA development boards.
I worked around this as above, by assigning the plugdev group to the files via udev, but clearly a better solution is needed as the original kvm bug points out that the "groups-as-permission-domains" model is going away (a dumb idea IMHO -- replacing one access control model that's worked well for decades with a dozen mutually-incompatible domain-specific ones seems awfully overcomplicated to me...).