systemd: Set /dev/kvm mode to 0660

The default /dev/kvm mode is 0666 and we consider it "not so safe". Like Tim said: "I'm also authenticating to my system all the time and don't do a chmod -R 777 / after every boot." With this option, the /dev/kvm mode is set to 0660 and it's tagged "uaccess" so systemd-logind will add an ACL entry for users logged-in locally.
2025-06-18 19:29:21 +01:00 · 2023-04-10 16:00:34 +08:00 · 2023-04-10 16:00:34 +08:00 · dfde6640eb
commit dfde6640eb
parent e9ab2b3af0
1 changed files with 10 additions and 0 deletions
--- a/chapter08/systemd.xml
+++ b/chapter08/systemd.xml
@ -66,6 +66,7 @@ meson --prefix=/usr                 \
      -Dman=false                   \
      -Dmode=release                \
      -Dpamconfdir=no               \
+      -Ddev-kvm-mode=0660           \
      -Ddocdir=/usr/share/doc/systemd-&systemd-version; \
      ..</userinput></screen>

@ -167,6 +168,15 @@ meson --prefix=/usr                 \
          functional on LFS.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>-Ddev-kvm-mode=0660</parameter></term>
+        <listitem>
+          <para>The default udev rule would allow all users to access
+          <filename class='devicefile'>/dev/kvm</filename>.  The editors
+          consider it dangerous.  This option overrides it.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>

    <para>Compile the package:</para>