Overriding permissions from udev sample rules

Bryan Kadzban bryan at kadzban.is-a-geek.net
Sat Oct 13 17:00:40 PDT 2007

I've gotten a bit of time this weekend to look at what it would take to
upgrade udev in the development book.  I've looked through 25-lfs.rules
and tried to remove as many rules as possible (all the rules that were
duplicated in udev's new 50-udev-default.rules file in current udev git;
there were several bugfixes put in there since -115 was released).

There's one problematic area here, though: permissions.  The default
udev file assigns different permissions than we do in several areas, and
uses a different group than we do in others.  This wouldn't be a huge
problem, because we should just be able to move 25-lfs.rules to run
after 50-udev-default.rules, and override the permissions that get set

The problem with this is that some of the rules have the "last_rule"
option applied to them, so they *can't* be overridden.  (This applies to
most of the TTY-style devices.)  Personally, I think this is a bug in
udev; it should not be installing rules that there's no way to override,
if those rules assign permissions; permissions should be assigned by the
distro or admin.  (The last_rule options are there because this file was
copied from SuSE, and it had them.  I don't know why they were in SuSE's
rules, though.)

I can see a few different options.  First, we could simply remove the
last_rule options, e.g. with the following sed:

sed -i 's/, OPTIONS="last_rule"//' 50-udev-default.rules

since nothing that has this option set should have it.

Second, we could set the MODE and/or GROUP ourselves before 50-, and use
the := assignment operator, so the last_rule rules can't override them.

Third, we could try to get udev to remove this option, or at least
explain why it's there (actually I think I'll try to do the latter anyway).

The advantage of option 1 over option 2 is that we can keep all our
customizations in a single file; option 2 would require the TTY mode and
group changes to be split out into a file that runs before 50-, and
everything else into a file that runs after 50-.  (And nothing prevents
other rules in 50- from interfering with other custom permissions in the
future, either.)

The disadvantage of option 1 is that every time the user upgrades udev,
they have to re-run the sed.  According to the comments in the rules
files, those files get replaced every time udev gets reinstalled or
upgraded.  (Of course, the udev-115 Makefile disagrees: it only installs
the files if the target files are not readable or not there.  But I'd
rather not rely on that if the files themselves say they can be

Option 3 will be slow -- but then again, this will probably take a while
to fix anyway, and I'd already like to wait for -116.  So maybe we
should just do that.


(There's at least one other issue preventing upgrade: the persistent
network script's "all_interfaces" code has been removed, so even with
this figured out, we can't upgrade right away.  But we do need it to be
figured out.)
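
Added example, not part of the original post and not code from udev or LFS: a check that can be re-run after each udev upgrade, tied to option 1 above. It lists rules that assign OWNER, GROUP or MODE and also carry last_rule, applies the sed expression from the post, and confirms nothing is left. The sample rules and all function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample in the style of a default rules file (not udev's real file).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample rules
KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", OPTIONS="last_rule"
KERNEL=="ttyS[0-9]*", GROUP="uucp", MODE="0660", OPTIONS="last_rule"
KERNEL=="null", MODE="0666"
KERNEL=="ram*", OPTIONS="last_rule"
EOF
}

# List non-comment rules that assign OWNER/GROUP/MODE (= or :=, not the ==
# comparison) and mention last_rule: a later rules file cannot change these.
locked_permission_rules() {
    awk '!/^[ \t]*#/ && /last_rule/ && /(OWNER|GROUP|MODE):?="/ { print FILENAME ":" FNR ": " $0 }' "$1"
}

# Number of locked permission rules in the file.
count_locked() {
    locked_permission_rules "$1" | wc -l | tr -d ' '
}

# Number of non-comment rules that still mention last_rule in any form.
count_last_rule() {
    awk '!/^[ \t]*#/ && /last_rule/ { n++ } END { print n + 0 }' "$1"
}

# Option 1: the sed expression from the post, written through a temporary
# file so the rules file keeps its inode, owner and mode.
strip_last_rule() {
    tmp="$1.tmp.$$"
    sed 's/, OPTIONS="last_rule"//' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demo run on the constructed sample.
f=$(mktemp) && make_sample "$f"
echo "locked permission rules before: $(count_locked "$f")"
locked_permission_rules "$f"
strip_last_rule "$f"
echo "locked after: $(count_locked "$f"), last_rule left: $(count_last_rule "$f")"
rm -f "$f"
```

A non-zero "last_rule left" count after the sed means some rule spells the option differently from what the expression matches, so those lines need a manual look.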