How can I enforce persistent ACLs on startup for /dev/video* devices?

Rob asked:

I have a USB webcam on /dev/video0 that I’m trying to access before a user logs in (to be precise, I have an Azure IoT Edge container running on an Ubuntu 18.04 instance that needs to run in headless mode, and the box needs to be able to be power cycled without someone having to physically log in every time).

If I first physically log in on the box, the ACLs are set properly for /dev/video0, and my container (which runs under myuser) can happily access /dev/video0:

$ sudo getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:myuser:rw-
group::rw-
mask::rw-
other::---

But if I do not physically log in on the box (e.g. right after a reboot), my user’s account (myuser) never gets ACL access to /dev/video0 (instead, the gdm user gets it).

$ sudo getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:gdm:rw-
group::rw-
mask::rw-
other::---

I’m 99% sure this is an ACL problem, because when I ssh into the box (before physically logging in), and manually add myuser to the ACL list for /dev/video0, my container can again happily access /dev/video0.

My question: how can I ensure that on startup, when /dev/video0 is mounted, that this automatically happens:

sudo setfacl -m u:myuser:rw /dev/video0

Adding myuser to the video group does not work (ACLs seem broken on Ubuntu in this respect):

sudo usermod -a -G video myuser

I’ve tried every variation I can possibly think of RE: groups, with no impact. It seems like I really need to automatically add myuser to the ACL for /dev/video0 when Ubuntu starts, but I am unsure how to do that. Any ideas?

My answer:
To be extremely precise, you need to start this before Docker starts your container.

So you can add a drop-in for the Docker systemd unit, to run whatever you wish prior to Docker starting.

For instance, I would create a systemd drop-in like this:

sudo mkdir -p /etc/systemd/system/docker.service.d
cat <<EOF | sudo tee /etc/systemd/system/docker.service.d/video-permissions.conf
[Service]
ExecStartPre=/usr/bin/setfacl -m u:myuser:rw /dev/video0
EOF

At this point, whenever Docker starts, the indicated command will be run beforehand.
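One limitation of a fixed ExecStartPre=setfacl line is that it fails (and blocks Docker from starting) when /dev/video0 has not been enumerated yet, and it covers only one node. The script below is an added example, not part of the original answer: it grants the user rw on every /dev/video* node that exists, skips absent ones, and verifies each entry by reading the ACL back with getfacl. The helper names grant_video_acl and has_acl_entry, and the install path in the usage note, are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper script, not from the original answer).
# Grants one user read/write on /dev/video* nodes and verifies the ACL entry.

# has_acl_entry FILE USER: true if FILE carries a named-user ACL entry for
# USER with read and write bits. Compares numeric ids so a name or a uid works.
has_acl_entry() {
    file=$1
    uid=$(id -u "$2") || return 1
    getfacl --numeric --absolute-names "$file" 2>/dev/null |
        grep -q "^user:${uid}:rw-"
}

# grant_video_acl USER [DEVICE...]: add user:USER:rw to each device node.
# With no devices given, every existing /dev/video* node is used. Nodes that
# are not present are skipped (the camera may not be enumerated yet), so the
# function fails only when a node exists and the entry cannot be set or
# read back. setfacl -m recomputes the mask entry, so rw stays effective.
grant_video_acl() {
    user=$1; shift
    [ $# -eq 0 ] && set -- /dev/video*
    status=0
    for dev in "$@"; do
        if [ ! -e "$dev" ]; then
            echo "skip: $dev not present" >&2
            continue
        fi
        if setfacl -m "u:${user}:rw" "$dev" && has_acl_entry "$dev" "$user"; then
            echo "ok: $dev -> user:${user}:rw-" >&2
        else
            echo "FAILED: could not set or verify ACL on $dev" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone use: grant-video-acl.sh myuser [/dev/video0 ...]
if [ $# -gt 0 ]; then
    grant_video_acl "$@"
fi
```

Installed as (for example) /usr/local/bin/grant-video-acl.sh, the drop-in line becomes ExecStartPre=/usr/local/bin/grant-video-acl.sh myuser, and `journalctl -u docker` shows the ok/skip/FAILED lines for each node.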
View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.