Why a user could run qemu virtual machine in KVM mode without access to /dev/kvm on Debian 12 (bookworm)?

One user account A, could run qemu VMs with kvm enabled, with the option -enable-kvm.

But user A does not have access to /dev/kvm. The related user groups and /dev/kvm permission is as follows.

$ id
uid=1004(A) gid=1004(A) groups=1004(A),100(users)
$ stat /dev/kvm
  File: /dev/kvm
  Size: 0               Blocks: 0          IO Block: 4096   character special file
Device: 0,5     Inode: 714         Links: 1     Device type: 10,232
Access: (0660/crw-rw----)  Uid: (    0/    root)   Gid: (  104/     kvm)

According to [SOLVED] Qemu with KVM fails, permission denied and other posts, users need to have access to /dev/kvm to use kvm-enabled qemu VMs.
This is usually done by putting a user into the group kvm.

Why user A is able to use qemu VMs with KVM?

System information:

  • Debian GNU/Linux 12 (bookworm)
  • installed with a live iso
Asked By: liginity

||
Source

On Debian (and others), /dev/kvm is managed using uaccess; essentially, this provides access to certain devices to the user logged in “at the console” (i.e. sitting in front of the computer).

You can see this in action by checking the ACLs:

getfacl /dev/kvm

This should show an ACL granting read/write access to user A.

You’ll find the relevant udev rule in /lib/udev/rules.d/70-uaccess.rules. See also What's the purpose of kvm, libvirt and libvirt-qemu groups in Linux?

Answered By: Stephen Kitt
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.