Issue

• By default, udev sets an ACL on the CDROM device /dev/sr0 so the user using the console is given permission to access it. I would like to disable that functionality. I want to change the group and leave the default 660 permissions as they are.

• I've researched udev rules to disable uaccess but nothing I create works. Setting the following rule changes the group. The OPTIONS+="last_rule", according to documentation, should prevent further changes such as the system 70-uaccess.rules from adding theuaccess tag, It does not.

/etc/udev/rules.d/60-dta-lockdown.rules:
SUBSYSTEM=="block", ENV{ID_CDROM}=="1", GROUP="2014", OPTIONS+="last_rule"

• Running a rule after the 70-uaccess.rules to remove the tag does not work either. (This feature is likely only available in a newer version of udev/systemd.)

/etc/udev/rules.d/71-dta-lockdown2.rules:
SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG-="uaccess"

• The only way I've gotten it to stop is to comment out the CDROM rules in /lib/udev/rules.d/70-uaccess.rules. This is not desirable since an update will replace the file and enable the functionality.