Which rights do scripts have that are triggered by a udev rule?

Question

From what I understand I can create a udev rule to run a script e.g. when a USB device is plugged in:

SUBSYSTEMS=="usb", ATTRS{idVendor}=="0123", ATTRS{idProduct}=="0815", SYMLINK+="mydevice", ACTION=="add", RUN+="/path/to/my/script.sh"

My question is now, which rights does this script have?

I found two questions that relate to the subject:

• Does udev need sudo in run: the problem was elsewhere and the question in the title was never answered
• Notification not showing up by script run by udev rules: an answer says to “use sudo to run notify-send as same user (Not as root)”, which to me implies that a) the script has the right to sudo and b) would run as root if you don’t specify the user

I could not find any documentation that went beyond stating that the RUN parameter exists for udev rules concerning its rights and abilities.

Answer 1

Generally, unless otherwise specified, programs started by something are run as the same user as that something. In this case, that's systemd-udevd, and it runs as root, so the programs are run as root (which is why you need to use sudo to run as another user).

Even so, there are some limitations:

Note that running programs that access the network or mount/unmount filesystems is not allowed inside of udev rules, due to the default sandbox that is enforced on systemd-udevd.service.