How is the ACL set on USB-devices?

Apparently the user knut has additional rw permissions here. But how did he get them?

Is the user "knut" logged in at the console? On many recent Linux systems, udev grants device access based on who is currently logged on.

(Here "console" means the main display+keyboard attached directly to the computer – whether it's text-mode or graphical has no relevance.)

Older versions (including Debian 6) have rules with TAGS+="udev-acl" and obtain the session status from ConsoleKit if present, pam_console otherwise. Check who, the contents of /var/run/console, and perhaps ck-list-sessions. These mechanisms are relatively simple – if the user is logged in to the "console", they get access, otherwise not.

Distributions using systemd take the same information from systemd-logind and use the "uaccess" tag instead. In addition to the console, logind additionally supports "multi-seat" systems, where multiple users can work on multiple displays at once, with each having an assigned USB port.

If you want to bypass this and grant access to other users, you can use traditional "group" permissions for this – write an udev rule assigning your device to GROUP="camera-users" and add people to that group.

After toggling the camera on and off ones it actually gets mounted on another device:

ulf@term13:~(0)$ lsusb | grep Nikon
Bus 001 Device 093: ID 04b0:0428 Nikon Corp. 

On Linux (and generally Unixes), 'mount' refers to attaching a filesystem to some directory ("/dev/sda2 is mounted on /boot" – the filesystem which /dev/sda2 contains was made accessible at /boot). Meanwhile USB device numbers are just numbers, assigned sequentially; this doesn't constitute 'mounting' the device.