On Mon, Oct 25, 2010 at 05:28, Xiaofan Chen <xiaofanc@xxxxxxxxx> wrote:
> On Fri, Oct 22, 2010 at 10:10 PM, Kay Sievers <kay.sievers@xxxxxxxx> wrote:
>> On Wed, Oct 20, 2010 at 16:07, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>>> On Wed, 20 Oct 2010, Xiaofan Chen wrote:
>>>> From udev 163 release's 50-udev-default.rules:
>>>> # libusb device nodes
>>>> SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
>>>>
>>>> I wonder if this is better changed to using the "usb" or "plugdev"
>>>> group and "0660". Then it is quite easy to ask the user to
>>>> add themselves to the "usb" or "plugdev" group in order to use libusb
>>>> based applications as a non-root user.
>>
>> Users are not put into any groups for device access these days.
>>
>> Certain classes of USB devices like printers, fingerprint readers,
>> scanners, webcams, ... get ACLs assigned for locally logged-in users
>> only.
>>
>> Group permissions on devices can be used from remote logins, which
>> needs to be prevented for security reasons, like you don't want
>> anybody logged in over ssh to enable your webcam, or listen to your
>> sound card.
>>
>
> I wonder if the default udev rule for libusb devices (mode 0664) follows your
> reasoning. I do not think a group-based rule (mode 0660 and using the "plugdev"
> group) is any worse than the default libusb udev rule for remotely logged-in
> users.
>
> And there are plenty of group-based rules in 50-udev-default.rules,
> like sound, video and firewire devices.
>
> E.g. all the lines above the default libusb rules:
>
> # sound
> SUBSYSTEM=="sound",             GROUP="audio"
> KERNEL=="mixer0",               SYMLINK+="mixer"
>
> # DVB (video)
> SUBSYSTEM=="dvb", GROUP="video"
>
> # FireWire (firewire-core driver: IIDC devices, AV/C devices)
> SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", GROUP="video"
> SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", GROUP="video"
> SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", GROUP="video"
> SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", GROUP="video"
>
> # libusb device nodes
> SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
>
> Am I missing something obvious here?

These are groups for system daemons like video grabbers and such, and
not groups to ever put individual users in.

The commonly used groups are device-class based matches only. The
udev-managed user ACLs are also class based only, and not bus based.
There is no unpredictable match like 'all pci devices'. For example, we
must never grant access to a USB device which contains a usb-storage
block device.

You can just add such a udev rule to systems you administrate, if
that's the behavior you expect and you can be sure it's not a security
issue. The default udev installation does not suggest/recommend/support
anything like this.

Thanks,
Kay
--
To unsubscribe from this list: send the line "unsubscribe linux-hotplug" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
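Kay's point above is that the distinction that matters is scope: a rule keyed only on SUBSYSTEM=="usb" hands out access to every USB device on the bus (including ones that also expose a usb-storage block device), whereas a rule a local administrator adds for one known device can be narrowed by idVendor/idProduct. The following is an added example, not part of the thread and not udev's own code: a small POSIX shell audit that flags USB access rules in a rules file which set GROUP= or MODE= without an ATTR{idVendor} match. The sample rules file is constructed inline; the vendor:product pair 1234:5678 in the narrow rule is a placeholder, not a real device.

```shell
#!/bin/sh
# Added example (not from the thread): flag bus-wide USB device-access
# rules in a udev rules file, as opposed to rules narrowed to one device.
# Assumption: one rule per line, in the syntax shown in 50-udev-default.rules.

# Constructed sample rules file for the demo (not a real system file).
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# bus-wide: every USB device node becomes world-readable
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
# bus-wide, group based: every USB device node for everyone in plugdev
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GROUP="plugdev", MODE="0660"
# narrow: one vendor:product pair (placeholder IDs), the kind of rule a
# local admin adds for a single known device
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="1234", ATTR{idProduct}=="5678", GROUP="plugdev", MODE="0660"
# class-based group rule, not a USB rule at all
SUBSYSTEM=="sound", GROUP="audio"
EOF

# Print every non-comment rule that matches SUBSYSTEM=="usb", grants access
# via GROUP= or MODE=, and carries no ATTR{idVendor} match. A rule without a
# vendor match is treated as bus-wide ("all USB devices").
broad_usb_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
      | grep 'SUBSYSTEM=="usb"' \
      | grep -E '(GROUP|MODE)=' \
      | grep -v 'ATTR{idVendor}'
}

# Number of flagged rules, as a plain integer for scripting.
broad_usb_rule_count() {
    broad_usb_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: list the flagged rules from the sample file.
broad_usb_rules "$SAMPLE_RULES"
```

To run this against a real system, pass /lib/udev/rules.d/50-udev-default.rules or the files under /etc/udev/rules.d instead of the sample; the idVendor/idProduct values for a narrow rule come from `udevadm info -a -n /dev/bus/usb/BBB/DDD`, and `getfacl` on the same node shows whether a logged-in user already has ACL access without any group membership.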