Re: [PATCH spice-gtk] acl-helper policykit policy: Allow redir by default for console users

Looks good, ACK

Christophe

On Thu, Dec 20, 2012 at 10:01:12PM +0100, Hans de Goede wrote:
> This makes usb-redir a lot more user-friendly to use. This has been
> discussed with the security team and they are ok with it, rationale:
> 
> Since we only set <allow_active> to yes, we only give raw usb access
> to users *physically present behind the machine*. This is ok since
> they already have full control over usb devices anyways, they can
> always just unplug the device and put it in a user controlled machine.
> 
> This follows how we already grant a great deal of access to users
> *physically present behind the machine* including dangerous things like
> /dev/sg access for cd/dvd writers. And raw usb access to all devices which
> happen to have a userspace driver rather than an in-kernel driver.
> 
> Also the opening up is limited compared to the existing opening up of
> other devices listed above in that:
> 
> 1) It will only happen on machines which have spice-glib installed
> 2) We are not opening up the device nodes rights automatically, as a udev rule
> would do. So there is no chance that any random app can start (accidentally)
> poking the devices.
> 
> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
> ---
>  data/org.spice-space.lowlevelusbaccess.policy | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/data/org.spice-space.lowlevelusbaccess.policy b/data/org.spice-space.lowlevelusbaccess.policy
> index 170f5ff..535ee31 100644
> --- a/data/org.spice-space.lowlevelusbaccess.policy
> +++ b/data/org.spice-space.lowlevelusbaccess.policy
> @@ -13,7 +13,7 @@
>      <message>Privileges are required for low level USB device access (for usb device pass through).</message>
>      <defaults>
>        <allow_inactive>no</allow_inactive>
> -      <allow_active>auth_admin_keep</allow_active>
> +      <allow_active>yes</allow_active>
>      </defaults>
>    </action>
>  
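
Review bot: The new `<allow_active>yes</allow_active>` default carries no explanation in the policy file itself; the rationale (access limited to users with an active local session, agreed with the security team) exists only in the commit message. An XML comment directly above that line stating why an unauthenticated default is acceptable here would help packagers and administrators who audit installed policy files. The `<message>` line in the same hunk still says "Privileges are required", which no longer matches what an active-session user experiences, since `yes` grants the action without a prompt and `<allow_inactive>no</allow_inactive>` denies outright; consider rewording it or noting when it is still shown. No `<allow_any>` element is visible in this hunk, so the behaviour for clients outside a local session cannot be confirmed from these lines.
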
> -- 
> 1.8.0.2
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
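
The following is an added example, not part of the patch or of spice-gtk: a small audit script that reads a polkit policy document and reports which actions are granted without any authentication prompt, which is what the `<allow_active>yes</allow_active>` default discussed above does. The sample XML and its action ids are constructed placeholders, and treating an omitted element as `no` is an assumption of this script.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <defaults> block in the patch; the
# action ids are placeholders, not the ids used by the project.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.usb-access">
    <message>Privileges are required for low level USB device access</message>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.other">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

SESSION_CLASSES = ("allow_any", "allow_inactive", "allow_active")


def implicit_grants(policy_xml):
    """Map action id -> {session class: implicit authorization value}."""
    grants = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        per_class = {}
        for cls in SESSION_CLASSES:
            value = defaults.findtext(cls) if defaults is not None else None
            # Assumption: a missing or empty element is treated as "no".
            per_class[cls] = (value or "no").strip()
        grants[action.get("id")] = per_class
    return grants


def passwordless(grants):
    """Return sorted (action id, session class) pairs granted with no prompt."""
    return sorted((aid, cls) for aid, per_class in grants.items()
                  for cls, value in per_class.items() if value == "yes")


if __name__ == "__main__":
    for aid, cls in passwordless(implicit_grants(SAMPLE_POLICY)):
        print(f"{aid}: {cls}=yes (no authentication prompt)")
```

To audit an installed system, pass the contents of each policy file to `implicit_grants` instead of the sample string.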
