Re: [PATCH v4] usbredir: fix redirection of user-accesible device nodes.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

Excerpts from Michal Suchanek's message of Mon Jul 20 19:10:20 +0200 2015:
> Excerpts from Hans de Goede's message of Mon Jul 20 17:46:41 +0200 2015:
> > Hi,
> > 
> > On 20-07-15 11:51, Christophe Fergeau wrote:
> > > Hey,
> > >
> > > Looks good te me now.
> > > Hans, would you mind taking a quick look at that
> > > patch in case you have objections on the change (if
> > > spice_usb_acl_helper_open_acl_finish() fails, try to directly open the
> > > device node anyway as it may be user-accessible).
> > 
> > I do not think that this is the right thing todo, this means e.g.
> > that if policykit / the admin explicitly denies redirection, but
> > the usb device node happens to be opened up (which happens with
> > e.g. scanners), then we will still redirect, this seems wrong to me.
> > 
> > Instead Michal should fixup his policykit so that the helper works
> > for him.
> 
> Hello,
> 
> this policykit thing is spice-specific afaik.
> 
> The standard way to set up permissions which works with anything that
> accesses USB devices is udev rules.
> 
> I set up udev rules to access these devices and I cannot redirect them.
> 
> In fact if Debian maintainers did not compile in support for policykit
> I could redirect the devices which I can access.
> 
> So effectively compiling in support for policykit denies redirection of
> perfectly accessible devices which is in my view wrong.
> 
> If your scanner devices happen to be accessible to you (probably because
> you are member of the scanner group) then you can access those devices
> with any random software and should be able to redirect them with spice.
> 
> It's system administrator's job to add and remove users from the scanner
> group or perform other action to make the scanner devices accessible or
> inaccessible to particular users.
> 
> It is not spice's job to 'correct' or 'homogenize' permissions between
> policykit and device nodes. If the device is accessible it should be
> redirected. If it's inaccessible it cannot be redirected. Policykit
> helper is just another means to access the device.
> 

What do I do to get this fixed?

Thanks

Michal
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]