Web lists-archives.com

Re: lircd daemon as regular user => device access problems






On 11/02/17 10:29, Bastien Roucaries wrote:
Le 10 février 2017 16:13:15 GMT+01:00, Alec Leamas <leamas.alec@xxxxxxxxx> a écrit :
Dear list,
[cut]
Proposed /dev/ permissions after installing lirc:

- The /dev/lirc? devices are set user:group  lirc:lirc and mode 660
(udev rule).
- The lirc user is added to the input group, to access /dev/input
devices.
- The lirc user is added to the dialout group to access /dev/ttyS
devices.
- The /var/lock dir is root:root 755 in my stretch box but this is
seemingly #813703; assuming this will be fixed to 1777.
- lirc user gets read access to all USB character devices using a udev
rule invoking facl(1).

I know that getting permission is harder than to be forgiven, but
perhaps it makes sense to have a discussion first?

The possibly controversial issue is the USB devices. However, without
this rule a large part of lirc users will be forced to painful udev
rules configuration


Can we list USB device needed (whitelist) ?

I don't think so. The number of devices used by lircd is large, and the USB ids are not always well-defined...

It might be possible to whitelist "most" devices, leaving it up to users of "uncommon" devices to fix it on their own. More work for both package maintainers and users, although more safe...

Personally I don't think read access to character devices should be that sensitive. The most obvious concern are hardware login dongles. Of those, most seems to be mass storage devices; these are *not* covered by the udev rule. Neither is yubikey devices.

Also, whatever risks there are we are already taking them when running lircd as root.


--alec