Web lists-archives.com

Re: lircd daemon as regular user => device access problems





Le 11 février 2017 11:46:14 GMT+01:00, Alec Leamas <leamas.alec@xxxxxxxxx> a écrit :
>
>
>On 11/02/17 10:29, Bastien Roucaries wrote:
>> Le 10 février 2017 16:13:15 GMT+01:00, Alec Leamas
><leamas.alec@xxxxxxxxx> a écrit :
>>> Dear list,
>[cut]
>>> Proposed /dev/ permissions after installing lirc:
>>>
>>> - The /dev/lirc? devices are set user:group  lirc:lirc and mode 660
>>> (udev rule).
>>> - The lirc user is added to the input group, to access /dev/input
>>> devices.
>>> - The lirc user is added to the dialout group to access /dev/ttyS
>>> devices.
>>> - The /var/lock dir is root:root 755 in my stretch box but this is
>>> seemingly #813703; assuming this will be fixed to 1777.
>>> - lirc user gets read access to all USB character devices using a
>udev
>>> rule invoking facl(1).
>>>
>>> I know that getting permission is harder than to be forgiven, but
>>> perhaps it makes sense to have a discussion first?
>>>
>>> The possibly controversial issue is the USB devices. However,
>without
>>> this rule a large part of lirc users will be forced to painful udev
>>> rules configuration
>>
>>
>> Can we list USB device needed (whitelist) ?
>
>I don't think so. The number of devices used by lircd is large, and the
>
>USB ids are not always well-defined...

>
>It might be possible to whitelist "most" devices, leaving it up to
>users 
>of "uncommon" devices to fix it on their own. More work for both
>package 
>maintainers and users, although more safe...

>
>Personally I don't think read access to character devices should be
>that 
>sensitive. The most obvious concern are hardware login dongles. Of 
>those, most seems to be mass storage devices; these are *not* covered
>by 
>the udev rule. Neither is yubikey devices.

Last time braille stuff break (brick) a FPGA device with a jtag adaptator (serial to jtag). So i really dislike package that bind to all char device.

Btw if you do this you need a break on braille stuff...

Could we have both ?
A whitelist of well know device ans a package (suggested) lirc-usb that catch all... If you need lirc-usb please film a bug ?

Thanks

Bastien

>Also, whatever risks there are we are already taking them when running 
>lircd as root.
>
>
>--alec

-- 
Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté.