[Spice-devel] usbredir and rights management

Frédéric Grelot fredericg_99 at yahoo.fr
Wed Feb 8 04:25:42 PST 2012


Hi Hans,

Would it be possible to restrict this root helper to make it executable by any user of a specific group without forcing them to give the root password?
I would think of something like
helper (suid root) -> check user group -> opens up the device give and filter command to ensure that they are compliant with a "normal" access by spice client
Anyway, I think that if the user plugs something into a USB port, it is quite logical to grant him "everything" on that device: after all, if he has admin rights inside the guest, spice cannot prevent anything...
So the above would be:
helper (suid root) -> if a new device is plugged, open it, give every access to the "current" user -> give it to spice client (or transmit commands)

How does the desktop handle USB devices, by the way: if I plug in a USB key, what rights do I have on it? Is there some kind of filter on the commands I can issue?

Anyway, I think it is sad to require a root password for USB pass-through since it will block lots of use cases: think about any "managed" environment where the users have minimal rights on their PCs, but can still plug in USB keys, webcams, smartphones, or even some more exotic devices (USB-serial converters, authentication dongles for professional software...)

At least, if I get it right, the USB storage case should be dealt with by a special layer working at filesystem level. This is a very good option for this case (probably much faster, and it provides good access control), but won't solve the problem of smartphones and dongles (I can't think of more important devices that the "normal" user could plug in, but those two look good...).

There must be a solution to this...

Frederic.

PS : By the way, GSoC is open, maybe this would make a good subject? What do you think? You could even propose (independently) USB right management and USB storage pass-through for example?


----- Original message -----
> Hi,
> 
> On 02/07/2012 09:40 PM, Dominique Rodrigues wrote:
> > Hi,
> >
> > I have compiled spice-gtk (version 0.9) to support usbredir
> > (version 3.3 compiled and installed) on 2 types of OS: Mageia and
> > Debian (wheezy).
> >
> > It appears that usb redirection involves root in different ways for
> > these OSes. For Mageia, you have to give the root password to access
> > USB drives in a virtual machine,
> 
> Yes, this is expected behavior; redirecting usb devices requires
> direct/raw access to the usb device. If we were
> to open up the usb device nodes far enough that this would work
> without requiring root rights, any user
> could do *anything* to *any* usb device, which seems a very poor
> default.
> 
> So we have a suid root helper which opens up the usb devices for
> spice-gtk based clients, after it has
> gotten permission to do so from policykit. You can change the policy
> so that a root password is no
> longer required, see: http://hansdegoede.livejournal.com/11936.html
> Note that if you change the policy away from needing admin rights,
> then once more any user can do
> *anything* to *any* usb device!
> 
> > while in Debian root does not give any possibility (access is not
> > allowed).
> 
> Then your spice-gtk is likely compiled without policykit support,
> re-run ./configure
> and check its output, you are likely missing some -dev packages
> needed for the acl helper.
> 
> Regards,
> 
> Hans