[Spice-devel] usbredir and rights management

[Hans de Goede]

Hi,

On 02/08/2012 01:25 PM, Frédéric Grelot wrote:
> Hi Hans,
>
> Would it be possible to restrict this root helper to make it executable by any users of a specific group without forcing them to give the root password?
> I would think of something like
> helper (suid root) ->  check user group ->  opens up the device give and filter command to ensure that they are compliant with a "normal" access by spice client
> Anyway, I think that if the user plugs something into an USB port, it is quite logical to grant him "everything" on that device : after all, if he has admin rights inside the guest, spice cannot prevent anything...
> so the above would be :
> helper (suid root) ->  if a new device is plugged, open it, give every access to the "current" user ->  give it to spice client (or transmit commands)
>
> How does the desktop handle USB devices by the way : if I plug a USB key, what rights do I have on it? Is there some kind of filter about the commands I can issue?
>
> Anyway, I think it is sad to require a root password for USB pass-through since it will block lots of use cases : think about any "managed" environment where the user have minimal rights on their PCs, but can still plug USB keys, webcams, smartphones, or even some more exotic devices (USB-serial converters, authentication dongle for a professional software...)

As mentioned in my original mail, the helper uses PolicyKit to ask for
permission to redirect the device, it is PolicyKit which asks for the
root password, not the helper. In the blog post I linked to are
instructions to change the policy so that local (so behind the
keyboard of the actual machine) users don't need to enter any
password at all.

Making these kind of (security) policy decisions configurable is
exactly what PolicyKit is intended for. The root password asking
is caused by spice-gtk shipping with what I consider is a sane
default policy. Changing this is easy.

Regards,

Hans