[Spice-devel] usbredir and rights management
Hans de Goede
hdegoede at redhat.com
Wed Feb 8 07:03:54 PST 2012
On 02/08/2012 03:55 PM, Frédéric Grelot wrote:
>> As mentioned in my original mail, the helper uses PolicyKit to ask
>> permission to redirect the device, it is PolicyKit which asks for the
>> root password, not the helper. In the blog post I linked to are
>> instructions to change the policy so that local (so behind the
>> keyboard of the actual machine) users don't need to enter any
>> password at all.
>> Making these kinds of (security) policy decisions configurable is
>> exactly what PolicyKit is intended for. The root password asking
>> is caused by spice-gtk shipping with what I consider a sane
>> default policy. Changing this is easy.
> Sorry, I didn't see the link. It explains a lot.
> Still, I don't know how PolicyKit works (based on policy I imagine?), but it would be a good idea to add a policy allowing newly plugged USB devices (as opposed to devices already present at spice client startup) to be used in a different manner (and the admin can set it to "no password" if he wants to). This would mitigate the issue that you pointed out where "this will give any local users of your machine FULL access to any USB devices plugged in!"
The suid helper is a short-lived process, which gets invoked
after a new device has been plugged in, so it cannot differentiate
between newly plugged in and already present devices. Besides that
plugging in devices requires physical access, what is to stop a user
from unplugging and re-plugging a device he wants to get access to,
thereby making it a newly plugged in device?