[Spice-devel] [PATCH spice-gtk] acl-helper policykit policy: Allow redir by default for console users
Christophe Fergeau
cfergeau at redhat.com
Fri Dec 21 01:15:43 PST 2012
Looks good, ACK
Christophe
On Thu, Dec 20, 2012 at 10:01:12PM +0100, Hans de Goede wrote:
> This makes usb-redir a lot more user-friendly to use. This has been
> discussed with the security team and they are ok with it, rationale:
>
> Since we only set <allow_active> to yes, we only give raw usb access
> to users *physically present behind the machine*. This is ok since
> they already have full control over usb devices anyways, they can
> always just unplug the device and put it in a user controlled machine.
>
> This follows how we already grant a great deal of access to users
> *physically present behind the machine* including dangerous things like
> /dev/sg access for cd/dvd writers. And raw usb access to all devices which
> happen to have a userspace driver rather than an in-kernel driver.
>
> Also the opening up is limited compared to the existing opening up of
> other devices listed above in that:
>
> 1) It will only happen on machines which have spice-glib installed
> 2) We are not opening up the device nodes rights automatically, as a udev rule
> would do. So there is no chance that any random app can start (accidentally)
> poking the devices.
>
> Signed-off-by: Hans de Goede <hdegoede at redhat.com>
> ---
> data/org.spice-space.lowlevelusbaccess.policy | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/data/org.spice-space.lowlevelusbaccess.policy b/data/org.spice-space.lowlevelusbaccess.policy
> index 170f5ff..535ee31 100644
> --- a/data/org.spice-space.lowlevelusbaccess.policy
> +++ b/data/org.spice-space.lowlevelusbaccess.policy
> @@ -13,7 +13,7 @@
> <message>Privileges are required for low level USB device access (for usb device pass through).</message>
> <defaults>
> <allow_inactive>no</allow_inactive>
> - <allow_active>auth_admin_keep</allow_active>
> + <allow_active>yes</allow_active>
> </defaults>
> </action>
>
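Review bot: in the `<defaults>` block, the new `<allow_active>yes</allow_active>` sits beside only `<allow_inactive>no</allow_inactive>`, and there is no `<allow_any>` element between `<defaults>` and `</defaults>`, so what clients that are not in a local session get depends on polkit's implicit default rather than on this file. I'd add `<allow_any>no</allow_any>` explicitly so the "physically present users only" scope from the commit message is stated in the policy itself. The `<message>` string still says "Privileges are required for low level USB device access", which was written for the `auth_admin_keep` prompt; worth checking it still reads correctly now that neither value in this block leads to a prompt. A short XML comment next to `<allow_active>` recording the console-user rationale would also help whoever audits this file later.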
> --
> 1.8.0.2