[Spice-devel] usbredir and rights management
Frédéric Grelot
fredericg_99 at yahoo.fr
Wed Feb 8 06:55:26 PST 2012
>
> As mentioned in my original mail, the helper uses PolicyKit to ask
> for
> permission to redirect the device, it is PolicyKit which asks for the
> root password, not the helper. In the blog post I linked to are
> instructions to change the policy so that local (so behind the
> keyboard of the actual machine) users don't need to enter any
> password at all.
>
> Making these kind of (security) policy decisions configurable is
> exactly what PolicyKit is intended for. The root password asking
> is caused by spice-gtk shipping with what I consider is a sane
> default policy. Changing this is easy.
>
Sorry, I didn't see the link. It explains a lot.
Still, I don't know how PolicyKit works (based on policy I imagine?), but it would be a good idea to add a policy allowing newly plugged USB devices (as opposed to devices already present at spice client startup) to be used in a different manner (and the admin can set it to "no password" if he wants to). This would mitigate the issue that you pointed out where "this will give any local users of your machine FULL access to any USB devices plugged in!"
Frederic.
> Regards,
>
> Hans
>
More information about the Spice-devel
mailing list