[Spice-devel] usbredir and rights management

Frédéric Grelot fredericg_99 at yahoo.fr
Wed Feb 8 07:13:03 PST 2012


> The suid helper is a short-lived process, which gets invoked
> after a new device has been plugged in, so it cannot differentiate
> between newly plugged in and already present devices. Besides that
> plugging in devices requires physical access, what is to stop a user
> from unplugging and re-plugging a device he wants to get access to,
> thereby making it a newly plugged in device?

That's a good point :-)
In my mind, "already present devices" represent internal USB devices, like internal hubs, fingerprint reader, internal webcam, or, in my laptop, the integrated "trusted platform processor". I'm not an expert, but I can't see any disadvantage in disabling access to all these devices : they are not necessary, and the more you restrict, the less harm the user will be able to do.
In the last case (Trusted Platform Processor), maybe giving all access to the device would allow some form of attack, which would be harder with the above-mentionned option. Maybe the filter can cover this option, but the "block by default, authorize only new devices" solution look more secure/flexible to me.

Frederic.

> 
> Regards,
> 
> Hans
> 


More information about the Spice-devel mailing list