[Spice-devel] [PATCH v4] usbredir: fix redirection of user-accessible device nodes.

Michal Suchanek michal.suchanek at ruk.cuni.cz
Mon Jul 20 10:10:20 PDT 2015


Excerpts from Hans de Goede's message of Mon Jul 20 17:46:41 +0200 2015:
> Hi,
> 
> On 20-07-15 11:51, Christophe Fergeau wrote:
> > Hey,
> >
> > Looks good to me now.
> > Hans, would you mind taking a quick look at that
> > patch in case you have objections on the change (if
> > spice_usb_acl_helper_open_acl_finish() fails, try to directly open the
> > device node anyway as it may be user-accessible).
> 
> I do not think that this is the right thing to do, this means e.g.
> that if policykit / the admin explicitly denies redirection, but
> the usb device node happens to be opened up (which happens with
> e.g. scanners), then we will still redirect, this seems wrong to me.
> 
> Instead Michal should fixup his policykit so that the helper works
> for him.

Hello,

this policykit thing is spice-specific, AFAIK.

The standard way to set up permissions which works with anything that
accesses USB devices is udev rules.

I set up udev rules to access these devices and I cannot redirect them.

In fact, if the Debian maintainers had not compiled in support for policykit,
I could redirect the devices which I can access.

So effectively, compiling in support for policykit denies redirection of
perfectly accessible devices, which is in my view wrong.

If your scanner devices happen to be accessible to you (probably because
you are a member of the scanner group), then you can access those devices
with any random software and should be able to redirect them with spice.

It's the system administrator's job to add and remove users from the scanner
group or perform other actions to make the scanner devices accessible or
inaccessible to particular users.

It is not spice's job to 'correct' or 'homogenize' permissions between
policykit and device nodes. If the device is accessible, it should be
redirected. If it's inaccessible, it cannot be redirected. The policykit
helper is just another means to access the device.

Thanks

Michal