[Spice-devel] [PATCH v4] usbredir: fix redirection of user-accessible device nodes.

Michal Suchanek michal.suchanek at ruk.cuni.cz
Fri Jul 31 05:40:17 PDT 2015


Hello,

Excerpts from Michal Suchanek's message of Mon Jul 20 19:10:20 +0200 2015:
> Excerpts from Hans de Goede's message of Mon Jul 20 17:46:41 +0200 2015:
> > Hi,
> > 
> > On 20-07-15 11:51, Christophe Fergeau wrote:
> > > Hey,
> > >
> > > Looks good to me now.
> > > Hans, would you mind taking a quick look at that
> > > patch in case you have objections on the change (if
> > > spice_usb_acl_helper_open_acl_finish() fails, try to directly open the
> > > device node anyway as it may be user-accessible).
> > 
> > I do not think that this is the right thing to do, this means e.g.
> > that if policykit / the admin explicitly denies redirection, but
> > the usb device node happens to be opened up (which happens with
> > e.g. scanners), then we will still redirect, this seems wrong to me.
> > 
> > Instead Michal should fixup his policykit so that the helper works
> > for him.
> 
> Hello,
> 
> this policykit thing is spice-specific afaik.
> 
> The standard way to set up permissions which works with anything that
> accesses USB devices is udev rules.
> 
> I set up udev rules to access these devices and I cannot redirect them.
> 
> In fact if Debian maintainers did not compile in support for policykit
> I could redirect the devices which I can access.
> 
> So effectively compiling in support for policykit denies redirection of
> perfectly accessible devices which is in my view wrong.
> 
> If your scanner devices happen to be accessible to you (probably because
> you are a member of the scanner group) then you can access those devices
> with any random software and should be able to redirect them with spice.
> 
> It's the system administrator's job to add and remove users from the scanner
> group or perform other actions to make the scanner devices accessible or
> inaccessible to particular users.
> 
> It is not spice's job to 'correct' or 'homogenize' permissions between
> policykit and device nodes. If the device is accessible it should be
> redirected. If it's inaccessible it cannot be redirected. Policykit
> helper is just another means to access the device.
> 

What do I do to get this fixed?

Thanks

Michal

