Bug 1257145

Summary: Test case failure: /CoreOS/udev/Security/bz174845-CVE-2005-3631-dev_input-incorrect-permissions
Product: Red Hat Enterprise Linux 7
Reporter: Karel Volný <kvolny>
Component: systemd
Assignee: systemd-maint
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: harald, lnykryn, systemd-maint-list, udev-maint-list
Target Milestone: rc
Keywords: Regression, Reopened
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-10-07 14:12:33 UTC
Type: Bug

Description Karel Volný 2015-08-26 11:07:58 UTC
Filed from caserun https://tcms.engineering.redhat.com/run/257964/#caserun_10670108

Version-Release number of selected component (if applicable):
RHEL-7.2-20150820.0

Steps to Reproduce: 
run /CoreOS/udev/Security/bz174845-CVE-2005-3631-dev_input-incorrect-permissions


Actual results: 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test permissions
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   FAIL   ] :: Are the perms of /dev/input//by-path/platform-i8042-serio-0-event-kbd target equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//by-path/platform-i8042-serio-0-event-kbd target equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//by-path/platform-i8042-serio-0-event-kbd target equal to root? (Assert: 'input' should equal 'root')
:: [   FAIL   ] :: Are the perms of /dev/input//by-path/platform-i8042-serio-1-event-mouse target equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//by-path/platform-i8042-serio-1-event-mouse target equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//by-path/platform-i8042-serio-1-event-mouse target equal to root? (Assert: 'input' should equal 'root')
:: [   FAIL   ] :: Are the perms of /dev/input//by-path/platform-i8042-serio-1-mouse target equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//by-path/platform-i8042-serio-1-mouse target equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//by-path/platform-i8042-serio-1-mouse target equal to root? (Assert: 'input' should equal 'root')
:: [   FAIL   ] :: Are the perms of /dev/input//by-path/platform-pcspkr-event-spkr target equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//by-path/platform-pcspkr-event-spkr target equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//by-path/platform-pcspkr-event-spkr target equal to root? (Assert: 'input' should equal 'root')
:: [   FAIL   ] :: Are the perms of /dev/input//event0 equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//event0 equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//event0 equal to root? (Assert: 'input' should equal 'root')
:: [   FAIL   ] :: Are the perms of /dev/input//event1 equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//event1 equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//event1 equal to root? (Assert: 'input' should equal 'root')
:: [   FAIL   ] :: Are the perms of /dev/input//event2 equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//event2 equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//event2 equal to root? (Assert: 'input' should equal 'root')
:: [   FAIL   ] :: Are the perms of /dev/input//event3 equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//event3 equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//event3 equal to root? (Assert: 'input' should equal 'root')
:: [   FAIL   ] :: Are the perms of /dev/input//mice equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//mice equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//mice equal to root? (Assert: 'input' should equal 'root')
:: [   FAIL   ] :: Are the perms of /dev/input//mouse0 equal to 600? (Assert: '660' should equal '600')
:: [   PASS   ] :: Is the user of /dev/input//mouse0 equal to root? (Assert: 'root' should equal 'root')
:: [   FAIL   ] :: Is the group of /dev/input//mouse0 equal to root? (Assert: 'input' should equal 'root')
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 10 good, 20 bad
:: [   FAIL   ] :: RESULT: Test permissions


Expected results:
the permissions should be 600, as per discussion in bug 1072324

Comment 3 Harald Hoyer 2015-08-26 13:10:10 UTC
Due to the systemd rebase we now have a newer systemd, which has group "input" assigned to /dev/input/* and thus permission 0660.

This follows the systemd upstream behaviour and is the same on newer Fedora.

Comment 4 Lukáš Nykrýn 2015-09-01 08:04:10 UTC
As Harald mentioned, this is expected behavior.

Comment 5 Karel Volný 2015-10-07 13:22:25 UTC
(In reply to Harald Hoyer from comment #3)
> Due to the systemd rebase we now have a newer systemd, which has
> group "input" assigned to /dev/input/* and thus permission 0660.

this is a change of behaviour within the scope of one major release of RHEL

I believe it deserves better explanation than "due to systemd", especially considering the fact that it had already been decided to set the permissions in some different way in the past - what has changed so that the previous decision is now wrong?

if nothing else, this has to be documented

Comment 6 Lukáš Nykrýn 2015-10-07 13:47:51 UTC
> if nothing else, this has to be documented

It is.

https://access.redhat.com/articles/1611383

A new system group "input" has been introduced, and all input device nodes get this group assigned. This enables for system-level software to get access to input devices and complements what is already provided for "audio" and "video".
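
The owner/group/mode check from the test log, adapted to the policy stated in comments 3 and 6 (owner root, group root or input, no access for other), as an added example that is not part of this bug report or the original test case. The function names check_node and audit_dir and the accepted-group list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug or the test suite). Policy assumed from
# comments 3 and 6: owner root, group root or input, no bits for "other".

# check_node MODE OWNER GROUP: prints a verdict, returns 0 only for "ok".
# MODE is the octal string from `stat -c %a`, e.g. 660.
check_node() {
    case $1 in
        ''|*[!0-7]*) echo "bad-mode"; return 2 ;;
    esac
    if [ "$2" != root ]; then echo "owner-not-root"; return 1; fi
    case $3 in
        root|input) ;;
        *) echo "unexpected-group"; return 1 ;;
    esac
    # The last octal digit is the "other" class; any bit there opens the
    # device to every local user.
    case $1 in
        *[1-7]) echo "other-access"; return 1 ;;
    esac
    echo "ok"
}

# audit_dir [DIR]: prints one FAIL line per offending character device and
# returns 1 if any was found. find -L / stat -L follow the by-path symlinks
# to their targets. Uses GNU stat (-c), as shipped on RHEL.
audit_dir() {
    [ -d "${1:-/dev/input}" ] || { echo "no such directory" >&2; return 2; }
    find -L "${1:-/dev/input}" -type c \
        -exec stat -L -c '%a %U %G %n' {} + 2>/dev/null |
    (
        rc=0
        while read -r mode owner group path; do
            verdict=$(check_node "$mode" "$owner" "$group") || {
                echo "FAIL $path: $verdict ($mode $owner:$group)"
                rc=1
            }
        done
        exit "$rc"
    )
}

# Constructed samples: the two states seen in this bug plus two bad ones.
for sample in "600 root root" "660 root input" "666 root input" "660 root users"; do
    printf '%s -> %s\n' "$sample" "$(check_node $sample)"
done
```

On a live system, `audit_dir /dev/input` walks the real device nodes; both the pre-rebase state (600 root:root) and the post-rebase state (660 root:input) pass, while any node with access for other, or with an unexpected owner or group, is reported.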

Comment 7 Karel Volný 2015-10-13 15:37:52 UTC
(In reply to Lukáš Nykrýn from comment #6)
> > if nothing else, this has to be documented
> 
> It is.
> 
> https://access.redhat.com/articles/1611383

ah, ok, thanks

once upon a time, there used to be such info in Doc text in Bugzilla ...

*** This bug has been marked as a duplicate of bug 1199644 ***