Bug 1370782

Summary: World writable /dev/ttyUSB* and /dev/ttyACM* with 3dprinter-udev-rules
Product: [Fedora] Fedora Reporter: Doncho Gunchev <dgunchev>
Component: 3dprinter-udev-rulesAssignee: Miro Hrončok <mhroncok>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: mhroncok
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3dprinter-udev-rules-0.2-1.fc25 3dprinter-udev-rules-0.2-1.fc23.1 3dprinter-udev-rules-0.2-1.fc24 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-17 19:19:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Doncho Gunchev 2016-08-27 09:11:44 UTC
Description of problem:
With file mode of 666 any user (even nobody) can write to a character device (say SeLinux is permissive/disabled). I was quite surprised Fedora took such insecure path after upgrading from 22 to 24. The dialout (or any other group) with mode 660 looks way better.

Version-Release number of selected component (if applicable):
any

How reproducible:
always


Steps to Reproduce:
1. Install/upgrade to Fedora 24


Actual results:
/dev/ttyUSB* and /dev/ttyACM* have file mode 0666.


Expected results:
/dev/ttyUSB* and /dev/ttyACM* have file mode 0660 and special group.


Additional info:
Removing the package also removes cura, plater, etc...
One has to either override or edit /usr/lib/udev/rules.d/66-3dprinter.rules.

Comment 1 Miro Hrončok 2016-08-27 09:40:00 UTC
You say this is insecure when you install Fedora? It is designed to be "insecure" once you have that package.

If you have a proper fix for this in mind, please suggest. The reason for this package was that the users will not have to add themselves to the dialout group.

Also, how dangerous this exactly is? I have no idea, so if you provide an example of an actual damage that could be done, I might reconsider this approach and go back to how it was before.

There is new approach being designed at https://github.com/hroncok/3dprinter-udev-rules/blob/master/66-3dprinter.rules but we are not sure if we have enough data to ship it.

Comment 2 Doncho Gunchev 2016-08-27 12:52:49 UTC
I checked checked the 'uaccess' tag - it is good for desktop users.

The problem is that you can not have cura, CuraEngine, plater, printrun, etc..., etc... without this package. CuraEngine is command line application, not a desktop one.

What was the problem with a prompt "Do you want to be added to group 'dialout' to access..." (no idea what the text was exactly", clicking yes, entering a password and logout/login?

Anyways, the current solution scares me, how secure will the next RHEL be? My BusPirate udev file is:
--- cut ---
# Rules for BusPirate
SUBSYSTEM!="usb", ACTION!="add", GOTO="buspirate_end"

ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", MODE="0660", GROUP="dgunchev", KERNEL=="ttyUSB*", SYMLINK+="BusPirate%n"
ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", ENV{ID_MM_DEVICE_IGNORE}="1"

LABEL="buspirate_end"
--- cut ---
however, I updated to Fedora 24 and now everyone can control it. Other devices that got world exposed are my OBD adapter and my phone.

I was thinking what about two packages both providing '3dprinter-udev-rules' (serial-port-user-access to be more precise, ttyUSB* and ttyACM* is 3d printers, scanners, cutters, arduinos, OBD dongles, modems, phones...) but conflicting with each other allowing for two approaches - desktop and server, but have no idea how to install one of the above by default and so on. Maybe with alternatives? Or just another 'secure-3dprinter-udev-rules' that adopts the fedora 22's approach?

Comment 3 Miro Hrončok 2016-08-27 13:20:43 UTC
(In reply to Doncho N. Gunchev from comment #2)
> I checked checked the 'uaccess' tag - it is good for desktop users.
> 
> The problem is that you can not have cura, CuraEngine, plater, printrun,
> etc..., etc... without this package. CuraEngine is command line application,
> not a desktop one.

You should be able to have CuraEngine just fine without this package.

> What was the problem with a prompt "Do you want to be added to group
> 'dialout' to access..." (no idea what the text was exactly", clicking yes,
> entering a password and logout/login?

That it would have to be patch-added to all the apps? If you implement it in all the apps, we can drop this package.

    $ dnf repoquery --whatrequires 3dprinter-udev-rules --releasever 24
    RepetierHost-0:0.90D-7.fc24.noarch
    cura-0:15.04.4-3.fc24.noarch
    cura-lulzbot-0:19.12-1.fc24.noarch
    pronsole-0:2015.03.10-4.fc24.noarch
    pronterface-0:2015.03.10-4.fc24.noarch
    repsnapper-0:2.3.2-0.10.a5.fc24.x86_64

> Anyways, the current solution scares me, how secure will the next RHEL be?

Well, this is not intended to be in RHEL, so the question is irrelevant.

> My BusPirate udev file is:
> --- cut ---
> # Rules for BusPirate
> SUBSYSTEM!="usb", ACTION!="add", GOTO="buspirate_end"
> 
> ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", MODE="0660",
> GROUP="dgunchev", KERNEL=="ttyUSB*", SYMLINK+="BusPirate%n"
> ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001",
> ENV{ID_MM_DEVICE_IGNORE}="1"
> 
> LABEL="buspirate_end"
> --- cut ---
> however, I updated to Fedora 24 and now everyone can control it. Other
> devices that got world exposed are my OBD adapter and my phone.

I see.

> I was thinking what about two packages both providing '3dprinter-udev-rules'
> (serial-port-user-access to be more precise, ttyUSB* and ttyACM* is 3d
> printers, scanners, cutters, arduinos, OBD dongles, modems, phones...) but
> conflicting with each other allowing for two approaches - desktop and
> server, but have no idea how to install one of the above by default and so
> on. Maybe with alternatives? Or just another 'secure-3dprinter-udev-rules'
> that adopts the fedora 22's approach?

We can make the package different on Workstation and Server. But I'm not sure if it's worth it.
Someone will say its insecure on Workstation.

I think we should release new version of this package based on https://github.com/hroncok/3dprinter-udev-rules/blob/master/66-3dprinter.rules

Would that solve the problem for you?

(BTW I will be gone for next couple of days, but will continue to work on this later on...)

Comment 4 Fedora Update System 2016-09-08 11:35:50 UTC
3dprinter-udev-rules-0.2-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a9a3b1c70a

Comment 5 Fedora Update System 2016-09-08 11:36:44 UTC
3dprinter-udev-rules-0.2-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5b761a2cd2

Comment 6 Fedora Update System 2016-09-08 11:37:10 UTC
3dprinter-udev-rules-0.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c8925abeb6

Comment 7 Fedora Update System 2016-09-08 11:56:53 UTC
3dprinter-udev-rules-0.2-1.fc23.1 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-88015ac54d

Comment 8 Fedora Update System 2016-09-09 06:25:03 UTC
3dprinter-udev-rules-0.2-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a9a3b1c70a

Comment 9 Fedora Update System 2016-09-09 17:57:12 UTC
3dprinter-udev-rules-0.2-1.fc23.1 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-88015ac54d

Comment 10 Fedora Update System 2016-09-12 13:17:58 UTC
3dprinter-udev-rules-0.2-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-09-12 15:27:53 UTC
3dprinter-udev-rules-0.2-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5b761a2cd2

Comment 12 Fedora Update System 2016-09-17 19:19:16 UTC
3dprinter-udev-rules-0.2-1.fc23.1 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-09-22 00:25:11 UTC
3dprinter-udev-rules-0.2-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Doncho Gunchev 2016-10-11 15:33:22 UTC
Thank you very much!

Sorry I could not check earlier, had to go to a country with censored Internet...