Bug 1370782 - World writable /dev/ttyUSB* and /dev/ttyACM* with 3dprinter-udev-rules
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: 3dprinter-udev-rules
Version: 24
Hardware: All
OS: Linux
Assignee: Miro Hrončok
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-08-27 09:11 UTC by Doncho Gunchev
Modified: 2016-10-11 15:33 UTC (History)

Fixed In Version: 3dprinter-udev-rules-0.2-1.fc25 3dprinter-udev-rules-0.2-1.fc23.1 3dprinter-udev-rules-0.2-1.fc24
Last Closed: 2016-09-17 19:19:19 UTC
Type: Bug

Description Doncho Gunchev 2016-08-27 09:11:44 UTC
Description of problem:
With a file mode of 666, any user (even nobody) can write to a character device (say SELinux is permissive/disabled). I was quite surprised Fedora took such an insecure path after upgrading from 22 to 24. The dialout (or any other group) with mode 660 looks way better.

Version-Release number of selected component (if applicable):
any

How reproducible:
always


Steps to Reproduce:
1. Install/upgrade to Fedora 24


Actual results:
/dev/ttyUSB* and /dev/ttyACM* have file mode 0666.


Expected results:
/dev/ttyUSB* and /dev/ttyACM* have file mode 0660 and a special group.


Additional info:
Removing the package also removes cura, plater, etc...
One has to either override or edit /usr/lib/udev/rules.d/66-3dprinter.rules.

Comment 1 Miro Hrončok 2016-08-27 09:40:00 UTC
You say this is insecure when you install Fedora? It is designed to be "insecure" once you have that package.

If you have a proper fix for this in mind, please suggest. The reason for this package was that the users will not have to add themselves to the dialout group.

Also, how dangerous exactly is this? I have no idea, so if you provide an example of actual damage that could be done, I might reconsider this approach and go back to how it was before.

There is a new approach being designed at https://github.com/hroncok/3dprinter-udev-rules/blob/master/66-3dprinter.rules but we are not sure if we have enough data to ship it.

Comment 2 Doncho Gunchev 2016-08-27 12:52:49 UTC
I checked the 'uaccess' tag - it is good for desktop users.

The problem is that you cannot have cura, CuraEngine, plater, printrun, etc..., etc... without this package. CuraEngine is a command-line application, not a desktop one.

What was the problem with a prompt "Do you want to be added to group 'dialout' to access..." (no idea what the text was exactly), clicking yes, entering a password and logout/login?

Anyways, the current solution scares me, how secure will the next RHEL be? My BusPirate udev file is:
--- cut ---
# Rules for BusPirate
SUBSYSTEM!="usb", ACTION!="add", GOTO="buspirate_end"

ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", MODE="0660", GROUP="dgunchev", KERNEL=="ttyUSB*", SYMLINK+="BusPirate%n"
ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", ENV{ID_MM_DEVICE_IGNORE}="1"

LABEL="buspirate_end"
--- cut ---
However, I updated to Fedora 24 and now everyone can control it. Other devices that got world-exposed are my OBD adapter and my phone.

I was thinking what about two packages both providing '3dprinter-udev-rules' (serial-port-user-access to be more precise, ttyUSB* and ttyACM* are 3D printers, scanners, cutters, Arduinos, OBD dongles, modems, phones...) but conflicting with each other, allowing for two approaches - desktop and server, but I have no idea how to install one of the above by default and so on. Maybe with alternatives? Or just another 'secure-3dprinter-udev-rules' that adopts Fedora 22's approach?

Comment 3 Miro Hrončok 2016-08-27 13:20:43 UTC
(In reply to Doncho N. Gunchev from comment #2)
> I checked the 'uaccess' tag - it is good for desktop users.
> 
> The problem is that you can not have cura, CuraEngine, plater, printrun,
> etc..., etc... without this package. CuraEngine is command line application,
> not a desktop one.

You should be able to have CuraEngine just fine without this package.

> What was the problem with a prompt "Do you want to be added to group
> 'dialout' to access..." (no idea what the text was exactly), clicking yes,
> entering a password and logout/login?

That it would have to be patch-added to all the apps? If you implement it in all the apps, we can drop this package.

    $ dnf repoquery --whatrequires 3dprinter-udev-rules --releasever 24
    RepetierHost-0:0.90D-7.fc24.noarch
    cura-0:15.04.4-3.fc24.noarch
    cura-lulzbot-0:19.12-1.fc24.noarch
    pronsole-0:2015.03.10-4.fc24.noarch
    pronterface-0:2015.03.10-4.fc24.noarch
    repsnapper-0:2.3.2-0.10.a5.fc24.x86_64

> Anyways, the current solution scares me, how secure will the next RHEL be?

Well, this is not intended to be in RHEL, so the question is irrelevant.

> My BusPirate udev file is:
> --- cut ---
> # Rules for BusPirate
> SUBSYSTEM!="usb", ACTION!="add", GOTO="buspirate_end"
> 
> ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", MODE="0660",
> GROUP="dgunchev", KERNEL=="ttyUSB*", SYMLINK+="BusPirate%n"
> ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001",
> ENV{ID_MM_DEVICE_IGNORE}="1"
> 
> LABEL="buspirate_end"
> --- cut ---
> however, I updated to Fedora 24 and now everyone can control it. Other
> devices that got world exposed are my OBD adapter and my phone.

I see.

> I was thinking what about two packages both providing '3dprinter-udev-rules'
> (serial-port-user-access to be more precise, ttyUSB* and ttyACM* are 3D
> printers, scanners, cutters, Arduinos, OBD dongles, modems, phones...) but
> conflicting with each other, allowing for two approaches - desktop and
> server, but I have no idea how to install one of the above by default and so
> on. Maybe with alternatives? Or just another 'secure-3dprinter-udev-rules'
> that adopts Fedora 22's approach?

We can make the package different on Workstation and Server. But I'm not sure if it's worth it.
Someone will say it's insecure on Workstation.

I think we should release a new version of this package based on https://github.com/hroncok/3dprinter-udev-rules/blob/master/66-3dprinter.rules

Would that solve the problem for you?

(BTW I will be gone for the next couple of days, but will continue to work on this later on...)
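
Added example (not part of the bug report or of the package): a small Python audit that classifies udev rules by the three access models discussed in this thread, namely a world-writable MODE, MODE with a GROUP, and the 'uaccess' tag. The sample rules are constructed for illustration, except the BusPirate rule taken from comment 2; they are not the contents of 66-3dprinter.rules, and the function names are this example's own.

```python
import re

# One udev token: KEY or KEY{attr}, an operator, then a quoted value.
PAIR = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

# Constructed sample, NOT the contents of 66-3dprinter.rules. The third rule
# is the BusPirate rule quoted in comment 2; the last one is hypothetical.
SAMPLE = r'''
# serial adapters
KERNEL=="ttyUSB*", MODE="0666"
KERNEL=="ttyACM*", \
    MODE="0666"
ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", MODE="0660", GROUP="dgunchev", KERNEL=="ttyUSB*", SYMLINK+="BusPirate%n"
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", TAG+="uaccess"
'''

def logical_lines(text):
    """Yield rules with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.rstrip()

def audit(text):
    """Return (verdict, rule) for each rule that sets MODE or tags uaccess."""
    findings = []
    for rule in logical_lines(text):
        pairs = PAIR.findall(rule)
        assigned = {k: v for k, op, v in pairs if op in ("=", ":=")}
        if "MODE" in assigned:
            try:
                mode = int(assigned["MODE"], 8)
            except ValueError:
                continue  # MODE is not a plain octal literal; skip it
            if mode & 0o002:  # "other" write bit: any local account can write
                findings.append(("world-writable", rule))
            elif "GROUP" in assigned:
                findings.append(("group-restricted", rule))
            else:
                findings.append(("no-world-write", rule))
        elif ("TAG", "+=", "uaccess") in pairs:
            findings.append(("uaccess", rule))
    return findings
```

The audit looks at each rule in isolation; a later rule can still override a MODE assigned with `=`, so confirm the effective permissions on the device node itself.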

Comment 4 Fedora Update System 2016-09-08 11:35:50 UTC
3dprinter-udev-rules-0.2-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a9a3b1c70a

Comment 5 Fedora Update System 2016-09-08 11:36:44 UTC
3dprinter-udev-rules-0.2-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5b761a2cd2

Comment 6 Fedora Update System 2016-09-08 11:37:10 UTC
3dprinter-udev-rules-0.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c8925abeb6

Comment 7 Fedora Update System 2016-09-08 11:56:53 UTC
3dprinter-udev-rules-0.2-1.fc23.1 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-88015ac54d

Comment 8 Fedora Update System 2016-09-09 06:25:03 UTC
3dprinter-udev-rules-0.2-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a9a3b1c70a

Comment 9 Fedora Update System 2016-09-09 17:57:12 UTC
3dprinter-udev-rules-0.2-1.fc23.1 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-88015ac54d

Comment 10 Fedora Update System 2016-09-12 13:17:58 UTC
3dprinter-udev-rules-0.2-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-09-12 15:27:53 UTC
3dprinter-udev-rules-0.2-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5b761a2cd2

Comment 12 Fedora Update System 2016-09-17 19:19:16 UTC
3dprinter-udev-rules-0.2-1.fc23.1 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-09-22 00:25:11 UTC
3dprinter-udev-rules-0.2-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Doncho Gunchev 2016-10-11 15:33:22 UTC
Thank you very much!

Sorry I could not check earlier, had to go to a country with censored Internet...

