Bug 408111 - Suggested additions to hal access control policy
Suggested additions to hal access control policy
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: hal (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: David Zeuthen
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-12-02 17:27 EST by Philippe Troin
Modified: 2013-03-05 22:53 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-09 00:24:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
FDI file to enable all the above. (2.49 KB, text/plain)
2007-12-02 17:29 EST, Philippe Troin
no flags Details
PolicyKit policy file to implement the suggestions. (1.53 KB, text/plain)
2007-12-02 17:30 EST, Philippe Troin
no flags Details

  None (edit)
Description Philippe Troin 2007-12-02 17:27:38 EST
Version-Release number of selected component (if applicable):
hal-0.5.10-1.fc8

The permissions for the following devices are not set for the user logged in at
the console:

 - USB removable devices (/dev/sdX and /dev/sdXN) are not read-writable
   There is a legitimate need for the logged in user to have access to these
nodes (eg. for repartitionning).

 - The Palm Pilot devices (typ. /dev/ttyUSB*) are not set to be writable by the
user.

 - It would be nice to differentiate between different USB storage devices.
   If you plug in a multifunction card reader, you may end up with four extra
devices that all look the same in Nautilus.

  - Using Firewire cameras with dvgrab requires access to /dev/fw0 as well as
the /dev/fwN of the camera itself.  Currently only /dev/fwN is set read-write
for the logged in user.

Phil.
Comment 1 Philippe Troin 2007-12-02 17:29:06 EST
Created attachment 275151 [details]
FDI file to enable all the above.

This FDI files set the properties required to implement these suggestions.
Comment 2 Philippe Troin 2007-12-02 17:30:09 EST
Created attachment 275161 [details]
PolicyKit policy file to implement the suggestions.
Comment 3 Philippe Troin 2007-12-02 17:31:31 EST
To implement these suggestions, drop the attachments at these locations:
/usr/share/hal/fdi/policy/10osvendor/19local.fdi
/usr/share/PolicyKit/policy/local.policy

Phil.
Comment 4 David Zeuthen 2007-12-03 11:24:07 EST
Adding krh as he wrote the Firewire stack

>   - Using Firewire cameras with dvgrab requires access to /dev/fw0 as 
>     well as the /dev/fwN of the camera itself.  Currently only /dev/fwN is
>     set read-write for the logged in user.

What is /dev/fw0? Is that the card? What are the (security) implications of
giving access to this node? One express purpose of the new Firewire stack, IIRC,
was that we could grant access on a per-device basis.

Kristian?

Comment 5 Kristian Høgsberg 2007-12-03 11:43:36 EST
/dev/fw0 is the host controller and access to this device file is required for a
couple of streaming functions.  I don't see a problem in allowing access.

Also:

 - USB removable devices (/dev/sdX and /dev/sdXN) are not read-writable
   There is a legitimate need for the logged in user to have access to these
nodes (eg. for repartitionning).

I don't know about this one, but if we're doing it for usb removable storage, we
should do it for firewire too.
Comment 6 David Zeuthen 2007-12-03 11:45:24 EST
Regarding the other suggestions

(In reply to comment #0)
>  - USB removable devices (/dev/sdX and /dev/sdXN) are not read-writable
>    There is a legitimate need for the logged in user to have access to
>    these nodes (eg. for repartitionning).

Disagree. The partitioning utility just needs to be written in a way such that
it uses a privileged helper can does the work. This one is then locked down via
PolicyKit and exports PK actions like "partition", "create-file-system" etc.

It's way too dangerous to give write access, or even read, access to the device
nodes. Just with read access the user can bypass file system security.

So NAK on this one.

>  - The Palm Pilot devices (typ. /dev/ttyUSB*) are not set to be writable by the
> user.

I thought about adding this.. I see that you match on only what hal detects as
PDA's so I guess this is good. 

Maybe we should just allow access to any serial port that is exposed via USB? Or
maybe that's too dangerous.

>  - It would be nice to differentiate between different USB storage devices.
>    If you plug in a multifunction card reader, you may end up with four extra
> devices that all look the same in Nautilus.

This already works; just send patches to this file

http://gitweb.freedesktop.org/?p=hal-info.git;a=blob;hb=HEAD;f=fdi/information/10freedesktop/10-usb-card-readers.fdi

Comment 7 Philippe Troin 2007-12-03 14:51:07 EST
(In reply to comment #6)
>>  - USB removable devices (/dev/sdX and /dev/sdXN) are not read-writable
>>    There is a legitimate need for the logged in user to have access to
>>    these nodes (eg. for repartitionning).
>
> Disagree. The partitioning utility just needs to be written in a way such that
> it uses a privileged helper can does the work. This one is then locked down via
> PolicyKit and exports PK actions like "partition", "create-file-system" etc.
>
> It's way too dangerous to give write access, or even read, access to the device
> nodes. Just with read access the user can bypass file system security.
> 
> So NAK on this one.

I disagree on this NAK.
There is no filesystem security anyways on removable devices.
I can mount the same device on another system and put anything on the device
filesystem.  That's why we're mounting it noexec,nosuid,nodev anyways.
Making the device node not readable/writable by the use only prevents legitimate
operations without increasing security.

>>  - It would be nice to differentiate between different USB storage devices.
>>    If you plug in a multifunction card reader, you may end up with four extra
>> devices that all look the same in Nautilus.
>
> This already works; just send patches to this file
>
>
http://gitweb.freedesktop.org/?p=hal-info.git;a=blob;hb=HEAD;f=fdi/information/10freedesktop/10-usb-card-readers.fdi

I'm confused about your comment.
Yes, it already works.  The problem I was trying to solve is to put distinctive
icons on these devices.  The stock icons that are set in the fdi file I sent are
icons showing the type of card (as opposed to a generic "hard drive' icon).

Phil.
Comment 8 David Zeuthen 2007-12-03 16:01:01 EST
(In reply to comment #7)
> I disagree on this NAK.
> There is no filesystem security anyways on removable devices.
> I can mount the same device on another system and put anything on the device
> filesystem.  That's why we're mounting it noexec,nosuid,nodev anyways.
> Making the device node not readable/writable by the use only prevents legitimate
> operations without increasing security.

Depends on the context. It's not impossible for me to imagine enterprise and
government setups where they would care about this (a guard wouldn't allow you
to move removable media outside a secure facility). Also things like SarBox.

> I'm confused about your comment.
> Yes, it already works.  The problem I was trying to solve is to put distinctive
> icons on these devices.  The stock icons that are set in the fdi file I sent are
> icons showing the type of card (as opposed to a generic "hard drive' icon).

That's just a problem with your icon theme; works fine already for good old
Bluecurve

 http://people.freedesktop.org/~david/themed-icons.png

Unfortunately the problem here is that the Tango and gnome-icon-theme people
just symlinked the class specific icons

$ ls -l /usr/share/icons/Tango/22x22/devices/gnome-dev-media-cf.png
/usr/share/icons/gnome/22x22/devices/gnome-dev-media-cf.png
lrwxrwxrwx 1 root root 15 2007-09-20 10:19
/usr/share/icons/gnome/22x22/devices/gnome-dev-media-cf.png -> media-flash.png
lrwxrwxrwx 1 root root 15 2007-09-10 07:28
/usr/share/icons/Tango/22x22/devices/gnome-dev-media-cf.png -> media-flash.png

because they thought it was too confusing. Sigh. Go figure. However, for Fedora
9 this will hopefully get fixed as we have icon naming fallback.

So how do we move forward? I'm open for taking the ttyUSB and Firewire stuff.
Sounds good?

     David
Comment 9 Philippe Troin 2007-12-03 17:27:57 EST
(In reply to comment #8)
> (In reply to comment #7)
> > I disagree on this NAK.
> > There is no filesystem security anyways on removable devices.
> > I can mount the same device on another system and put anything on the device
> > filesystem.  That's why we're mounting it noexec,nosuid,nodev anyways.
> > Making the device node not readable/writable by the use only prevents legitimate
> > operations without increasing security.
> 
> Depends on the context. It's not impossible for me to imagine enterprise and
> government setups where they would care about this (a guard wouldn't allow you
> to move removable media outside a secure facility). Also things like SarBox.

This scenario looks quite a stretch, but I understand your position.
I agree with your NAK then.

> > I'm confused about your comment.
> > Yes, it already works.  The problem I was trying to solve is to put distinctive
> > icons on these devices.  The stock icons that are set in the fdi file I sent are
> > icons showing the type of card (as opposed to a generic "hard drive' icon).
> 
> That's just a problem with your icon theme; works fine already for good old
> Bluecurve
> 
>  http://people.freedesktop.org/~david/themed-icons.png
> 
> Unfortunately the problem here is that the Tango and gnome-icon-theme people
> just symlinked the class specific icons
> 
> $ ls -l /usr/share/icons/Tango/22x22/devices/gnome-dev-media-cf.png
> /usr/share/icons/gnome/22x22/devices/gnome-dev-media-cf.png
> lrwxrwxrwx 1 root root 15 2007-09-20 10:19
> /usr/share/icons/gnome/22x22/devices/gnome-dev-media-cf.png -> media-flash.png
> lrwxrwxrwx 1 root root 15 2007-09-10 07:28
> /usr/share/icons/Tango/22x22/devices/gnome-dev-media-cf.png -> media-flash.png
> 
> because they thought it was too confusing. Sigh. Go figure. However, for Fedora
> 9 this will hopefully get fixed as we have icon naming fallback.

I'm still confused here.
How can the desktop display the correct icons if HAL returns the wrong icons?
I might be missing something.

> So how do we move forward? I'm open for taking the ttyUSB and Firewire stuff.
> Sounds good?

Ok.

Phil.
Comment 10 David Zeuthen 2007-12-03 17:39:10 EST
(In reply to comment #9)
> > Depends on the context. It's not impossible for me to imagine enterprise and
> > government setups where they would care about this (a guard wouldn't allow you
> > to move removable media outside a secure facility). Also things like SarBox.
> 
> This scenario looks quite a stretch, but I understand your position.
> I agree with your NAK then.

It's a huge stretch, yeah. It's also about being secure out of the box. I can
imagine tons of admins who would be caught by surprise. Including those running
a Fedora box off a USB storage device. Besides, gpart is here and it works. And
in the future we'll have better tools for partitioning and disk setup.

> I'm still confused here.
> How can the desktop display the correct icons if HAL returns the wrong icons?
> I might be missing something.

HAL doesn't return icon names at all. The desktop UI figures out the name by
itself by inspecting the drive and media type. 

The ability for hal to return icon names is just only a hint to the desktop.
Also, if that property is used the icon name needs to be a lot more generic so
KDE and other desktops can theme it too. It's really just meant for storage
devices that are not common; e.g. phones, mp3 players and so forth.

> > So how do we move forward? I'm open for taking the ttyUSB and Firewire stuff.
> > Sounds good?
> 
> Ok.

I'll look into merging this. I'll keep the bug open until then.
Comment 11 Philippe Troin 2007-12-04 17:09:52 EST
(In reply to comment #10)
> (In reply to comment #9)
> > > Depends on the context. It's not impossible for me to imagine enterprise and
> > > government setups where they would care about this (a guard wouldn't allow you
> > > to move removable media outside a secure facility). Also things like SarBox.
> > 
> > This scenario looks quite a stretch, but I understand your position.
> > I agree with your NAK then.
> 
> It's a huge stretch, yeah. It's also about being secure out of the box. I can
> imagine tons of admins who would be caught by surprise. Including those running
> a Fedora box off a USB storage device. Besides, gpart is here and it works. And
> in the future we'll have better tools for partitioning and disk setup.

I'd agree that the case of running Fedora from a USB storage device is much more
compelling :)

> > I'm still confused here.
> > How can the desktop display the correct icons if HAL returns the wrong icons?
> > I might be missing something.
> 
> HAL doesn't return icon names at all. The desktop UI figures out the name by
> itself by inspecting the drive and media type. 
> 
> The ability for hal to return icon names is just only a hint to the desktop.
> Also, if that property is used the icon name needs to be a lot more generic so
> KDE and other desktops can theme it too. It's really just meant for storage
> devices that are not common; e.g. phones, mp3 players and so forth.

Ok.  I'll keep my local modifications then...

> > > So how do we move forward? I'm open for taking the ttyUSB and Firewire stuff.
> > > Sounds good?
> > 
> > Ok.
> 
> I'll look into merging this. I'll keep the bug open until then.

Ok.
I'll be looking for an updated package in the future...

Phil.

Comment 12 Bug Zapper 2008-11-26 03:47:36 EST
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 13 Bug Zapper 2009-01-09 00:24:07 EST
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.