Bug 560050 - Unsafe udev rules
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: argyllcms
Version: rawhide
Hardware: All Linux
Priority: low, Severity: high
Assigned To: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
Keywords: Security

Reported: 2010-01-29 13:44 EST by David Zeuthen
Modified: 2013-03-05 23:01 EST
Fixed In Version: argyllcms-1.0.4-5.fc12
Doc Type: Bug Fix
Last Closed: 2010-03-03 19:22:51 EST

Attachments
patch which takes the udev rules file from my friendly work, hargyllcms (2.77 KB, patch)
2010-02-01 03:59 EST, Richard Hughes

Description David Zeuthen 2010-01-29 13:44:27 EST
From /lib/udev/rules.d/55-Argyll.rules which is part of argyllcms-1.0.4-4.fc13.x86_64

 # Enable serial port connected instruments connected on first two ports.
 KERNEL=="ttyS[01]", MODE="666"

 # Enable serial port connected instruments on USB serial converteds connected
 # on  first two ports.
 KERNEL=="ttyUSB[01]", MODE="666"

This gives world-write read/write access to any tty device. Clearly this is unwanted.
Comment 1 David Zeuthen 2010-01-29 13:46:20 EST
Instead, Argyll should use the udev ACL stuff (to ensure we only grant access to active local sessions) and key off USB vendor/product ids (to ensure we don't grant access to any random tty device).
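
A defensive check for the pattern reported above, as an added example that is not part of the original bug report or the argyllcms package: it scans udev rules text for rules that set a world-writable MODE and notes whether each rule is at least keyed on USB vendor/product ids. The `audit_rules` name, the id values and the last two sample rules are constructed for illustration.

```python
import re

# One udev "key op value" token, e.g. KERNEL=="ttyS[01]" or ATTR{idVendor}=="ffff"
TOKEN = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')
# Match keys that tie a rule to one specific USB device model
ID_KEYS = {"ATTR{idVendor}", "ATTRS{idVendor}", "ENV{ID_VENDOR_ID}",
           "ATTR{idProduct}", "ATTRS{idProduct}", "ENV{ID_MODEL_ID}"}

def audit_rules(text):
    """Return (line_no, rule, reason) for every rule setting a world-writable MODE."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        tokens = TOKEN.findall(rule)
        modes = [v for k, op, v in tokens if k == "MODE" and op in ("=", ":=")]
        if not modes:
            continue
        try:
            mode = int(modes[-1], 8)   # udev modes are octal, "666" or "0666"
        except ValueError:
            continue                   # symbolic or substituted value, skip
        if not mode & 0o002:           # "other" write bit not set
            continue
        keyed = any(k in ID_KEYS and op == "==" for k, op, _ in tokens)
        reason = ("world-writable, limited to one USB vendor/product" if keyed
                  else "world-writable for every device matching the kernel name")
        findings.append((line_no, rule, reason))
    return findings

# First two rules are the ones quoted in the bug description; the rest are constructed.
SAMPLE = '''\
# Enable serial port connected instruments connected on first two ports.
KERNEL=="ttyS[01]", MODE="666"
KERNEL=="ttyUSB[01]", MODE="666"
# Constructed: placeholder ids, group access only
SUBSYSTEM=="usb", ATTR{idVendor}=="ffff", ATTR{idProduct}=="0001", MODE="0660"
# Constructed: keyed on placeholder ids but still world-writable
SUBSYSTEM=="usb", ATTR{idVendor}=="ffff", ATTR{idProduct}=="0002", MODE="0666"
'''

if __name__ == "__main__":
    for line_no, rule, reason in audit_rules(SAMPLE):
        print(f"line {line_no}: {reason}\n    {rule}")
```
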
Comment 2 David Zeuthen 2010-01-29 13:54:01 EST
Adding Richard to the Cc as he did this change

* Fri Oct 30 2009 Richard Hughes <rhughes@redhat.com> - 1.0.4-3
- Install the udev rules file so users can get the correct device
  permissions on F12 and above which does not use HAL policy files.
Comment 3 Jon Ciesla 2010-01-29 13:57:00 EST
I think that's a great idea.

I know nothing about udev rules, and have no idea what vendor/product ids we'd use. 

:)

Thoughts?
Comment 4 Richard Hughes 2010-02-01 03:49:09 EST
(In reply to comment #1)
> Instead, Argyll should use the udev ACL stuff (to ensure we only grant access
> to active local sessions) and key off USB vendor/product ids (to ensure we
> don't grant access to any random tty device).    

Agreed, I just took the upstream rules and added them to the Fedora package. Tbh, I don't think we want any of the tty ports changed; if you've got an old and crusty photospectrometer then you should already know how to chmod the device files.

I'll fix this now. At some point we want to switch to 1.0.0 anyway, but I'll do the update for the pre-release now.
Comment 5 Richard Hughes 2010-02-01 03:59:37 EST
Created attachment 387989 [details]
patch which takes the udev rules file from my friendly work, hargyllcms

I've backported this patch, which adds acl-based access and removes all the tty port logic as it's basically unsafe.
Comment 6 David Zeuthen 2010-02-01 10:51:03 EST
(In reply to comment #4)
> Tbh, I don't think we want any of the tty ports changed; if you've got an old
> and crusty photospectrometer then you should already know how to chmod the
> device files.

Sounds fine to me - we can't reliably autodetect hardware on these ports anyway.
Comment 7 Fedora Update System 2010-02-04 20:46:59 EST
argyllcms-1.0.4-5.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update argyllcms'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1493
Comment 8 Fedora Update System 2010-03-03 19:22:46 EST
argyllcms-1.0.4-5.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Graeme Gill 2010-03-18 01:27:35 EDT
(In reply to comment #4)

> Agreed, I just took the upstream rules and added them to the Fedora package.
> Tbh, I don't think we want any of the tty ports changed; if you've got an old
> and crusty photospectrometer then you should already know how to chmod the
> device files.

I don't agree - if Linux doesn't have an elegant way of allowing users to
use their tty ports, then one should be added - urgently!

In the meantime, people want to get work done, and really don't
care about theoretical vulnerabilities in tty permissions.
