Le 11 février 2017 11:46:14 GMT+01:00, Alec Leamas <leamas.a...@gmail.com> a écrit : > > >On 11/02/17 10:29, Bastien Roucaries wrote: >> Le 10 février 2017 16:13:15 GMT+01:00, Alec Leamas ><leamas.a...@gmail.com> a écrit : >>> Dear list, >[cut] >>> Proposed /dev/ permissions after installing lirc: >>> >>> - The /dev/lirc? devices are set user:group lirc:lirc and mode 660 >>> (udev rule). >>> - The lirc user is added to the input group, to access /dev/input >>> devices. >>> - The lirc user is added to the dialout group to access /dev/ttyS >>> devices. >>> - The /var/lock dir is root:root 755 in my stretch box but this is >>> seemingly #813703; assuming this will be fixed to 1777. >>> - lirc user gets read access to all USB character devices using a >udev >>> rule invoking facl(1). >>> >>> I know that getting permission is harder than to be forgiven, but >>> perhaps it makes sense to have a discussion first? >>> >>> The possibly controversial issue is the USB devices. However, >without >>> this rule a large part of lirc users will be forced to painful udev >>> rules configuration >> >> >> Can we list USB device needed (whitelist) ? > >I don't think so. The number of devices used by lircd is large, and the > >USB ids are not always well-defined...
> >It might be possible to whitelist "most" devices, leaving it up to >users >of "uncommon" devices to fix it on their own. More work for both >package >maintainers and users, although more safe... > >Personally I don't think read access to character devices should be >that >sensitive. The most obvious concern are hardware login dongles. Of >those, most seems to be mass storage devices; these are *not* covered >by >the udev rule. Neither is yubikey devices. Last time braille stuff break (brick) a FPGA device with a jtag adaptator (serial to jtag). So i really dislike package that bind to all char device. Btw if you do this you need a break on braille stuff... Could we have both ? A whitelist of well know device ans a package (suggested) lirc-usb that catch all... If you need lirc-usb please film a bug ? Thanks Bastien >Also, whatever risks there are we are already taking them when running >lircd as root. > > >--alec -- Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté.