http://bugzilla.opensuse.org/show_bug.cgi?id=1202160

Bug ID: 1202160
Summary: AUDIT-FIND: libiio-usb-udev-rules: insecure permissions
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: wolfgang.frisch@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

During a routine audit of udev scripts in openSUSE Factory, it was noticed that libiio-usb-udev-rules grants world-writable permissions:

```
SUBSYSTEM=="usb", PROGRAM=="/bin/sh -c '/usr/bin/iio_info -S usb=%s{idVendor}:%s{idProduct} | grep %s{idVendor}:%s{idProduct}'", RESULT!="", MODE="666"
```

This means unprivileged users have unrestricted read/write access to any IIO USB device or any device deemed by `iio_info` to be an IIO device.

While this is not a security vulnerability per se, yet, hardening measures are warranted. It would be preferable to restrict access to a group, e.g.: MODE="660", GROUP="plugdev", or at least MODE="0664", GROUP="plugdev".

What do you think?

For reference, we already have udev rules with stricter permissions:

```
i+ | rtl-sdr-udev | Udev rules for RTL2832 | package
i+ | uhd-udev     | UHD udev rules         | package
```
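An added example, not part of the bug report or of the libiio package: a small Python check of the kind such an audit could run over udev rules files, flagging rules whose assigned `MODE` gives access to "other". The sample input is constructed from the rule quoted above plus the two suggested alternatives; the `ATTR{idVendor}=="1234"` match and the function names are assumptions made for illustration.

```python
import re

# One udev token: KEY, operator, quoted value, e.g. MODE="666" or ATTR{idVendor}=="1234"
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample: the rule quoted in the report, then the two suggested
# alternatives attached to a made-up vendor match (1234 is a placeholder).
SAMPLE_RULES = r'''
# libiio-usb-udev-rules style file
SUBSYSTEM=="usb", PROGRAM=="/bin/sh -c '/usr/bin/iio_info -S usb=%s{idVendor}:%s{idProduct} | grep %s{idVendor}:%s{idProduct}'", RESULT!="", MODE="666"
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", MODE="660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", \
  MODE="0664", GROUP="plugdev"
'''

def logical_lines(text):
    """Yield (first_line_number, rule) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue  # skip blanks and comments between rules
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def audit(text):
    """Return (line, mode, group, finding) for rules that open the node to 'other'."""
    findings = []
    for no, rule in logical_lines(text):
        # Only assignments matter here; ==/!= tokens are match conditions.
        assigned = {k: v for k, op, v in TOKEN.findall(rule) if op in ("=", ":=", "+=")}
        mode = assigned.get("MODE")
        if mode is None or not re.fullmatch(r"[0-7]{3,4}", mode):
            continue  # no MODE, or not a plain octal value
        bits = int(mode, 8)
        if bits & 0o002:
            findings.append((no, mode, assigned.get("GROUP"), "world-writable"))
        elif bits & 0o004:
            findings.append((no, mode, assigned.get("GROUP"), "world-readable"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print("line %d: MODE=%s GROUP=%s -> %s" % f)
```
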