Bug ID 1202160
Summary AUDIT-FIND: libiio-usb-udev-rules: insecure permissions
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter wolfgang.frisch@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

During a routine audit of udev scripts in openSUSE Factory, it was noticed that
libiio-usb-udev-rules grants world-writable permissions:

```
SUBSYSTEM=="usb", PROGRAM=="/bin/sh -c '/usr/bin/iio_info -S usb=%s{idVendor}:%s{idProduct} | grep %s{idVendor}:%s{idProduct}'", RESULT!="", MODE="666"
```

This means unprivileged users have unrestricted read/write access to any IIO
USB device or any device deemed by `iio_info` to be an IIO device.

While this is not a security vulnerability per se yet, hardening measures are
warranted. It would be preferable to restrict access to a group, e.g.:
`MODE="660", GROUP="plugdev"`, or at least `MODE="0664", GROUP="plugdev"`.

What do you think?

For reference, we already have udev rules with stricter permissions:
```
i+ | rtl-sdr-udev | Udev rules for RTL2832 | package
i+ | uhd-udev | UHD udev rules | package
```
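
An added example, not part of the original report or of the libiio package: a small Python check of the kind such an audit could use, which parses udev rules text and flags `MODE=` assignments that grant access to all users. The function names, the sample rules other than the one quoted above, and the `0000` vendor ID are constructed for illustration.

```python
import re

# Assignment operators only (=, :=, +=); MODE=="..." is a match test, not an assignment.
ASSIGN = re.compile(r'\b(MODE|GROUP)\s*(?::=|\+=|=)\s*"([^"]*)"')

# Constructed sample. Line 2 is the rule quoted in the report; the rest is illustrative.
SAMPLE = r"""# constructed sample rules file
SUBSYSTEM=="usb", PROGRAM=="/bin/sh -c '/usr/bin/iio_info -S usb=%s{idVendor}:%s{idProduct} | grep %s{idVendor}:%s{idProduct}'", RESULT!="", MODE="666"
SUBSYSTEM=="usb", ATTR{idVendor}=="0000", MODE="0660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="0000", \
    MODE="0664", GROUP="plugdev"
SUBSYSTEM=="usb", MODE=="0666", TAG+="example"
"""

def logical_lines(text):
    """Yield (first_line_number, rule), joining backslash continuations and skipping comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:  # file ended in the middle of a continuation
        yield start, buf.strip()

def audit(text):
    """Return (line, finding, mode, group) for each rule whose MODE opens the node to 'other'."""
    findings = []
    for no, rule in logical_lines(text):
        keys = dict(ASSIGN.findall(rule))  # a later assignment in the rule overrides an earlier one
        mode = keys.get("MODE")
        if mode is None:
            continue
        try:
            bits = int(mode, 8)
        except ValueError:
            continue  # non-octal mode strings are out of scope for this check
        if bits & 0o002:
            findings.append((no, "world-writable", mode, keys.get("GROUP")))
        elif bits & 0o004:
            findings.append((no, "world-readable", mode, keys.get("GROUP")))
    return findings

if __name__ == "__main__":
    for no, finding, mode, group in audit(SAMPLE):
        print(f"line {no}: {finding} MODE={mode} GROUP={group}")
```
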
