[Bug 1173750] New: usbguard daemon segfaults - fixed upstream in version 0.7.8
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 Bug ID: 1173750 Summary: usbguard daemon segfaults - fixed upstream in version 0.7.8 Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: Mathias.Homann@opensuse.org QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- the package usbguard as included in 15.2 is broken, the daemon segfaults on start as soon as the rules.d folder is used. This has been fixed upstream in version 0.7.8, which is already packaged on obs in https://build.opensuse.org/package/show/hardware/usbguard Please provide this version as update ASAP. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c1 --- Comment #1 from Mathias Homann <Mathias.Homann@opensuse.org> --- (In reply to Mathias Homann from comment #0)
the package usbguard as included in 15.2 is broken, the daemon segfaults on start as soon as the rules.d folder is used.
This has been fixed upstream in version 0.7.8, which is already packaged on obs in https://build.opensuse.org/package/show/hardware/usbguard
Please provide this version as update ASAP.
actually, I tried the 0.7.8 package from OBS and it crashes as well... but when you manually start the daemon with the command from the .service file it works? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c4 --- Comment #4 from Mathias Homann <Mathias.Homann@opensuse.org> --- hm. I'm comparing usbguard.service from 15.1 (where it worked fine) to usbguard.service from 15.2 (where it crashes when started from systemd, but works fine when started manually in a shell), and I'm seeing massive differences between the two files. I don't know enough systemd to understand what I see, though. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c5 --- Comment #5 from Mathias Homann <Mathias.Homann@opensuse.org> --- ...replaced usbguard.service from 15.2 with the same file from 15.1, and usbguard-daemon starts fine from systemd. So one of the many new settings in that file is to blame. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c6 --- Comment #6 from Mathias Homann <Mathias.Homann@opensuse.org> --- tLooks as if the .service file is what comes with the usbguard sources. Filed a bugreport upstream. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c8 --- Comment #8 from Mathias Homann <Mathias.Homann@opensuse.org> --- the crash seems to be because of the systemd version used in 15.2... see https://github.com/USBGuard/usbguard/issues/382#issuecomment-654841585 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c9 --- Comment #9 from Mathias Homann <Mathias.Homann@opensuse.org> --- (In reply to Matthias Gerstner from comment #7)
Do you have some special configuration for usbguard?
nope, I'm actually testing all this kind of stuff inside a VM that has not been touched after installation... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c11 --- Comment #11 from Mathias Homann <Mathias.Homann@opensuse.org> --- I would like to see that patched in the usbguard packages for 15.2 and pushed out as an update... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c13 --- Comment #13 from Mathias Homann <Mathias.Homann@opensuse.org> --- I just noticed something else: the desktop applet is missing. Acording to the changes file it got removed in the latest revision for 15.2: "- Remove Qt5 build dependencies, Qt applet is a separate package." but ... where IS that separate package? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c15 --- Comment #15 from Mathias Homann <Mathias.Homann@opensuse.org> --- I totally agree with the points in that github issue. Basically, as it is right now usbguard is (almost) unusable on desktop systems without at least setting up sudo rights to use the usbguard cli interface for every local user... usbguard-notify doesnt exist as a package for openSUSE, and after trying to build and install it I can see why... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c16 --- Comment #16 from Mathias Homann <Mathias.Homann@opensuse.org> --- ok, i do have a working package of usbguard-notifier 0.0.6 in home:lemmy04 that can be used with the current usbguard (after editing /usr/lib/systemd/system/usbguard.service). Feel free to grab it. Should I submit it to hardware where usbguard lives? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c17 --- Comment #17 from Mathias Homann <Mathias.Homann@opensuse.org> --- (In reply to Matthias Gerstner from comment #10)
By removing this line from the .service file you can continue using usbguard at the loss of some security hardening that would otherwise be present on Tumbleweed. Maybe there is some other system call filter group or upstream needs to explicitly list the system calls they want to whitelist for older systemd versions.
I have a patched usbguard 0.7.8 in https://build.opensuse.org/package/show/home:lemmy04:branches:hardware/usbgu... Have a lot of fun! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c22 --- Comment #22 from Mathias Homann <Mathias.Homann@opensuse.org> --- what little ui part exists as of now can be seen in home:lemmy04/usbguard-notifier. All you can do with it is get a desktop notification every time you plug or unplug an USB device, which also tells you wether usbguard has allowed or blocked that device. I've submitted the package to hardware - see https://build.opensuse.org/request/show/819900 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173750 http://bugzilla.opensuse.org/show_bug.cgi?id=1173750#c23 --- Comment #23 from Robert Frohl <rfrohl@suse.com> --- (In reply to Mathias Homann from comment #22)
I've submitted the package to hardware - see https://build.opensuse.org/request/show/819900
I added a comment, that I would be ok with taking maintainership of this. Sadly I can not accept the package to hardware. I will go and look for someone to speed this up a bit. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com