[Bug 1202160] New: AUDIT-FIND: libiio-usb-udev-rules: insecure permissions
http://bugzilla.opensuse.org/show_bug.cgi?id=1202160

Bug ID: 1202160
Summary: AUDIT-FIND: libiio-usb-udev-rules: insecure permissions
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: wolfgang.frisch@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

During a routine audit of udev scripts in openSUSE Factory, it was noticed that libiio-usb-udev-rules grants world-writable permissions:

```
SUBSYSTEM=="usb", PROGRAM=="/bin/sh -c '/usr/bin/iio_info -S usb=%s{idVendor}:%s{idProduct} | grep %s{idVendor}:%s{idProduct}'", RESULT!="", MODE="666"
```

This means unprivileged users have unrestricted read/write access to any IIO USB device or any device deemed by `iio_info` to be an IIO device. While this is not a security vulnerability per se yet, hardening measures are warranted.

It would be preferable to restrict access to a group, e.g. MODE="660", GROUP="plugdev", or at least MODE="0664", GROUP="plugdev". What do you think?

For reference, we already have udev rules with stricter permissions:

```
i+ | rtl-sdr-udev | Udev rules for RTL2832 | package
i+ | uhd-udev     | UHD udev rules         | package
```

--
You are receiving this mail because: You are on the CC list for the bug.
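The audit described in the report boils down to one check: does any rule assign a MODE whose "other" class carries the write bit? The script below is an added example, not code from the bug report, from the openSUSE security team or from libiio; it scans udev rule files for that pattern and prints the offending lines. The function names are hypothetical, the rules file it builds is constructed for the demo (its first line mirrors the rule quoted above, the second is the group-restricted form the report suggests), and it treats only plain octal MODE values, which is what packaged rules use.

```sh
#!/bin/sh
# Added example (not from the bug report or libiio): audit helper that finds
# udev rules granting world-writable device nodes. Function names are
# hypothetical; the sample rules file further down is constructed.

# udev_mode_is_world_writable MODE
# Returns 0 when the octal MODE (e.g. 666 or 0666) sets the other-write bit,
# 1 otherwise. Only the last octal digit (the "other" class) matters.
udev_mode_is_world_writable() {
    mode=$1
    case "$mode" in
        *[!0-7]*|'') return 1 ;;     # not a plain octal mode string
    esac
    other=${mode#"${mode%?}"}        # last character of the mode
    [ $((other & 2)) -ne 0 ]         # bit 2 of the "other" digit is write
}

# find_world_writable_udev_rules FILE...
# Prints "file:line: rule" for every non-comment rule whose MODE="..." or
# MODE:="..." is world-writable. Returns 0 if at least one such rule was
# found, 1 if none (or no readable files were given).
find_world_writable_udev_rules() {
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case "$line" in
                '#'*|'') continue ;;   # skip comments and blank lines
            esac
            # Pull the value out of MODE="..." or MODE:="..."; empty if absent.
            mode=$(printf '%s\n' "$line" | sed -n 's/.*MODE:\{0,1\}="\([0-7]*\)".*/\1/p')
            [ -n "$mode" ] || continue
            if udev_mode_is_world_writable "$mode"; then
                printf '%s:%d: %s\n' "$f" "$n" "$line"
                found=0
            fi
        done < "$f"
    done
    return $found
}

# Stand-alone demo on a constructed rules file: line 2 mirrors the libiio rule
# quoted in the report, line 3 is the group-restricted form it suggests, line 4
# uses a made-up vendor/product ID with the MODE:= assignment syntax.
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
# constructed sample, not a real package file
SUBSYSTEM=="usb", PROGRAM=="/bin/sh -c '/usr/bin/iio_info -S usb=%s{idVendor}:%s{idProduct} | grep %s{idVendor}:%s{idProduct}'", RESULT!="", MODE="666"
SUBSYSTEM=="usb", PROGRAM=="/bin/sh -c '/usr/bin/iio_info -S usb=%s{idVendor}:%s{idProduct} | grep %s{idVendor}:%s{idProduct}'", RESULT!="", MODE="660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTR{idProduct}=="5678", MODE:="0666"
EOF
find_world_writable_udev_rules "$demo_rules"
rm -f "$demo_rules"
```

Run against a packaged rules directory (for example `find_world_writable_udev_rules /usr/lib/udev/rules.d/*.rules`) it lists every rule that would produce a world-writable device node; rules that use MODE="660" or MODE="0664" with a GROUP, the forms the report proposes, are not reported.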
http://bugzilla.opensuse.org/show_bug.cgi?id=1202160

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

What       | Removed               | Added
-----------|-----------------------|-----------------------------
Assignee   | security-team@suse.de | stefan.bruens@rwth-aachen.de
QA Contact | qa-bugs@suse.de       | security-team@suse.de
http://bugzilla.opensuse.org/show_bug.cgi?id=1202160#c1

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

What    | Removed                                                 | Added
--------|---------------------------------------------------------|----------------------------------------------------------------
CC      |                                                         | afaerber@suse.com, wolfgang.frisch@suse.com
Summary | AUDIT-FIND: libiio-usb-udev-rules: insecure permissions | AUDIT-FIND: libiio: libiio-usb-udev-rules: insecure permissions

--- Comment #1 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
Friendly ping! MODE="666" is still present in Factory.