[opensuse-security] udev rules; use of uucp group for devices

Hi, I had asked this question over at the [opensuse] mailing list on 09/14/2008 12:46 AM and got the recommendation to ask the security people about this issue. So here I am.

I want to use a USB device which comes up as /dev/ttyUSB0 with the user:group = root:uucp. Now my question is: what is the intended way for a normal user to use this device? When I look at my user information with the id command I get:

uid=1000(linux) gid=100(users) groups=16(dialout),33(video),100(users)

I am hesitant to add my user to the uucp group, as I am not sure whether that is the intended use of the group. I know there are some users/groups on Linux only intended for some software and not for real user accounts. I tried to override the udev rule and make the ttyUSB0 device belong to the dialout group, as my user belongs to it, but was not successful with that.

Could someone please explain the intended use of the uucp group in connection with hardware devices and how users are intended to access the hardware?

Thanks for your help.

Cheers, Guenter

-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org

Günter Dannoritzer wrote:
I am hesitant to add my user to the uucp group, as I am not sure whether that is the intended use of the group. I know there are some user/groups on Linux only intended for some software and not for real user accounts.
Your intuition is right. The uucp group is meant for use by the uucp system only. Adding normal users to that group is dangerous and could have unexpected side effects. Up to 11.0 you can tell resmgr to grant certain users access to specific devices instead, see http://forgeftp.novell.com/resmgr/web/#id2830544

cu Ludwig
-- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

OK, I'll bite... My understanding is that the UUCP system was already well and truly obsolete about ten years ago. So why is an out-of-the-box SuSE system set up so that only UUCP can access these devices? I'm probably missing something, so feel free to shoot me down in flames.

Bob

On Fri, 26 Sep 2008, Ludwig Nussel wrote:
Günter Dannoritzer wrote:
I am hesitant to add my user to the uucp group, as I am not sure whether that is the intended use of the group. I know there are some user/groups on Linux only intended for some software and not for real user accounts.
Your intuition is right. The uucp group is meant for use by the uucp system only. Adding normal users to that group is dangerous and could have unexpected side effects.
Up to 11.0 you can tell resmgr to grant certain users access to specific devices instead, see http://forgeftp.novell.com/resmgr/web/#id2830544
cu Ludwig
-- Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691

Bob Vickers wrote:
My understanding is that the UUCP system was already well and truly obsolete about ten years ago. So why is an out-of-the-box SuSE system set up so that only UUCP can access these devices?
No idea whether and how many people still use uucp. There isn't much set up for uucp by default except that there is a uucp group that has access permissions on serial ports and /var/lock. As long as you do not actually use uucp it doesn't make any difference whether the group of those things is uucp or root. Presence of the uucp group has the drawback that it sometimes makes people believe that adding users to that group is the preferred way to get access to serial ports though.

cu Ludwig

The Friday 2008-09-26 at 11:57 +0200, Ludwig Nussel wrote:
Presence of the uucp group has the drawback that it sometimes makes people believe that adding users to that group is the preferred way to get access to serial ports though.
Indeed! I see I added myself years ago. I'll have to review why, and remove it.

-- Cheers, Carlos E. R.

Ludwig Nussel wrote: ...
Up to 11.0 you can tell resmgr to grant certain users access to specific devices instead, see http://forgeftp.novell.com/resmgr/web/#id2830544
Thanks for the information. I tried the example given under the above link, by adding:

allow modem user=linux

to a new file under /etc/resmgr.conf.d

Did a restart of the resource manager and also see that I am now a member of the modem group.
/sbin/resmgr classes modem ...
Now that still does not allow me to access /dev/ttyUSB0. I looked in the files under /etc/hal/fid/policy/ and found:

<!-- serial devices -->
<match key="info.category" string="serial">
  <match key="serial.device" exists="true">
    <merge key="resmgr.device" type="copy_property">serial.device</merge>
    <merge key="resmgr.class" type="string">modem</merge>
  </match>
</match>

How do I know what class my ttyUSB0 device runs under? It is an FTDI 245 USB chip that runs with the kernel module ftdi_sio, a usbserial driver.

BTW, you said that up to 11.0 the resmgr is taking care of resources. What takes care of them with 11.1?

Cheers, Guenter

Günter Dannoritzer wrote:
Ludwig Nussel wrote:
Up to 11.0 you can tell resmgr to grant certain users access to specific devices instead, see http://forgeftp.novell.com/resmgr/web/#id2830544
Thanks for the information. I tried the example given under the above link, by adding:
allow modem user=linux
to a new file under /etc/resmgr.conf.d
Did a restart of the resourcemanager and also see that I am now member of the modem group.
/sbin/resmgr classes modem ...
You also need to unplug the device and plug it in again to generate an event that sets the ACL.
Now that still does not allow me to access the /dev/ttyUSB0. I looked in the files under /etc/hal/fid/policy/ and found:
<!-- serial devices -->
<match key="info.category" string="serial">
  <match key="serial.device" exists="true">
    <merge key="resmgr.device" type="copy_property">serial.device</merge>
    <merge key="resmgr.class" type="string">modem</merge>
  </match>
</match>
How do I know what class my ttyUSB0 device runs under?
lshal
It is an FTDI 245 USB chip that runs with the kernel module ftdi_sio, a usbserial driver.
You can also match for usb vendor/product id. See the same web page a few paragraphs up.
BTW, you said that up to 11.0 the resmgr is taking care of resources. What takes care of them with 11.1?
ConsoleKit/PolicyKit/hal

cu Ludwig
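The vendor/product matching Ludwig points to can also be written as a udev rule, which is what Guenter tried in the first message. What follows is an added example, not code from this thread or from openSUSE: a small Python evaluator for udev-style rule lines, run against two constructed usb-serial devices, to show why a rule scoped to one board is the least-privilege choice compared with joining group uucp. The user and group names, the FTDI ids 0403:6001 and the second adapter's ids 067b:2303 are assumptions made for the illustration, and ATTRS is simplified to a flat attribute dict instead of the parent-device walk real udev performs.

```python
"""Added example: evaluate udev-style rules against constructed devices (not openSUSE code)."""
import fnmatch
import re
from collections import namedtuple

Token = namedtuple("Token", "key attr op value")

# One match or assignment inside a rule line, e.g. ATTRS{idVendor}=="0403" or GROUP="uucp".
_TOKEN = re.compile(r'\s*([A-Z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|:=|=)\s*"([^"]*)"\s*,?')


def parse_rules(text):
    """Parse rule lines into token lists; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pos, tokens = 0, []
        while pos < len(line):
            m = _TOKEN.match(line, pos)
            if not m:
                raise ValueError("cannot parse rule at: %r" % line[pos:])
            tokens.append(Token(*m.groups()))
            pos = m.end()
        rules.append(tokens)
    return rules


def _device_value(device, tok):
    # Simplification (assumption): ATTRS is one flat dict of the device's and its parents' attributes.
    if tok.key in ("ATTR", "ATTRS"):
        return device.get("ATTRS", {}).get(tok.attr, "")
    return device.get(tok.key, "")


def _matches(device, tok):
    hit = fnmatch.fnmatchcase(_device_value(device, tok), tok.value)
    return hit if tok.op == "==" else not hit


def apply_rules(rules, device):
    """Return OWNER/GROUP/MODE/SYMLINK as udev would assign them, in file order:
    '=' overrides earlier assignments, '+=' appends, ':=' makes a key final."""
    result = {"OWNER": "root", "GROUP": "root", "MODE": "0600", "SYMLINK": []}
    final = set()
    for tokens in rules:
        if not all(_matches(device, t) for t in tokens if t.op in ("==", "!=")):
            continue
        for t in tokens:
            if t.op in ("==", "!=") or t.key in final:
                continue
            if t.op == "+=":
                result.setdefault(t.key, []).append(t.value)
            else:
                result[t.key] = t.value
                if t.op == ":=":
                    final.add(t.key)
    return result


# Constructed rule set (assumption: not copied from any openSUSE release).
RULES = parse_rules('''
# Broad rule, the shape of the stock one: every usb-serial tty belongs to group uucp.
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", GROUP="uucp", MODE="0660"
# Narrow rule: one FTDI board (0403:6001 assumed), handed to the single user who needs it.
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", OWNER="linux", MODE="0600", SYMLINK+="ftdi_board"
''')

# Constructed devices, shaped like what lshal / udevadm info -a would report (ids assumed).
FTDI_BOARD = {"KERNEL": "ttyUSB0", "SUBSYSTEM": "tty",
              "ATTRS": {"idVendor": "0403", "idProduct": "6001"}}
OTHER_ADAPTER = {"KERNEL": "ttyUSB1", "SUBSYSTEM": "tty",
                 "ATTRS": {"idVendor": "067b", "idProduct": "2303"}}


def can_open(device, user, groups):
    """Would a non-root `user` (member of `groups`) get read/write on the node udev produced?"""
    r = apply_rules(RULES, device)
    mode = int(r["MODE"], 8)
    if r["OWNER"] == user:
        return (mode & 0o600) == 0o600
    if r["GROUP"] in groups:
        return (mode & 0o060) == 0o060
    return (mode & 0o006) == 0o006


if __name__ == "__main__":
    for name, dev in (("FTDI board", FTDI_BOARD), ("other adapter", OTHER_ADAPTER)):
        r = apply_rules(RULES, dev)
        print("%-14s %s:%s %s symlinks=%s" % (name, r["OWNER"], r["GROUP"], r["MODE"], r["SYMLINK"]))
    print("linux (dialout,users) opens FTDI board:   ", can_open(FTDI_BOARD, "linux", {"dialout", "users"}))
    print("linux (dialout,users) opens other adapter:", can_open(OTHER_ADAPTER, "linux", {"dialout", "users"}))
    print("linux (uucp) opens other adapter:         ", can_open(OTHER_ADAPTER, "linux", {"uucp"}))
```

The broad rule plus group membership hands every usb-serial port (and, per Ludwig, /var/lock) to the user; the narrow rule hands over only the one board, and a later rule overriding MODE to 0600 means the uucp group assignment from the earlier rule no longer matters for that node. On a real system read the attributes off the device (lshal on the HAL-era releases discussed here, udevadm info -a -n /dev/ttyUSB0 on current ones) before writing the match keys.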

Ludwig Nussel wrote:
Günter Dannoritzer wrote: ...
You also need to unplug the device and plug it in again to generate an event that sets the ACL.
Thanks, I got it to work now. You taught me a lot of new things about the resource manager. Thanks again.

Guenter

On Friday 2008-09-26 at 14:45 +0200, Ludwig Nussel wrote:
Günter Dannoritzer wrote:
Ludwig Nussel wrote:
Up to 11.0 you can tell resmgr to grant certain users access to specific devices instead, see http://forgeftp.novell.com/resmgr/web/#id2830544
You can also match for usb vendor/product id. See the same web page a few paragraphs up.
BTW, you said that up to 11.0 the resmgr is taking care of resources. What takes care of them with 11.1?
ConsoleKit/PolicyKit/hal
This is way too complicated; it is not practical :-(

Yesterday, a user on the Spanish list was also asking how to access a device on ttyUSB0. I pointed him to these instructions. He says this is too complicated for him, so instead he will just run the program as root, via sudo. As running as root may be even more dangerous and inconvenient (downloaded files will belong to root), I told him to add himself to group uucp:

groupmod --add-user USUARIO uucp

Unfortunately I think I will keep using that method myself till somebody invents a really easy method. You could perhaps modify your side and use another sensible group instead of 'uucp' for devices.

-- Cheers, Carlos E. R.

Carlos E. R. wrote:
On Friday 2008-09-26 at 14:45 +0200, Ludwig Nussel wrote:
Günter Dannoritzer wrote:
Ludwig Nussel wrote:
Up to 11.0 you can tell resmgr to grant certain users access to specific devices instead, see http://forgeftp.novell.com/resmgr/web/#id2830544
You can also match for usb vendor/product id. See the same web page a few paragraphs up.
BTW, you said that up to 11.0 the resmgr is taking care of resources. What takes care of them with 11.1?
ConsoleKit/PolicyKit/hal
This is way to complicated; it is not practical :-(
Yesterday, a user on the Spanish list was also asking how to access a device on ttyUSB0. I pointed him to these instructions. He says this is too complicated for him, so instead he will just run the program as root, via sudo.
As running as root may be even more dangerous and inconvenient (downloaded files will belong to root), I told him to add himself to group uucp:
groupmod --add-user USUARIO uucp
Huh? Why is that less complicated than

# echo allow modem user=usario > /etc/resmgr.conf.d/50-modem.conf

cu Ludwig

On Thursday 2008-10-02 at 09:05 +0200, Ludwig Nussel wrote:
groupmod --add-user USUARIO uucp
Huh? Why is that less complicated than # echo allow modem user=usario > /etc/resmgr.conf.d/50-modem.conf
As I'm not the user that posted the problem and said it was too difficult for him, I don't know. :-) Perhaps because it is not a modem, he has an HP calculator. I will try myself with another device I have.

[...]

Ok, yes, you are right, I was able to connect to my Nokia phone. Actually, I'm doubly happy because it has been a year since I could connect... I wiped the contacts of the plug with a screwdriver (being no-name means not gold plated). It was a hardware problem, not software!

I'll insist on this user to try your trick. Thank you!

-- Cheers, Carlos E. R.

Carlos E. R. wrote:
On Thursday 2008-10-02 at 09:05 +0200, Ludwig Nussel wrote:
groupmod --add-user USUARIO uucp Huh? Why is that less complicated than # echo allow modem user=usario > /etc/resmgr.conf.d/50-modem.conf
A nit, but it might be better to use >> instead of > in case there are already entries in the .conf file, so you don't wipe them out.

-- Dan Goodman

On Thursday 2008-10-02 at 10:44 +0200, Carlos E. R. wrote:
I'll insist on this user to try your trick.
He confirms it worked. Maybe it is the article that scared us :-)

-- Cheers, Carlos E. R.

Ludwig Nussel wrote: ...
Up to 11.0 you can tell resmgr to grant certain users access to specific devices instead, see http://forgeftp.novell.com/resmgr/web/#id2830544
I just read that someone with Debian got access rights to ttyUSB* by being a member of the dialout group. Now my user also is a member of the dialout group and I wonder whether it would not make sense then to add the 'modem' class in the resource manager to that user as well? What is the reason for this split of not having the user be part of the 'modem' class in the resource manager, but part of the dialout group?

Cheers, Guenter

Günter Dannoritzer wrote:
Ludwig Nussel wrote:
Up to 11.0 you can tell resmgr to grant certain users access to specific devices instead, see http://forgeftp.novell.com/resmgr/web/#id2830544
I just read that someone with debian got access rigth to ttyUSB* by being member of the dialout group.
Now my user also is member of the dialout group and I wonder whether it would not make sense then to add the 'modem' class in the resource manager to that user as well?
What is the reason for this split of not having the user be part of the 'modem' class in the resource manager, but part of the dialout group?
Being a member of the dialout group merely gives you permissions to trigger or stop dialin connections (via smpppd or isdnctrl) without any way to influence 'dangerous' parameters such as phone number. As a member of the modem class in resmgr you will be able to issue arbitrary AT commands to serial modems or mobile phones though.

cu Ludwig

Ludwig Nussel wrote:
Being member of the dialout group merely gives you permissions to trigger or stop dialin connections (via smpppd or isdnctrl) without any way to influence 'dangerous' parameters such as phone number. As member of the modem class in resmgr you will be able to issue arbitrary AT commands to serial modems or mobile phones though.
Thanks for explaining that, I see the difference now.

Guenter
participants:
- Bob Vickers
- Carlos E. R.
- Dan Goodman
- Günter Dannoritzer
- Ludwig Nussel