[opensuse] chromium, tty & dialout group
I'm trying to run an app in chromium to talk to an external device connected by serial over USB, as /dev/ttyUSB. And I'm failing.
I'm handicapped by knowing nothing about chromium and not much about ttys and groups in the modern world.
The app says it is trying to contact /dev/ttyUSB0 and then it says it is 'Not Found'.
I'm wondering if there is a permissions, or other security, issue?
Does chromium prevent apps trying to talk to external devices by default? (and if not why not?!)
If I look at the device:
$ ls -l /dev/ttyUSB0
crw-rw---- 1 root dialout 188, 0 Dec 8 11:37 /dev/ttyUSB0
it seems like nothing should be able to talk to it unless they are either root or a member of the dialout group. I don't want to give root privileges to this app. I'm running chromium as me, and the only group I am a member of is users. If I look at the list of groups in YaST, there is no dialout group listed.
Is there a bug in YaST or am I missing some feature to edit group membership?
I added myself to the dialout group using gpasswd. Some online stuff indicates I need to log out and then back in before it will take effect. That seems a fairly draconian thing to have to do just to use a new group membership. Is there another way?
I suppose I could change the group that the tty belongs to, but that seems like too big a bodge.
TIA, Dave
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, Dec 8, 2016 at 3:55 PM, Dave Howorth <dave@howorth.org.uk> wrote:
I'm wondering if there is a permissions, or other security, issue?
strace is your friend. ...
I added myself to the dialout group using gpasswd. Some online stuff indicates I need to log out and then back in before it will take effect. That seems a fairly draconian thing to have to do just to use a new group membership. Is there another way?
You could try "newgrp" command.
I suppose I could change the group that the tty belongs to, but that seems like too big a bodge.
What's wrong to do it for testing?
On Thu, 8 Dec 2016 16:05:11 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Thu, Dec 8, 2016 at 3:55 PM, Dave Howorth <dave@howorth.org.uk> wrote:
I'm wondering if there is a permissions, or other security, issue?
strace is your friend.
Yes. I think the app is open source so I could have a look to see what's happening, but I'm just trying user stuff so far. It seems to me either the app or chromium should have popped a dialog or something to warn the user of a permissions problem. So I think I'll end up suggesting a patch to the app.
I added myself to the dialout group using gpasswd. Some online stuff indicates I need to log out and then back in before it will take effect. That seems a fairly draconian thing to have to do just to use a new group membership. Is there another way?
You could try "newgrp" command.
Ah-ha! That did the trick; the app is now connecting. Many thanks.
I suppose I could change the group that the tty belongs to, but that seems like too big a bodge.
What's wrong to do it for testing?
Nothing, but I thought I'd ask first and indeed that proved a good plan :) Thanks again, Dave
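The situation discussed in these messages (gpasswd changes the group database, while an already-running session keeps the group list it was given at login until a new login or newgrp), as an added example that is not part of the original thread. The function names has_word, classify_access and check_device are hypothetical; the script assumes GNU stat and group names without spaces.

```shell
#!/bin/sh
# Added example: tell "listed in the group database" apart from
# "group actually held by this process" for a device node.

# has_word LIST WORD: succeed if WORD is one whole item of the space-separated LIST
has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_access DEV_GROUP DB_GROUPS SESSION_GROUPS
# Prints: ok | relogin | not-member
classify_access() {
    if has_word "$3" "$1"; then
        echo ok           # the current process already carries the group
    elif has_word "$2" "$1"; then
        echo relogin      # database updated, session credentials are stale
    else
        echo not-member   # user is not in the group at all
    fi
}

# check_device PATH: collect the real values for PATH and classify them
check_device() {
    dev=$1
    [ -e "$dev" ] || { echo missing; return 1; }
    dev_group=$(stat -c %G "$dev")       # group owner of the node (GNU stat)
    db_groups=$(id -Gn "$(id -un)")      # looked up in the group database
    session_groups=$(id -Gn)             # groups of the running process
    classify_access "$dev_group" "$db_groups" "$session_groups"
}

# Run against a device when a path is given, e.g.: sh script.sh /dev/ttyUSB0
if [ $# -gt 0 ]; then
    check_device "$1"
fi
```

A result of relogin corresponds to the state described in the thread after gpasswd and before newgrp.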
Op donderdag 8 december 2016 12:55:34 CET schreef Dave Howorth:
I'm trying to run an app in chromium to talk to an external device connected by serial over USB, as /dev/ttyUSB. And I'm failing.
I'm handicapped by knowing nothing about chromium and not much about ttys and groups in the modern world.
The app says it is trying to contact /dev/ttyUSB0 and then it says it is 'Not Found'.
I'm wondering if there is a permissions, or other security, issue?
Does chromium prevent apps trying to talk to external devices by default? (and if not why not?!)
If I look at the device:
$ ls -l /dev/ttyUSB0
crw-rw---- 1 root dialout 188, 0 Dec 8 11:37 /dev/ttyUSB0
it seems like nothing should be able to talk to it unless they are either root or a member of the dialout group. I don't want to give root privileges to this app. I'm running chromium as me, and the only group I am a member of is users. If I look at the list of groups in YaST, there is no dialout group listed.
Is there a bug in YaST or am I missing some feature to edit group membership?
I added myself to the dialout group using gpasswd. Some online stuff indicates I need to log out and then back in before it will take effect. That seems a fairly draconian thing to have to do just to use a new group membership. Is there another way?
I suppose I could change the group that the tty belongs to, but that seems like too big a bodge.
TIA, Dave
Are you sure, Dave? grep dial /etc/group
-- Gertjan Lettink, a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On Thu, 08 Dec 2016 14:29:39 +0100 Knurpht - Gertjan Lettink <knurpht@opensuse.org> wrote:
Are you sure, Dave? grep dial /etc/group
Not quite sure what you're asking. Yes, the dialout group is present in /etc/group. No the dialout group is not listed by YaST. Cheers, Dave PS Andrei has solved my problem with the app by using the command line, but I'd still like to understand why I failed with YaST.
Op donderdag 8 december 2016 14:04:04 CET schreef Dave Howorth:
On Thu, 08 Dec 2016 14:29:39 +0100
Knurpht - Gertjan Lettink <knurpht@opensuse.org> wrote:
Are you sure, Dave? grep dial /etc/group
Not quite sure what you're asking.
Yes, the dialout group is present in /etc/group. No the dialout group is not listed by YaST.
Cheers, Dave
PS Andrei has solved my problem with the app by using the command line, but I'd still like to understand why I failed with YaST.
OK. Here it is: When approached from the user tab, filter "System Users", the dialout group is not listed. When approached from the group tab, filter "System Groups" it is. Tick it, click Edit and check your user in the right column.
-- Gertjan Lettink, a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On Thu, 08 Dec 2016 15:34:42 +0100 Knurpht - Gertjan Lettink <knurpht@opensuse.org> wrote:
Op donderdag 8 december 2016 14:04:04 CET schreef Dave Howorth:
On Thu, 08 Dec 2016 14:29:39 +0100
Knurpht - Gertjan Lettink <knurpht@opensuse.org> wrote:
Are you sure, Dave? grep dial /etc/group
Not quite sure what you're asking.
Yes, the dialout group is present in /etc/group. No the dialout group is not listed by YaST.
Cheers, Dave
PS Andrei has solved my problem with the app by using the command line, but I'd still like to understand why I failed with YaST.
OK. Here it is: When approached from the user tab, filter "System Users", the dialout group is not listed. When approached from the group tab, filter "System Groups" it is. Tick it, click Edit and check your user in the right column.
Ah, thanks. I now see that I can also Edit my user and then if I click on the Groups tab, I can indeed see a list of all groups (or at least the ones I'm interested in). It wasn't obvious to me at first that the tab headings changed and meant something different after I clicked on Edit. It seems to me that it might be easier to understand if the editing area was a subwindow rather than taking over the whole window, but I'm no UI expert. Cheers, Dave
On 2016-12-08 13:55, Dave Howorth wrote:
I'm trying to run an app in chromium to talk to an external device connected by serial over USB, as /dev/ttyUSB. And I'm failing.
I'm handicapped by knowing nothing about chromium and not much about ttys and groups in the modern world.
The app says it is trying to contact /dev/ttyUSB0 and then it says it is 'Not Found'.
I'm wondering if there is a permissions, or other security, issue?
Does chromium prevent apps trying to talk to external devices by default? (and if not why not?!)
No, it is not chromium, it is the system administrator, Mr Root. Or in this case, openSUSE install defaults.
If I look at the device:
$ ls -l /dev/ttyUSB0
crw-rw---- 1 root dialout 188, 0 Dec 8 11:37 /dev/ttyUSB0
it seems like nothing should be able to talk to it unless they are either root or a member of the dialout group.
That is so.
I added myself to the dialout group using gpasswd. Some online stuff indicates I need to log out and then back in before it will take effect. That seems a fairly draconian thing to have to do just to use a new group membership. Is there another way?
To my knowledge, no, the newgrp command Andrei mentioned is new to me.
I suppose I could change the group that the tty belongs to, but that seems like too big a bodge.
Not really. All those files are dynamic, created on boot, and on device connect. So a reboot would solve a disaster in there ;-) It is possible that disconnecting and connecting the serial port emulator hardware would recreate the device.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Fri, 9 Dec 2016 02:15:15 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2016-12-08 13:55, Dave Howorth wrote:
I'm trying to run an app in chromium to talk to an external device connected by serial over USB, as /dev/ttyUSB. And I'm failing.
I'm handicapped by knowing nothing about chromium and not much about ttys and groups in the modern world.
The app says it is trying to contact /dev/ttyUSB0 and then it says it is 'Not Found'.
I'm wondering if there is a permissions, or other security, issue?
Does chromium prevent apps trying to talk to external devices by default? (and if not why not?!)
No, it is not chromium, it is the system administrator, Mr Root. Or in this case, openSUSE install defaults.
That seems to be the case, but the chromium documentation says that an aim of its security architecture is to prevent access to the host filesystem. I'm curious why it isn't doing that, since playing with newgrp was sufficient to achieve access.
On 2016-12-09 14:52, Dave Howorth wrote:
On Fri, 9 Dec 2016 02:15:15 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2016-12-08 13:55, Dave Howorth wrote:
I'm trying to run an app in chromium to talk to an external device connected by serial over USB, as /dev/ttyUSB. And I'm failing.
I'm handicapped by knowing nothing about chromium and not much about ttys and groups in the modern world.
The app says it is trying to contact /dev/ttyUSB0 and then it says it is 'Not Found'.
I'm wondering if there is a permissions, or other security, issue?
Does chromium prevent apps trying to talk to external devices by default? (and if not why not?!)
No, it is not chromium, it is the system administrator, Mr Root. Or in this case, openSUSE install defaults.
That seems to be the case, but the chromium documentation says that an aim of its security architecture is to prevent access to the host filesystem. I'm curious why it isn't doing that, since playing with newgrp was sufficient to achieve access.
I don't see how one thing relates to the other. What it impedes is, I understand, scripts on the web page accessing your filesystem, not that the program accesses the filesystem.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Fri, 9 Dec 2016 23:32:48 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2016-12-09 14:52, Dave Howorth wrote:
On Fri, 9 Dec 2016 02:15:15 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2016-12-08 13:55, Dave Howorth wrote:
I'm trying to run an app in chromium to talk to an external device connected by serial over USB, as /dev/ttyUSB. And I'm failing.
I'm handicapped by knowing nothing about chromium and not much about ttys and groups in the modern world.
The app says it is trying to contact /dev/ttyUSB0 and then it says it is 'Not Found'.
I'm wondering if there is a permissions, or other security, issue?
Does chromium prevent apps trying to talk to external devices by default? (and if not why not?!)
No, it is not chromium, it is the system administrator, Mr Root. Or in this case, openSUSE install defaults.
That seems to be the case, but the chromium documentation says that an aim of its security architecture is to prevent access to the host filesystem. I'm curious why it isn't doing that, since playing with newgrp was sufficient to achieve access.
I don't see how one thing relates to the other.
What it impedes is, I understand, scripts on the web page accessing your filesystem, not that the program accesses the filesystem.
What exactly do you think an app in a browser is? And why don't you think its capabilities should be restricted? Indeed why don't you think the browser itself should be restricted?
On 2016-12-09 23:35, Dave Howorth wrote:
On Fri, 9 Dec 2016 23:32:48 +0100 "Carlos E. R." <> wrote:
What exactly do you think an app in a browser is?
And why don't you think its capabilities should be restricted? Indeed why don't you think the browser itself should be restricted?
Well, if you install an app it is obvious that you intend it to run. So it has access.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Fri, 9 Dec 2016 23:43:19 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2016-12-09 23:35, Dave Howorth wrote:
On Fri, 9 Dec 2016 23:32:48 +0100 "Carlos E. R." <> wrote:
What exactly do you think an app in a browser is?
And why don't you think its capabilities should be restricted? Indeed why don't you think the browser itself should be restricted?
Well, if you install an app it is obvious that you intend it to run. So it has access.
I think you have missed the entire point. The biggest risk is badly behaved apps: either malware that you install by mistake or genuine apps that have been altered. Either way is that the app may try to do something that you did not expect and that you did not wish. So apps should always need be given explicit permission to access resources. If I install an app to play music, for example, I don't expect or want it to be able to use the microphone or camera, or upload anything.
On 2016-12-11 18:03, Dave Howorth wrote:
On Fri, 9 Dec 2016 23:43:19 +0100 "Carlos E. R." <> wrote:
On 2016-12-09 23:35, Dave Howorth wrote:
On Fri, 9 Dec 2016 23:32:48 +0100 "Carlos E. R." <> wrote:
What exactly do you think an app in a browser is?
And why don't you think its capabilities should be restricted? Indeed why don't you think the browser itself should be restricted?
Well, if you install an app it is obvious that you intend it to run. So it has access.
I think you have missed the entire point. The biggest risk is badly behaved apps: either malware that you install by mistake or genuine apps that have been altered. Either way is that the app may try to do something that you did not expect and that you did not wish. So apps should always need be given explicit permission to access resources.
Well, you did give it access by changing the groups :-)
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
participants (4)
- Andrei Borzenkov
- Carlos E. R.
- Dave Howorth
- Knurpht - Gertjan Lettink