linux-hotplug.vger.kernel.org archive mirror
* [PATCH] udev-acl: handle "dialout" devices
@ 2011-07-14 12:23 Linus Walleij
From: Linus Walleij @ 2011-07-14 12:23 UTC (permalink / raw)
  To: linux-hotplug

As a simple user, I'm pretty tired of this, when using a
simple serial console for something:
$ minicom
Device /dev/ttyUSB0 access failed: Permission denied.

The device is indeed readable/writable by the group "dialout":
$ ls -al /dev/ttyUSB0
crw-rw----. 1 root dialout 188, 0 Jul 14 14:11 /dev/ttyUSB0

But that group is not maintained by anyone just installing Linux
for some simple desktop use. Just like we let udev-acl handle
media players, cameras and whatnot, let it handle modems, not to
mention the fact that these "dialouts" are often just some serial
link or IrDA link, we don't really know if they are modems after
all.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
 extras/udev-acl/70-udev-acl.rules |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/extras/udev-acl/70-udev-acl.rules b/extras/udev-acl/70-udev-acl.rules
index 2dac283..770da3c 100644
--- a/extras/udev-acl/70-udev-acl.rules
+++ b/extras/udev-acl/70-udev-acl.rules
@@ -12,6 +12,9 @@ TEST="/sys/fs/cgroup/systemd", TAG="uaccess", GOTO="acl_end"
 # PTP/MTP protocol devices, cameras, portable media players
 SUBSYSTEM="usb", ENV{ID_USB_INTERFACES}="*:060101:*", TAG+="udev-acl"
 
+# USB-to-serial dongles, irDA links and other stuff classified as "dialout"
+GROUP="dialout", TAG+="udev-acl"
+
 # digicams with proprietary protocol
 ENV{ID_GPHOTO2}="*?", TAG+="udev-acl"
 
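Review bot: the added match `GROUP="dialout", TAG+="udev-acl"` tags every device node that carries the dialout group, so the seat user is granted an ACL on modems exactly as on the USB-to-serial dongles and IrDA links the comment names; nothing in the rule narrows it to the harmless cases. If the intent is console access to serial adapters, match on a property that distinguishes them from modems (the thread later proposes ID_MODEM and ID_EXTERNAL_PORT environment variables) instead of the group alone. One more point on the operator: in udev rule syntax a single `=` is an assignment and `==` is the match; the surrounding context lines (`SUBSYSTEM="usb"`, `ENV{ID_GPHOTO2}="*?"`) show the same single `=`, so this is most likely an archive rendering artifact, but as displayed the line would assign the dialout group to every device rather than match it, so confirm the committed file reads `GROUP=="dialout"`.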
-- 
1.7.6



* Re: [PATCH] udev-acl: handle "dialout" devices
From: Kay Sievers @ 2011-07-14 12:27 UTC (permalink / raw)
  To: linux-hotplug

On Thu, Jul 14, 2011 at 14:23, Linus Walleij <linus.walleij@linaro.org> wrote:
> As a simple user, I'm pretty tired of this, when using a
> simple serial console for something:
> $ minicom
> Device /dev/ttyUSB0 access failed: Permission denied.

> +# USB-to-serial dongles, irDA links and other stuff classified as "dialout"
> +GROUP="dialout", TAG+="udev-acl"

We obviously can't do that for security reasons. Any untrusted user
could call 900 numbers that way. You need to put yourself in the
dialout group or use a privileged helper to wrap your access.

Kay

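The two options Kay names above (join the dialout group, or scope access more narrowly than a blanket rule) can be checked and generated from a shell. The script below is an added example, not code from the thread or from the udev project: it audits which device nodes a blanket dialout rule would hand to the seat user (from a constructed `ls -l` listing), emits a udev rule scoped to one USB-serial adapter by vendor and product id (the ids 0403:6001 are hypothetical placeholders), and checks group membership with `id -nG`. The `udev-acl` tag is the one the patch context uses; the `tty` subsystem match and the `ATTRS{idVendor}`/`ATTRS{idProduct}` keys are standard udev match keys.

```shell
#!/bin/sh
# Added example (not from the thread or the udev project): alternatives to a
# blanket GROUP=="dialout" rule, written from an administrator's point of view.

# Validate a USB vendor or product id: exactly four hex digits.
is_usb_id() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit a udev rule that grants the seat user access to ONE adapter, identified
# by USB vendor:product id, instead of to everything in the dialout group.
# "udev-acl" is the tag the thread's 70-udev-acl.rules context uses.
make_device_rule() {
    vid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    pid=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    is_usb_id "$vid" && is_usb_id "$pid" || return 1
    printf 'SUBSYSTEM=="tty", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", TAG+="udev-acl"\n' \
        "$vid" "$pid"
}

# From an `ls -l /dev/tty*`-style listing on stdin, print the character
# device nodes a blanket dialout rule would expose (field 4 is the group).
dialout_devices() {
    awk '$1 ~ /^c/ && $4 == "dialout" { print $NF }'
}

# The other option from the thread: is the user already in the group?
# `id -nG user` prints the user's group names (GNU coreutils and BSD id).
in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Constructed sample listing; not captured from a real host.
SAMPLE_LISTING='crw-rw---- 1 root dialout 188, 0 Jul 14 14:11 /dev/ttyUSB0
crw-rw---- 1 root dialout   4, 64 Jul 14 14:11 /dev/ttyS0
crw--w---- 1 root tty       4,  1 Jul 14 14:11 /dev/tty1
crw-rw-rw- 1 root tty       5,  0 Jul 14 14:11 /dev/tty'

main() {
    echo "Devices a blanket dialout rule would expose to the seat user:"
    printf '%s\n' "$SAMPLE_LISTING" | dialout_devices
    echo "Rule scoped to one adapter (hypothetical ids 0403:6001):"
    make_device_rule 0403 6001
    if in_group "$(id -un)" dialout; then
        echo "current user is already in dialout"
    else
        echo "current user is not in dialout"
    fi
}

main
```

To use the narrow rule, drop the emitted line into a file under /etc/udev/rules.d/ and replug the adapter; the audit function is meant to be fed the real `ls -l /dev/tty*` output so you can see how many nodes, modems included, a group-wide rule would cover before enabling one.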

* Re: [PATCH] udev-acl: handle "dialout" devices
From: Linus Walleij @ 2011-07-14 16:42 UTC (permalink / raw)
  To: linux-hotplug

On Thu, Jul 14, 2011 at 2:27 PM, Kay Sievers <kay.sievers@vrfy.org> wrote:
> On Thu, Jul 14, 2011 at 14:23, Linus Walleij <linus.walleij@linaro.org> wrote:
>> As a simple user, I'm pretty tired of this, when using a
>> simple serial console for something:
>> $ minicom
>> Device /dev/ttyUSB0 access failed: Permission denied.
>
>> +# USB-to-serial dongles, irDA links and other stuff classified as "dialout"
>> +GROUP="dialout", TAG+="udev-acl"
>
> We obviously can't do that for security reasons. Any untrusted user
> could call 900 numbers that way. You need to put yourself in the
> dialout group or use a privileged helper to wrap your access.

First I think that is only interesting to administrators of servers
and large-scale installations, is that right? It does only create
obstacles for a home desktop user that s/he cannot use a modem
with a default install of the OS.

So if it is an axiom that the default ACL rules are for servers,
I understand this, is that the case?

But there are plain naming problems with this default rule
(which creates the dialout group):

# serial
KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout"

tty[A-Z]*[0-9] and ircomm[0-9]* have nothing implicit in their
drivers that tells you there is a modem on the other side.

I will cook another patch that illustrates the problem better...

Thanks,
Linus Walleij


* Re: [PATCH] udev-acl: handle "dialout" devices
From: Marco d'Itri @ 2011-07-14 16:44 UTC (permalink / raw)
  To: linux-hotplug

On Jul 14, Linus Walleij <linus.walleij@linaro.org> wrote:

> First I think that is only interesting to administrators of servers
> and large-scale installations, is that right? It does only create
No, it is interesting to owners of any host connected to a modem which
can be compromised to allow execution of arbitrary code.

> obstacles for a home desktop user that s/he cannot use a modem
> with a default install of the OS.
So ask your favourite distribution to add by default to the dialout
group the user created at install time.

> So if it is an axiom that the default ACL rules are for servers,
Is it?

> tty[A-Z]*[0-9] and ircomm[0-9]* have nothing implicit in their
> drivers that tells you there is a modem on the other side.
Serial modems are like this, sometimes you cannot detect them.

-- 
ciao,
Marco


* Re: [PATCH] udev-acl: handle "dialout" devices
From: Linus Walleij @ 2011-07-14 17:23 UTC (permalink / raw)
  To: linux-hotplug

On Thu, Jul 14, 2011 at 6:44 PM, Marco d'Itri <md@linux.it> wrote:
> On Jul 14, Linus Walleij <linus.walleij@linaro.org> wrote:
>> First I think that is only interesting to administrators of servers
>> and large-scale installations, is that right? It does only create
>
> No, it is interesting to owners of any host connected to a modem which
> can be compromised to allow execution of arbitrary code.

... just like they should be worried of same black hats connecting
to their iPod and stealing their sound files (which may be recordings
of sensitive meetings), so we should stop using udev-acl for these
too, and mandate that everyone create a GROUP="mediaplayer"
as well?

I'd argue that there are soon more people using their serial port
for most other things than modems than there are people
doing that soon or already now.

But who knows...

I know users of most other operating systems are able to use
their serial ports without administering themselves into a "dialout"
group, but they can of course be wrong.

>> obstacles for a home desktop user that s/he cannot use a modem
>> with a default install of the OS.
>
> So ask your favourite distribution to add by default to the dialout
> group the user created at install time.

Yeah next patch set is about helping distros with that by adding
the necessary ID_EXTERNAL_PORT and ID_MODEM environment
variables so they can easily do that.

>> tty[A-Z]*[0-9] and ircomm[0-9]* have nothing implicit in their
>> drivers that tells you there is a modem on the other side.
>
> Serial modems are like this, sometimes you cannot detect them.

Can you ever do it? According to some sources Windows
sends "ATI0" to external ports to detect modems, but I guess it's
after manually requesting some "Wizard" program to look for
modems...

Thanks,
Linus Walleij

