how to handle ACL to access modem ?

how to handle ACL to access modem ?

[Frederic Crozat]

Hi all,

we just switched Mandriva cooker permissions on device from pam_console
+ HAL ACL to udev ACL.

And now, we are starting to discover some regressions ;)

Before the switch /dev/ttyACM* was given console privilege, allowing
usage of programs like gammu (and its derivative) to access phones
through their modem interface.

With the switch, it is not possible anymore and I'm not sure which path
is better (if we can find one which is cross-distro) :
- add users to dialout group : can't be done while users is logged,
doesn't handle upgrade, hard to find for users
- setgid programs like gammu for dialout : no action for users needed
but any user (even without console privilege) will gain access to those
devices
- ACL on ttyACM* : no action for users needed, give the same kind of
access control as pam_console was giving. On the other hand, any
"console" user will be able to dialout the device.

Opinions ?
-- 
Frederic Crozat <fcrozat@mandriva.com>
Mandriva

Re: how to handle ACL to access modem ?

[Frederic Crozat]

Le mercredi 29 juillet 2009 à 13:41 +0200, Frederic Crozat a écrit :
> Hi all,
> 
> we just switched Mandriva cooker permissions on device from pam_console
> + HAL ACL to udev ACL.
> 
> And now, we are starting to discover some regressions ;)
> 
> Before the switch /dev/ttyACM* was given console privilege, allowing
> usage of programs like gammu (and its derivative) to access phones
> through their modem interface.
> 
> With the switch, it is not possible anymore and I'm not sure which path
> is better (if we can find one which is cross-distro) :
> - add users to dialout group : can't be done while users is logged,
> doesn't handle upgrade, hard to find for users
> - setgid programs like gammu for dialout : no action for users needed
> but any user (even without console privilege) will gain access to those
> devices
> - ACL on ttyACM* : no action for users needed, give the same kind of
> access control as pam_console was giving. On the other hand, any
> "console" user will be able to dialout the device.
> 
> Opinions ?

No opinions ?
-- 
Frederic Crozat <fcrozat@mandriva.com>
Mandriva

Re: how to handle ACL to access modem ?

[Kay Sievers]

On Wed, Oct 7, 2009 at 18:40, Frederic Crozat <fcrozat@mandriva.com> wrote:
> Le mercredi 29 juillet 2009 à 13:41 +0200, Frederic Crozat a écrit :
>> Hi all,
>>
>> we just switched Mandriva cooker permissions on device from pam_console
>> + HAL ACL to udev ACL.
>>
>> And now, we are starting to discover some regressions ;)
>>
>> Before the switch /dev/ttyACM* was given console privilege, allowing
>> usage of programs like gammu (and its derivative) to access phones
>> through their modem interface.
>>
>> With the switch, it is not possible anymore and I'm not sure which path
>> is better (if we can find one which is cross-distro) :
>> - add users to dialout group : can't be done while users is logged,
>> doesn't handle upgrade, hard to find for users
>> - setgid programs like gammu for dialout : no action for users needed
>> but any user (even without console privilege) will gain access to those
>> devices
>> - ACL on ttyACM* : no action for users needed, give the same kind of
>> access control as pam_console was giving. On the other hand, any
>> "console" user will be able to dialout the device.
>>
>> Opinions ?
>
> No opinions ?

I don't think we want random software to be able to dial out.

Kay

Re: how to handle ACL to access modem ?

[Marco d'Itri]

[-- Attachment #1: Type: text/plain, Size: 668 bytes --]

On Oct 07, Frederic Crozat <fcrozat@mandriva.com> wrote:

> > - setgid programs like gammu for dialout : no action for users needed
> > but any user (even without console privilege) will gain access to those
> > devices
On Debian systems, pppd is suid root and only executable by group dip
(which historically controls the ability to dial out), while uucico is
sgid dialout but is in a directory not accessible by unpriviledged users.
cu and minicom do not have special permission.
If a program can output user-controllable strings to the console then
you can as well add the user to group dialout without a significant
security risk.

-- 
ciao,
Marco

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: how to handle ACL to access modem ?

[Frederic Crozat]

Le mercredi 07 octobre 2009 à 18:41 +0200, Kay Sievers a écrit :
> On Wed, Oct 7, 2009 at 18:40, Frederic Crozat <fcrozat@mandriva.com> wrote:
> > Le mercredi 29 juillet 2009 à 13:41 +0200, Frederic Crozat a écrit :
> >> Hi all,
> >>
> >> we just switched Mandriva cooker permissions on device from pam_console
> >> + HAL ACL to udev ACL.
> >>
> >> And now, we are starting to discover some regressions ;)
> >>
> >> Before the switch /dev/ttyACM* was given console privilege, allowing
> >> usage of programs like gammu (and its derivative) to access phones
> >> through their modem interface.
> >>
> >> With the switch, it is not possible anymore and I'm not sure which path
> >> is better (if we can find one which is cross-distro) :
> >> - add users to dialout group : can't be done while users is logged,
> >> doesn't handle upgrade, hard to find for users
> >> - setgid programs like gammu for dialout : no action for users needed
> >> but any user (even without console privilege) will gain access to those
> >> devices
> >> - ACL on ttyACM* : no action for users needed, give the same kind of
> >> access control as pam_console was giving. On the other hand, any
> >> "console" user will be able to dialout the device.
> >>
> >> Opinions ?
> >
> > No opinions ?
> 
> I don't think we want random software to be able to dial out.

So, you are suggesting the setgid approach ?

-- 
Frederic Crozat <fcrozat@mandriva.com>
Mandriva

Re: how to handle ACL to access modem ?

[Frederic Crozat]

Le mercredi 07 octobre 2009 à 18:52 +0200, Marco d'Itri a écrit :
> On Oct 07, Frederic Crozat <fcrozat@mandriva.com> wrote:
> 
> > > - setgid programs like gammu for dialout : no action for users needed
> > > but any user (even without console privilege) will gain access to those
> > > devices
> On Debian systems, pppd is suid root and only executable by group dip
> (which historically controls the ability to dial out), while uucico is
> sgid dialout but is in a directory not accessible by unpriviledged users.
> cu and minicom do not have special permission.
> If a program can output user-controllable strings to the console then
> you can as well add the user to group dialout without a significant
> security risk.

I'm not sure I'm following you.

For me, adding users to a group is really an option, since it isn't
handled on the fly and I don't expect users to add them to a group to
start using a graphical program.
-- 
Frederic Crozat <fcrozat@mandriva.com>
Mandriva

Re: how to handle ACL to access modem ?

[Kay Sievers]

On Wed, Oct 7, 2009 at 19:41, Frederic Crozat <fcrozat@mandriva.com> wrote:
> Le mercredi 07 octobre 2009 à 18:41 +0200, Kay Sievers a écrit :
>> On Wed, Oct 7, 2009 at 18:40, Frederic Crozat <fcrozat@mandriva.com> wrote:
>> > Le mercredi 29 juillet 2009 à 13:41 +0200, Frederic Crozat a écrit :
>> >> Hi all,
>> >>
>> >> we just switched Mandriva cooker permissions on device from pam_console
>> >> + HAL ACL to udev ACL.
>> >>
>> >> And now, we are starting to discover some regressions ;)
>> >>
>> >> Before the switch /dev/ttyACM* was given console privilege, allowing
>> >> usage of programs like gammu (and its derivative) to access phones
>> >> through their modem interface.
>> >>
>> >> With the switch, it is not possible anymore and I'm not sure which path
>> >> is better (if we can find one which is cross-distro) :
>> >> - add users to dialout group : can't be done while users is logged,
>> >> doesn't handle upgrade, hard to find for users
>> >> - setgid programs like gammu for dialout : no action for users needed
>> >> but any user (even without console privilege) will gain access to those
>> >> devices
>> >> - ACL on ttyACM* : no action for users needed, give the same kind of
>> >> access control as pam_console was giving. On the other hand, any
>> >> "console" user will be able to dialout the device.
>> >>
>> >> Opinions ?
>> >
>> > No opinions ?
>>
>> I don't think we want random software to be able to dial out.
>
> So, you are suggesting the setgid approach ?

No, use NetworkManager or similar which can handle that with
PolicyKit, or for system services put them into the group "dialout" if
that is what people want.

Kay

Re: how to handle ACL to access modem ?

[Frederic Crozat]

Le mercredi 07 octobre 2009 à 19:51 +0200, Kay Sievers a écrit :
> On Wed, Oct 7, 2009 at 19:41, Frederic Crozat <fcrozat@mandriva.com> wrote:
> > Le mercredi 07 octobre 2009 à 18:41 +0200, Kay Sievers a écrit :
> >> On Wed, Oct 7, 2009 at 18:40, Frederic Crozat <fcrozat@mandriva.com> wrote:
> >> > Le mercredi 29 juillet 2009 à 13:41 +0200, Frederic Crozat a écrit :
> >> >> Hi all,
> >> >>
> >> >> we just switched Mandriva cooker permissions on device from pam_console
> >> >> + HAL ACL to udev ACL.
> >> >>
> >> >> And now, we are starting to discover some regressions ;)
> >> >>
> >> >> Before the switch /dev/ttyACM* was given console privilege, allowing
> >> >> usage of programs like gammu (and its derivative) to access phones
> >> >> through their modem interface.
> >> >>
> >> >> With the switch, it is not possible anymore and I'm not sure which path
> >> >> is better (if we can find one which is cross-distro) :
> >> >> - add users to dialout group : can't be done while users is logged,
> >> >> doesn't handle upgrade, hard to find for users
> >> >> - setgid programs like gammu for dialout : no action for users needed
> >> >> but any user (even without console privilege) will gain access to those
> >> >> devices
> >> >> - ACL on ttyACM* : no action for users needed, give the same kind of
> >> >> access control as pam_console was giving. On the other hand, any
> >> >> "console" user will be able to dialout the device.
> >> >>
> >> >> Opinions ?
> >> >
> >> > No opinions ?
> >>
> >> I don't think we want random software to be able to dial out.
> >
> > So, you are suggesting the setgid approach ?
> 
> No, use NetworkManager or similar which can handle that with
> PolicyKit, or for system services put them into the group "dialout" if
> that is what people want.

I guess I shouldn't have said "modem", because it implied
"NetworkManager" (which we don't use anyway) instead of controlling some
features of those phones, like accessing addressbook, retrieving SMS,
etc..

And since I'm not a "gammu" hacker (or user) of any sort, I guess we
will revert to our previous perms of those devices for now.

PS : no need to cc me, I'm subscribed to the list.
-- 
Frederic Crozat <fcrozat@mandriva.com>
Mandriva