* input/eventX permissions, force feedback
From: Anssi Hannula @ 2006-07-18 9:42 UTC
To: Dmitry Torokhov; +Cc: linux-input, linux-kernel

Currently most distributions have /dev/input/event* strictly as 0600
root:root or 0640 root:root. The user logged in will not have rights to
the device, unlike /dev/input/js*, as he could read all passwords from
the keyboard device.

This is a problem, because /dev/input/event* is used for force feedback
and should therefore be user-accessible.

I can think of the following solutions to this problem:

1. Some creative udev rule to chmod /dev/input/event* less strictly when
it has a /dev/input/js* and is thus a gaming device.

2. Some creative udev rule to chmod /dev/input/event* more strictly when
it is a keyboard.

3. Have another force feedback interface also in /dev/input/js*.

I prefer the first one, do you think it is a good solution or do you
have a better one?

If I go with the first one, what is the preferred way of finding out a
gaming device in udev rule?

--
Anssi Hannula

* Re: input/eventX permissions, force feedback
From: Dmitry Torokhov @ 2006-07-18 12:20 UTC
To: Anssi Hannula; +Cc: linux-input, linux-kernel

Hi Anssi,

On 7/18/06, Anssi Hannula <anssi.hannula@gmail.com> wrote:
> Currently most distributions have /dev/input/event* strictly as 0600
> root:root or 0640 root:root. The user logged in will not have rights to
> the device, unlike /dev/input/js*, as he could read all passwords from
> the keyboard device.
>
> This is a problem, because /dev/input/event* is used for force feedback
> and should therefore be user-accessible.
>
> I can think of the following solutions to this problem:
>
> 1. Some creative udev rule to chmod /dev/input/event* less strictly when
> it has a /dev/input/js* and is thus a gaming device.
>
> 2. Some creative udev rule to chmod /dev/input/event* more strictly when
> it is a keyboard.
>
> 3. Have another force feedback interface also in /dev/input/js*.
>

You can do it in udev looking either at MODALIAS or at EV and ABS
environment variables. I think it is pretty safe to say that a device
with EV_ABS, EV_FF, ABS_X and ABS_Y is a force-feedback joystick-type
device and not a keyboard.

Another solution would be to relax permissions if user is also console
owner (home box installation).

One thing is for sure - I do not like #3 at all ;)

--
Dmitry

* Re: input/eventX permissions, force feedback
From: Anssi Hannula @ 2006-07-18 14:02 UTC
To: Dmitry Torokhov; +Cc: linux-input, linux-kernel

Dmitry Torokhov wrote:
> Hi Anssi,
>
> On 7/18/06, Anssi Hannula <anssi.hannula@gmail.com> wrote:
>
>> Currently most distributions have /dev/input/event* strictly as 0600
>> root:root or 0640 root:root. The user logged in will not have rights to
>> the device, unlike /dev/input/js*, as he could read all passwords from
>> the keyboard device.
>>
>> This is a problem, because /dev/input/event* is used for force feedback
>> and should therefore be user-accessible.
>>
>> I can think of the following solutions to this problem:
>>
>> 1. Some creative udev rule to chmod /dev/input/event* less strictly when
>> it has a /dev/input/js* and is thus a gaming device.
>>
>> 2. Some creative udev rule to chmod /dev/input/event* more strictly when
>> it is a keyboard.
>>
>> 3. Have another force feedback interface also in /dev/input/js*.
>>
>
> You can do it in udev looking either at MODALIAS or at EV and ABS
> environment variables. I think it is pretty safe to say that a device
> with EV_ABS, EV_FF, ABS_X and ABS_Y is a force-feedback joystick-type
> device and not a keyboard.

Okay, thanks. But I think it'd be more consistent if all devices that
have js* entries would have the relaxed perms in event*. Looking at
joydev.c, that seems to be devices where EV_ABS && (ABS_X || ABS_WHEEL
|| ABS_THROTTLE) && !(EV_KEY && BTN_TOUCH).

There's another problem, too:
Some distros (Fedora, Mandriva...) don't use groups with /dev/input/jsX,
they use pam_console to chmod the device to the console owner.
Unfortunately, it allows to specify the permissions based on device file
names only.

To solve this problem, I see two solutions:

1. Have the pam_console_apply program extended so that it can perform
more complex matches (but what kind of matches would those be?).

2. Have udev create symlinks like the following case:
/dev/input/event3
/dev/input/js0
/dev/input/jsevent0 => event3
Then pam_console_apply could match jsevent[0-9]* and it would follow the
symlink, thus chowning event3 to the wanted user.

Unfortunately neither look too good to me. Do you have any other ideas?

> Another solution would be to relax permissions if user is also console
> owner (home box installation).

I thought of that too, but I thought it's too big a security risk, as
it's not guaranteed that somebody else won't temporarily login on
another terminal.

> One thing is for sure - I do not like #3 at all ;)
>

--
Anssi Hannula
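
Added example (not part of the thread, and not code from joydev.c or udev): a C check of the joydev.c condition quoted in the message above, run against capability bitmaps in the form current kernels print in the EV=, ABS= and KEY= uevent variables. The function names, the word_bits parameter and the sample bitmaps are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Event type and code numbers from <linux/input.h>. */
enum { EV_KEY = 0x01, EV_ABS = 0x03, ABS_X = 0x00, ABS_THROTTLE = 0x06,
       ABS_WHEEL = 0x08, BTN_TOUCH = 0x14a };

/* Test one bit in a capability bitmap as printed in the EV=/ABS=/KEY=
 * variables: hex words, most significant first, word_bits bits each. */
static int cap_bit(const char *bitmap, unsigned bit, unsigned word_bits)
{
    unsigned long long words[32];
    size_t n = 0, idx = bit / word_bits;
    char *end;

    for (; n < 32; bitmap = end) {
        unsigned long long w = strtoull(bitmap, &end, 16);
        if (end == bitmap)
            break;                      /* no further hex word */
        words[n++] = w;
    }
    if (idx >= n)
        return 0;                       /* bitmap too short: bit is clear */
    return (int)((words[n - 1 - idx] >> (bit % word_bits)) & 1);
}

/* joydev.c condition quoted above; 1 = eventN may get relaxed perms. */
int is_joydev_like(const char *ev, const char *absbits, const char *key,
                   unsigned word_bits)
{
    if (!cap_bit(ev, EV_ABS, word_bits))
        return 0;
    if (!cap_bit(absbits, ABS_X, word_bits) &&
        !cap_bit(absbits, ABS_WHEEL, word_bits) &&
        !cap_bit(absbits, ABS_THROTTLE, word_bits))
        return 0;
    return !(cap_bit(ev, EV_KEY, word_bits) &&
             cap_bit(key, BTN_TOUCH, word_bits));
}

int main(void)
{
    /* Constructed sample bitmaps (64-bit words), not from a real device. */
    printf("keyboard    %d\n", is_joydev_like("120013", "0", "fffffffffffffffe", 64));
    printf("ff joystick %d\n", is_joydev_like("20000b", "3", "100000000 0 0 0 0", 64));
    printf("touchscreen %d\n", is_joydev_like("b", "3", "400 0 0 0 0 0", 64));
    return 0;
}
```

word_bits has to match the kernel's long size (64 or 32), because the bitmaps are printed as whole longs and BTN_TOUCH lands in a different word in each layout.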

* Re: input/eventX permissions, force feedback
From: Dmitry Torokhov @ 2006-07-18 14:14 UTC
To: Anssi Hannula; +Cc: linux-input, linux-kernel

On 7/18/06, Anssi Hannula <anssi.hannula@gmail.com> wrote:
> Dmitry Torokhov wrote:
> > Hi Anssi,
> >
> > On 7/18/06, Anssi Hannula <anssi.hannula@gmail.com> wrote:
> >
> >> Currently most distributions have /dev/input/event* strictly as 0600
> >> root:root or 0640 root:root. The user logged in will not have rights to
> >> the device, unlike /dev/input/js*, as he could read all passwords from
> >> the keyboard device.
> >>
> >> This is a problem, because /dev/input/event* is used for force feedback
> >> and should therefore be user-accessible.
> >>
> >> I can think of the following solutions to this problem:
> >>
> >> 1. Some creative udev rule to chmod /dev/input/event* less strictly when
> >> it has a /dev/input/js* and is thus a gaming device.
> >>
> >> 2. Some creative udev rule to chmod /dev/input/event* more strictly when
> >> it is a keyboard.
> >>
> >> 3. Have another force feedback interface also in /dev/input/js*.
> >>
> >
> > You can do it in udev looking either at MODALIAS or at EV and ABS
> > environment variables. I think it is pretty safe to say that a device
> > with EV_ABS, EV_FF, ABS_X and ABS_Y is a force-feedback joystick-type
> > device and not a keyboard.
>
> Okay, thanks. But I think it'd be more consistent if all devices that
> have js* entries would have the relaxed perms in event*. Looking at
> joydev.c, that seems to be devices where EV_ABS && (ABS_X || ABS_WHEEL
> || ABS_THROTTLE) && !(EV_KEY && BTN_TOUCH).
>

OK, you can do that too.

> There's another problem, too:
> Some distros (Fedora, Mandriva...) don't use groups with /dev/input/jsX,
> they use pam_console to chmod the device to the console owner.
> Unfortunately, it allows to specify the permissions based on device file
> names only.
>
> To solve this problem, I see two solutions:
>
> 1. Have the pam_console_apply program extended so that it can perform
> more complex matches (but what kind of matches would those be?).
>
> 2. Have udev create symlinks like the following case:
> /dev/input/event3
> /dev/input/js0
> /dev/input/jsevent0 => event3
> Then pam_console_apply could match jsevent[0-9]* and it would follow the
> symlink, thus chowning event3 to the wanted user.
>
> Unfortunately neither look too good to me. Do you have any other ideas?
>

I think this is really up to particular distribution to decide how
they want to handle security/granting access. One could even imagine
writing SELinux policies...

> > Another solution would be to relax permissions if user is also console
> > owner (home box installation).
>
> I thought of that too, but I thought it's too big a security risk, as
> it's not guaranteed that somebody else won't temporarily login on
> another terminal.
>

That is what you are doing with pam_console_apply, don't you?

--
Dmitry

* Re: input/eventX permissions, force feedback
From: Anssi Hannula @ 2006-07-18 14:31 UTC
To: Dmitry Torokhov; +Cc: linux-input, linux-kernel

Dmitry Torokhov wrote:
> On 7/18/06, Anssi Hannula <anssi.hannula@gmail.com> wrote:
>
>> Dmitry Torokhov wrote:
>> > Hi Anssi,
>> >
>> > On 7/18/06, Anssi Hannula <anssi.hannula@gmail.com> wrote:
>> >
>> >> Currently most distributions have /dev/input/event* strictly as 0600
>> >> root:root or 0640 root:root. The user logged in will not have rights to
>> >> the device, unlike /dev/input/js*, as he could read all passwords from
>> >> the keyboard device.
>> >>
>> >> This is a problem, because /dev/input/event* is used for force feedback
>> >> and should therefore be user-accessible.
>> >>
>> >> I can think of the following solutions to this problem:
>> >>
>> >> 1. Some creative udev rule to chmod /dev/input/event* less strictly when
>> >> it has a /dev/input/js* and is thus a gaming device.
>> >>
>> >> 2. Some creative udev rule to chmod /dev/input/event* more strictly when
>> >> it is a keyboard.
>> >>
>> >> 3. Have another force feedback interface also in /dev/input/js*.
>> >>
>> >
>> > You can do it in udev looking either at MODALIAS or at EV and ABS
>> > environment variables. I think it is pretty safe to say that a device
>> > with EV_ABS, EV_FF, ABS_X and ABS_Y is a force-feedback joystick-type
>> > device and not a keyboard.
>>
>> Okay, thanks. But I think it'd be more consistent if all devices that
>> have js* entries would have the relaxed perms in event*. Looking at
>> joydev.c, that seems to be devices where EV_ABS && (ABS_X || ABS_WHEEL
>> || ABS_THROTTLE) && !(EV_KEY && BTN_TOUCH).
>>
>
> OK, you can do that too.
>
>> There's another problem, too:
>> Some distros (Fedora, Mandriva...) don't use groups with /dev/input/jsX,
>> they use pam_console to chmod the device to the console owner.
>> Unfortunately, it allows to specify the permissions based on device file
>> names only.
>>
>> To solve this problem, I see two solutions:
>>
>> 1. Have the pam_console_apply program extended so that it can perform
>> more complex matches (but what kind of matches would those be?).
>>
>> 2. Have udev create symlinks like the following case:
>> /dev/input/event3
>> /dev/input/js0
>> /dev/input/jsevent0 => event3
>> Then pam_console_apply could match jsevent[0-9]* and it would follow the
>> symlink, thus chowning event3 to the wanted user.
>>
>> Unfortunately neither look too good to me. Do you have any other ideas?
>>
>
> I think this is really up to particular distribution to decide how
> they want to handle security/granting access. One could even imagine
> writing SELinux policies...

Yes, it is. I just asked if you had any better idea or if you were
strongly opposed to the solutions I proposed, as I want to make a
working solution for my distribution (Mandriva).

>> > Another solution would be to relax permissions if user is also console
>> > owner (home box installation).
>>
>> I thought of that too, but I thought it's too big a security risk, as
>> it's not guaranteed that somebody else won't temporarily login on
>> another terminal.
>>
> That is what you are doing with pam_console_apply, don't you?
>

Yes, but afaics there are currently no device privileges given to the
console user which would compromise password security. Providing eventX
would do that.

--
Anssi Hannula

* Re: input/eventX permissions, force feedback
From: Andrey Borzenkov @ 2006-07-18 16:50 UTC
To: Dmitry Torokhov, anssi.hannula, linux-kernel

Dmitry Torokhov wrote:

> Hi Anssi,
>
> On 7/18/06, Anssi Hannula <anssi.hannula@gmail.com> wrote:
>> Currently most distributions have /dev/input/event* strictly as 0600
>> root:root or 0640 root:root. The user logged in will not have rights to
>> the device, unlike /dev/input/js*, as he could read all passwords from
>> the keyboard device.
>>
>> This is a problem, because /dev/input/event* is used for force feedback
>> and should therefore be user-accessible.
>>
>> I can think of the following solutions to this problem:
>>
>> 1. Some creative udev rule to chmod /dev/input/event* less strictly when
>> it has a /dev/input/js* and is thus a gaming device.
>>
>> 2. Some creative udev rule to chmod /dev/input/event* more strictly when
>> it is a keyboard.
>>
>> 3. Have another force feedback interface also in /dev/input/js*.
>>
>
> You can do it in udev looking either at MODALIAS or at EV and ABS
> environment variables. I think it is pretty safe to say that a device
> with EV_ABS, EV_FF, ABS_X and ABS_Y is a force-feedback joystick-type
> device and not a keyboard.
>

You could also have udev create specific symlink for such devices,
say /dev/input/ff* and make a rule for pam_console to change their
permissions. That is finally what is done e.g. for CD-ROMs (cdrom ->
hdc/sr0)

-andrey

> Another solution would be to relax permissions if user is also console
> owner (home box installation).
>
> One thing is for sure - I do not like #3 at all ;)
>

* Re: input/eventX permissions, force feedback
From: Anssi Hannula @ 2006-07-18 17:07 UTC
To: Andrey Borzenkov; +Cc: Dmitry Torokhov, linux-kernel

Andrey Borzenkov wrote:
> Dmitry Torokhov wrote:
>
>
>>Hi Anssi,
>>
>>On 7/18/06, Anssi Hannula <anssi.hannula@gmail.com> wrote:
>>
>>>Currently most distributions have /dev/input/event* strictly as 0600
>>>root:root or 0640 root:root. The user logged in will not have rights to
>>>the device, unlike /dev/input/js*, as he could read all passwords from
>>>the keyboard device.
>>>
>>>This is a problem, because /dev/input/event* is used for force feedback
>>>and should therefore be user-accessible.
>>>
>>>I can think of the following solutions to this problem:
>>>
>>>1. Some creative udev rule to chmod /dev/input/event* less strictly when
>>>it has a /dev/input/js* and is thus a gaming device.
>>>
>>>2. Some creative udev rule to chmod /dev/input/event* more strictly when
>>>it is a keyboard.
>>>
>>>3. Have another force feedback interface also in /dev/input/js*.
>>>
>>
>>You can do it in udev looking either at MODALIAS or at EV and ABS
>>environment variables. I think it is pretty safe to say that a device
>>with EV_ABS, EV_FF, ABS_X and ABS_Y is a force-feedback joystick-type
>>device and not a keyboard.
>>
>
>
> You could also have udev create specific symlink for such devices,
> say /dev/input/ff* and make a rule for pam_console to change their
> permissions. That is finally what is done e.g. for CD-ROMs (cdrom ->
> hdc/sr0)

Yes, I proposed this kind of solution too in a later post :)

>
>
>>Another solution would be to relax permissions if user is also console
>>owner (home box installation).
>>
>>One thing is for sure - I do not like #3 at all ;)
>>
>
>

--
Anssi Hannula