Unrestricted access to /dev/ttyUSB* vulnerability

Open dimich-dmb opened this issue 3 years ago • 2 comments

drivers/auxiliary/99-indi_auxiliary.rules sets mode 0666 for many popular USB-to-serial adapters. It allows any user to access any /dev/ttyUSB* unrestrictedly in most cases, regardless of uucp group membership and device purpose. This is a security vulnerability.

A possible solution is to change MODE="0666" to TAG+="uaccess". The 99 prefix in 99-indi_auxiliary.rules probably also needs to change to move it before 73-seat-late.rules.

dimich-dmb avatar Dec 26 '22 10:12 dimich-dmb
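
An audit of the two conditions raised in the report above, as an added example that is not part of the original issue or of the INDI project: it flags udev rules that assign a world-writable `MODE`, and `TAG+="uaccess"` rules in a file that sorts at or after `73-seat-late.rules`. The sample rules, the USB IDs in them and the file name `70-indi_auxiliary.rules` are constructed for illustration.

```python
import re

# Assignment of a permission mode (MODE="0666" or MODE:="0666"), not a MODE== match.
MODE_RE = re.compile(r'\bMODE\s*:?=\s*"([0-7]{3,4})"')
UACCESS_RE = re.compile(r'\bTAG\s*\+=\s*"uaccess"')
# systemd rule file that acts on the uaccess tag; tagging rules must sort before it.
SEAT_RULES = "73-seat-late.rules"

def logical_rules(text):
    """Yield (first_line_number, rule) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        rule = (buf + raw).strip()
        buf, first, start = "", start, None
        if rule and not rule.startswith("#"):
            yield first, rule

def audit(filename, text):
    """Return (line, issue, detail) tuples for one udev rules file."""
    findings = []
    for n, rule in logical_rules(text):
        m = MODE_RE.search(rule)
        # 0o002 is the "other users may write" permission bit.
        if m and int(m.group(1), 8) & 0o002:
            findings.append((n, "world-writable", m.group(0)))
        # udev reads rule files in lexical order of their file names.
        if UACCESS_RE.search(rule) and filename >= SEAT_RULES:
            findings.append((n, "uaccess-too-late", filename))
    return findings

# Constructed sample rules, not the project's actual rules file.
SAMPLE = '''# constructed sample
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", MODE="0666"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="067b", \\
    ATTRS{idProduct}=="2303", TAG+="uaccess"
KERNEL=="ttyUSB*", GROUP="uucp", MODE="0660"
'''

if __name__ == "__main__":
    for name in ("99-indi_auxiliary.rules", "70-indi_auxiliary.rules"):
        for finding in audit(name, SAMPLE):
            print(name, *finding)
```

With the 99 prefix the sample yields both findings; with the hypothetical 70 prefix only the `MODE="0666"` rule is reported.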

Would this work across distros? Many users are already suffering from being unable to access their USB devices due to all the restrictions and we don't want to make the users suffer unnecessarily.

knro avatar Jan 15 '23 05:01 knro

> Would this work across distros?

I don't know. I guess it should work on any distro with a standard systemd configuration, but I can't test it. I have libindi installed as a dependency for another package.

Anyway, letting you know about a security issue is better than staying silent.

> Many users are already suffering from being unable to access their USB devices due to all the restrictions and we don't want to make the users suffer unnecessarily.

On the other hand, allowing all users to access USB devices is a rude solution, I think. Let users manage access to devices on their systems.

dimich-dmb avatar Jan 16 '23 15:01 dimich-dmb

This issue has been inactive for 60 days and is being marked as stale.

github-actions[bot] avatar Mar 30 '24 01:03 github-actions[bot]

This issue has been closed due to inactivity.

github-actions[bot] avatar Apr 06 '24 02:04 github-actions[bot]