On Sun, 2014-10-12 at 14:46 +0200, Guido Günther wrote:
> severity 764894 important

To be honest, I'm quite surprised (or should I say shocked) how much this "culture" of hiding away serious issues has taken its way serious issues.

1) critical & grave are basically the only real way for a user to see about such issues on upgrade (when using apt-listbugs)
2) not having stuff moved to testing is probably just what one wants (at least if the affected versions aren't in yet)
3) having an issue release critical is probably again just what one wants, if the issue is severe enough to justify it as that

and apart from that

4) I'd guess no-one would "count" the number of grave/critical bugs to denigrate their maintainers. It's quite clear that packages like iceweasel or likely also VM related stuff will out of their always have more serious bugs open than something like the "tree" package. This of course doesn't mean in any way that their maintainers would be less capable or less passionate or whatever.

And the two issues in this bug quite clearly qualify for being severe enough. It's basically as if firefox would export parts of your harddisk to some (e.g. https) websites automatically, just that this would affect even more users. No one would expect such behaviour, no one could say "well you triggered that yourself by going to an https site" and especially no one would accept if it was exporting data (and had the capability to) from anywhere on the system ... like other users.

But that's basically what happens here, imagine that people still have multi-user-systems (not everything in the world is a tablet),... now I stick in some USB stick, and while the other user is doing stuff with his VMs, it's exported to it. Even though root, never mounted it for one of the two, or gave permissions on the device.

> You can turn off usb auto redirection in virt-manager's preferences. I
> I'm open for discussion to changing this to off by default

Well I don't think that this solves either of the two bugs I've reported here.

AFAIU you mean the option in Edit/Preference/New VM/Add spice USB redirection, right? AFAICS this only controls what happens on the VM (i.e. server-side),... and for the server it's absolutely no security problem to allow redirections (since it's not his USB devices, but the client's).

The two problems we have here:

a) virt-manager (and perhaps virt-viewer as well?) exports the device unconditionally, as long as it's allowed by the server (but a rogue server will of course always allow). On the VM window, there is the "Virtual Machine/Redirect USB Device" menu entry, but here my devices are exported before I even go there.

b) The second, IMHO even more severe issue is: Why does a normal user get permissions to redirect USB devices? Even if virt-manager behaves buggy as described in (1), the user still shouldn't have any permissions by default that polkit grants him access to the USB device. And access to the "full" USB device is granted! Not only to e.g. the user's own files on some filesystem *on* the USB device (in case it was a mass storage device).

> but until
> then please let's not block the testing migration (the version in
> jessie is affected by the same bug).

Well I already expected that which I wrote (2) above, but IMHO we have some problem here than with the migration procedures. Or will it migrate if we mark the current testing version as affected as well? Cause then we could keep the current severity, mark the testing version and still have the new one migrated.

Oh and btw: Do you know where the issue (b) comes from? I'd guess it's polkit, or rather some rules added by some package to it,... is it spice-client-glib-usb-acl-helper as I've guessed (my polkit knowledge is a little bit rusty ^^),... cause then I could clone the bug there and every package could just deal with its own part of the two issues here.

Cheers,
Chris.
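A defender-side check related to issue (b), added here as an example and not part of the original message or of any package's code: it lists polkit actions whose shipped defaults authorize a session without an authentication prompt, which is the kind of default the message suspects. The sample policy and its action ids are constructed; `/usr/share/polkit-1/actions` is polkit's standard directory for action definitions.

```python
import glob
import sys
import xml.etree.ElementTree as ET

# Constructed sample in polkit's .policy format; both action ids are made up.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.usb-redirect">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.disk-format">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

SESSION_KINDS = ("allow_any", "allow_inactive", "allow_active")


def unauthenticated_grants(policy_xml):
    """Return [(action_id, [session kinds set to "yes"])] for one policy document."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        kinds = [k for k in SESSION_KINDS
                 if (action.findtext("defaults/" + k) or "").strip() == "yes"]
        if kinds:
            findings.append((action.get("id"), kinds))
    return findings


if __name__ == "__main__":
    # Pass .policy files as arguments, or scan the standard directory.
    paths = sys.argv[1:] or sorted(glob.glob("/usr/share/polkit-1/actions/*.policy"))
    for path in paths:
        try:
            with open(path, "rb") as fh:
                hits = unauthenticated_grants(fh.read())
        except (OSError, ET.ParseError) as exc:
            print(f"{path}: skipped ({exc})", file=sys.stderr)
            continue
        for action_id, kinds in hits:
            print(f"{path}: {action_id} granted without authentication for {', '.join(kinds)}")
```

This reads only the defaults shipped in the policy files; local authorization rules configured by the administrator can still change the effective result.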

