Hi,
On Sun, Oct 12, 2014 at 07:00:01PM +0200, Christoph Anton Mitterer wrote:
> On Sun, 2014-10-12 at 14:46 +0200, Guido Günther wrote:
> > severity 764894 important
>
> To be honest, I'm quite surprised (or should I say shocked) how much
> this "culture" of hiding away serious issues has taken its way serious
> issues.
>
> 1) critical & grave are basically the only real way for a user to see
> about such issues on upgrade (when using apt-listbugs)
> 2) not having stuff moved to testing is probably just what one wants (at
> least if the affected versions aren't in yet)
> 3) having an issue release critical is probably again just what one
> wants, if the issue is severe enough to justify it as that

As I wrote already: jessie is already affected so if you care _that_
much (which is good) please do all the work and figure out the affected
versions (I've just done so).

[..snip..]

> AFAIU you mean the option in Edit/Preference/New VM/Add spice USB
> redirection, right?
> AFAICS this only controls what happens on the VM (i.e. server-side),...
> and for the server it's absolutely no security problem to allow
> redirections (since it's not his USB devices, but the client's).

No. I mean the confer key that handles usb redirection, see

    d81fd3c3af1abde1fa0e2bf3b79643f36836f45b

on

    https://anonscm.debian.org/cgit/pkg-libvirt/virt-manager.git/

> The two problems we have here:
> a) virt-manager (and perhaps virt-viewer as well?) exports the device
> unconditionally, as long as it's allowed by the server (but a rogue
> server will of course always allow).
> On the VM window, there is the "Virtual Machine/Redirect USB Device"
> menu entry, but here my devices are exported before I even go there.

See above. This should be fixed now with redirection defaulting to off
by default.

> b) The second, IMHO even more severe issue is:
> Why does a normal user get permissions to redirect USB devices?
> Even if virt-manager behaves buggy as described in (1), the user still
> shouldn't have any permissions by default that polkit grants him access
> to the USB device.

    http://forums.fedoraforum.org/showthread.php?t=290933

which is

    /usr/share/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy

and therefore allowed for interactive users (which makes sense). Feel
free to dup this to spice and keep me on cc.

Thanks for raising this.
 -- Guido

