On Sat, Dec 30, 2006 at 10:49:26AM +0100, Nicolas George wrote:
> Package: libgphoto2-2
> Version: 2.2.1-12
> Severity: grave
> Tags: security

> In /etc/udev/libgphoto2_generic_ptp_support.rules, there is the following
> rule:

> ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}="6/1/1", \
>   PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev}; printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", \
>   NAME="%c", MODE="0660", GROUP="plugdev"

> The single = sign after ENV{INTERFACE} means that the INTERFACE environment
> variable is set, not queried. The result is that all USB devices, and not
> only the PTP ones, are set to the plugdev group, thus giving some users
> access to devices they should not have access to.

> Suggested fix: put two equals signs

Isn't the plugdev group empty by default?  This is obviously a bug, but I'm
not sure it qualifies as a grave security bug.

For that matter, with which devices are you seeing this problem?  After
upgrading to this version of libgphoto2-2, plugging in a USB hard drive
still gives me:

brw-rw---- 1 root disk 8, 0 2006-12-30 15:30 /dev/sda
brw-rw---- 1 root disk 8, 1 2006-12-30 15:30 /dev/sda1

What class of USB devices are ending up under group plugdev that shouldn't?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
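The `=` versus `==` point from the report, as an added example that is not part of either message: a small udev-style evaluator that splits a rule into match keys and assignment keys and applies it to two constructed uevents. The rules are trimmed copies of the quoted one (PROGRAM/NAME dropped), and the event dictionaries and interface class values are constructed for illustration.

```python
import re

# Constructed rules (not the package's file): the quoted rule with a single '='
# on ENV{INTERFACE}, and the suggested fix with '=='. PROGRAM/NAME are omitted.
BUGGY_RULE = 'ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}="6/1/1", MODE="0660", GROUP="plugdev"'
FIXED_RULE = 'ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}=="6/1/1", MODE="0660", GROUP="plugdev"'

# key, operator, double-quoted value, optional trailing comma
TOKEN = re.compile(r'\s*([A-Z]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"((?:[^"\\]|\\.)*)"\s*,?')

def parse_rule(rule):
    """Split a udev rule into match keys (==, !=) and assignment keys (=, +=, :=)."""
    matches, assigns = [], []
    pos = 0
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise ValueError("unparsable rule at: %r" % rule[pos:])
        key, op, val = m.groups()
        (matches if op in ("==", "!=") else assigns).append((key, op, val))
        pos = m.end()
    return matches, assigns

def lookup(event, key):
    """Read a property from a constructed uevent; ENV{X} reads the environment."""
    if key.startswith("ENV{"):
        return event.get("env", {}).get(key[4:-1], "")
    return event.get(key, "")

def apply_rule(rule, event):
    """Return the event after the rule: assignments apply only if every match key
    holds. A plain '=' on ENV{...} is an assignment, so it never filters anything."""
    matches, assigns = parse_rule(rule)
    result = {k: v for k, v in event.items() if k != "env"}
    result["env"] = dict(event.get("env", {}))
    for key, op, val in matches:
        if (lookup(event, key) == val) != (op == "=="):
            return result  # match failed: rule does nothing
    for key, op, val in assigns:
        if key.startswith("ENV{"):
            result["env"][key[4:-1]] = val
        else:
            result[key] = val
    return result

# Constructed uevents: a USB mass-storage interface (class 8/6/50) and a PTP camera (6/1/1).
DISK_EVENT = {"ACTION": "add", "SUBSYSTEM": "usb_device", "env": {"INTERFACE": "8/6/50"}}
CAMERA_EVENT = {"ACTION": "add", "SUBSYSTEM": "usb_device", "env": {"INTERFACE": "6/1/1"}}

def group_assigned(rule, event):
    """GROUP the rule would set for this event, or None if the rule did not match."""
    return apply_rule(rule, event).get("GROUP")
```

With the single `=`, the disk event still ends up in plugdev and its INTERFACE value is silently overwritten to `6/1/1`; with `==` only the camera event is affected.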

