Le decadi 10 nivôse, an CCXV, Steve Langasek a écrit : > Isn't the plugdev group empty by default? This is obviously a bug, but I'm > not sure it qualifies as a grave security bug.
The administrator is encouraged to add to this group users that need to access cameras and similar devices. I believe this qualifies as a security risk: users that had no access to some resources now can access them, without the administrator knowing. The "grave" qualification is probably exaggerated, but I was under the impression that all security bugs should have it; maybe I was wrong; if so I am sorry. > For that matter, with which devices are you seeing this problem? After > upgrading to this version of libgphoto2-2, plugging in a USB hard drive > still gives me: > > brw-rw---- 1 root disk 8, 0 2006-12-30 15:30 /dev/sda > brw-rw---- 1 root disk 8, 1 2006-12-30 15:30 /dev/sda1 > > What class of USB devices are ending up under group plugdev that shouldn't? It concerns the raw USB devices, in /dev/bus/usb/, used by libusb for userland drivers. At the time where it was in /prob/bus/usb/, I believe only devices with no kernel driver were available there, but it seems no longer the case. In your example, you could probably have full access to the disk using a userland mass-storage driver (there is such a thing floating around on the web). Regards, -- Nicolas George
signature.asc
Description: Digital signature
