On 07/08/2014 03:45 AM, Oliver Grawert wrote:
> On Monday, 07.07.2014, 22:45 +0200, Alexander Sack wrote:
>> On Mon, Jul 7, 2014 at 12:43 PM, Oliver Grawert <o...@ubuntu.com> wrote:
>>> hi,
>>>
>>> with RTM approaching quickly we are working on the developer mode to
>>> make it act in a more secure manner. the following changes were
>>> discussed with the security team and will be implemented soon ... this
>>> will require a bunch of changes in our external tools that use adb
>>> access for tests or development (smoke testing, SDK access etc) as well
>>> as for the general developer:
>>>
>>> 1) adb will be disabled by default. you will have to hand over the
>>> --developer-mode option while flashing to override this behavior (see
>>> sergio's mail from the 23rd)
>>>
>>> 2) adb will not allow root and only let you in as phablet user (you will
>>> have to use sudo like on any other ubuntu installation when doing
>>> administrative tasks)
>>>
>>> 3) on request of the security team it should not be possible to enable
>>> adb access if there is no password or the default password set for the
>>> phablet user so that there is no predictable sudo password that is
>>> identical on all devices. there are still a few blockers that prevent us
>>> from finishing this bit (more on that below).
>>>
>>> 4) you will be able to switch developer mode on/off in the
>>> system-settings in a sub page of the "about this device" section [1].
>>>
>>> the first bit (1) is already implemented but will need some extension to
>>> actually set a specific password (i.e. ubuntu-device-flash
>>> --developer-mode --password="mynewpw")
>>
>> I assume with this you cannot change the password after the fact
>> without wiping the user data on the device?
>>
> we can not wipe the device just because the user updates the
> password ...
>
>> Related, if you enable developer mode and haven't changed the password
>> (e.g. you cannot become root), there is no way you can access
>> application user data?
>
> see the UI design, the switch to enable dev mode will be unresponsive
> unless you have set a new non empty password that is not the default
> one. (the same goes for ubuntu-device-flash it will not allow using
> --developer-mode without also using --password)
>

To be clear, we are wanting to support devices that are 'ro' but with adb
enabled, right? Ie, I don't want to have to opt out of system-image updates
just cause I enabled adb and/or a sudo password. It would be great if 'rw' was
treated separately from the other things.

--
Jamie Strandboge                 http://www.ubuntu.com/

--
Mailing list: https://launchpad.net/~ubuntu-phone
Post to     : ubuntu-phone@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-phone
More help   : https://help.launchpad.net/ListHelp