Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#47995 - [steam] 80-steam-controller-permission.rules is a potential security problem!
Attached to Project:
Community Packages
Opened by Manuel Reimer (M-Reimer) - Tuesday, 02 February 2016, 18:00 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 02 February 2016, 18:34 GMT
Opened by Manuel Reimer (M-Reimer) - Tuesday, 02 February 2016, 18:00 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 02 February 2016, 18:34 GMT
|
DetailsThe steam controller driver, built into steam, runs as regular user and as such requires usermode access to uinput. This is what 80-steam-controller-permission.rules does.
The problem with this is, that it allows any software, running as regular user, to emulate a keyboard and maybe listen to other events to find out when the current session exits or the session is switched. This way malicous keypresses and commands can be sent to other users sessions. Currently the only way to get rid of this is to create an empty 80-steam-controller-permission.rules in /etc/udev/rules.d/ I think only a minority of the steam users use the steam controller and so I think it would be better if this feature would require some kind of "opt in" mechanism. Maybe create a new group "steamcontroller" and require the user to be added to this group to be able to use the steam controller. |
This task depends upon
I still think that it is *not* the majority of Steam users that also own the Steam controller and even if you own the Steam controller this doesn't mean that you use the Steam built-in driver. There are drivers available which run as "real" system daemon and make the Steam controller usable even without Steam at all.
The people, using the Steam controller with the Steam built-in driver, could easily add their user, they plan to use the controller with, to some group and all the other users (most probably the big majority) don't have to take this security risk.