FS#47995 - [steam] 80-steam-controller-permission.rules is a potential security problem!
Attached to Project:
Community Packages
Opened by Manuel Reimer (M-Reimer) - Tuesday, 02 February 2016, 18:00 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:06 GMT
Opened by Manuel Reimer (M-Reimer) - Tuesday, 02 February 2016, 18:00 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:06 GMT
|
Details
The steam controller driver, built into steam, runs as
regular user and as such requires usermode access to uinput.
This is what 80-steam-controller-permission.rules does.
The problem with this is, that it allows any software, running as regular user, to emulate a keyboard and maybe listen to other events to find out when the current session exits or the session is switched. This way malicous keypresses and commands can be sent to other users sessions. Currently the only way to get rid of this is to create an empty 80-steam-controller-permission.rules in /etc/udev/rules.d/ I think only a minority of the steam users use the steam controller and so I think it would be better if this feature would require some kind of "opt in" mechanism. Maybe create a new group "steamcontroller" and require the user to be added to this group to be able to use the steam controller. |
This task depends upon
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:06 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/p ackaging/packages/steam/issues/2
Saturday, 25 November 2023, 20:06 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/p ackaging/packages/steam/issues/2
I still think that it is *not* the majority of Steam users that also own the Steam controller and even if you own the Steam controller this doesn't mean that you use the Steam built-in driver. There are drivers available which run as "real" system daemon and make the Steam controller usable even without Steam at all.
The people, using the Steam controller with the Steam built-in driver, could easily add their user, they plan to use the controller with, to some group and all the other users (most probably the big majority) don't have to take this security risk.