FS#76933 - [libindi] unrestricted access to USB-to-serial adapters

Attached to Project: Community Packages
Opened by Dmytro Bagrii (dimich) - Sunday, 25 December 2022, 17:06 GMT
Last edited by Antonio Rojas (arojas) - Saturday, 25 March 2023, 10:48 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Antonio Rojas (arojas)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

libindi 1.9.9-1 installs a udev rule which sets access mode 0666 on /dev/ttyUSB* for many popular USB-to-serial adapters. This allows anyone unrestricted access to plugged-in adapters, regardless of uucp group membership.

prepare() function in PKGBUILD tries to patch the rule with:

```
sed -e 's|GROUP="plugdev", MODE="0666"|TAG+="uaccess"|' -i indi-$pkgver/drivers/*/*.rules
```

but the pattern doesn't match in drivers/auxiliary/99-indi_auxiliary.rules:

```
SUBSYSTEMS=="usb", ATTRS{idVendor}=="134a", MODE="0666"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", MODE="0666"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="067b", MODE="0666"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="04d8", MODE="0666"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="10c4", MODE="0666"
```
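A packaging-time check for the mismatch described in this report, as an added example that is not part of the report, the PKGBUILD or libindi. It runs the quoted sed expression over rule files and lists every rule that still has the world-write bit set; the sample files, the placeholder vendor id `ffff` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a PKGBUILD-style substitution leaves any
# world-writable MODE behind in udev rule files.

# The substitution quoted from prepare() in the report.
PKGBUILD_SED='s|GROUP="plugdev", MODE="0666"|TAG+="uaccess"|'
# Non-comment rule lines whose MODE has the "other" write bit set.
WORLD_WRITABLE='^[^#]*MODE="0?[0-7][0-7][2367]"'

# Print "file:rule" for every rule the substitution leaves world-writable.
list_unpatched() {
    for f in "$@"; do
        sed -e "$PKGBUILD_SED" "$f" | grep -E "$WORLD_WRITABLE" | sed "s|^|$f:|"
    done
}

# Count those rules; a build check would fail when this is not 0.
count_unpatched() {
    list_unpatched "$@" | wc -l | tr -d ' '
}

# Build constructed sample files in a temp dir and print the surviving count.
demo() {
    tmp=$(mktemp -d)
    # Constructed line in the form the sed pattern expects (placeholder vendor id).
    printf '%s\n' \
        'SUBSYSTEMS=="usb", ATTRS{idVendor}=="ffff", GROUP="plugdev", MODE="0666"' \
        > "$tmp/99-sample.rules"
    # Two of the lines quoted in the report: no GROUP key, so the pattern misses them.
    printf '%s\n' \
        'SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", MODE="0666"' \
        'SUBSYSTEMS=="usb", ATTRS{idVendor}=="067b", MODE="0666"' \
        > "$tmp/99-indi_auxiliary.rules"
    count_unpatched "$tmp"/*.rules
    rm -rf "$tmp"
}

echo "rules left world-writable after the substitution: $(demo)"
```
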


Closed by  Antonio Rojas (arojas)
Saturday, 25 March 2023, 10:48 GMT
Reason for closing:  Upstream
Comment by Antonio Rojas (arojas) - Sunday, 25 December 2022, 21:57 GMT
Is there an upstream report for this?
Comment by Dmytro Bagrii (dimich) - Monday, 26 December 2022, 10:24 GMT
Created upstream report: https://github.com/indilib/indi/issues/1796
As there was an attempt to patch it in PKGBUILD, I thought libindi vendors already know about the problem but won't fix it.

UPD (sorry, can't post new comment to closed task):
This `prepare()` function in PKGBUILD with attached patch partially fixes the issue at least in Arch:
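```
prepare() {
  cd "indi-$pkgver"
  # TAG+="uaccess" is only honoured in rules ordered before 73-seat-late.rules,
  # so the rules file is renamed from 99- to 70-.
  mv drivers/auxiliary/99-indi_auxiliary.rules drivers/auxiliary/70-indi_auxiliary.rules
  # Apply the attached udev rules patch.
  patch -p1 < ../tty-usb-uaccess.patch
}
```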
Comment by Antonio Rojas (arojas) - Thursday, 12 January 2023, 18:11 GMT
Ok, thanks. Closing this to let upstream handle this properly.
Comment by Dmytro Bagrii (dimich) - Saturday, 21 January 2023, 22:07 GMT
  • Field changed: Percent Complete (100% → 0%)
As expected, upstream won't fix.
Comment by Antonio Rojas (arojas) - Saturday, 21 January 2023, 22:16 GMT
Where did you get that from?
Comment by Dmytro Bagrii (dimich) - Sunday, 22 January 2023, 10:01 GMT
Get what, answer from upstream or udev rules patch?
For the upstream conversation please see https://github.com/indilib/indi/issues/1796. I can't guarantee the proposed solution will work across distros.
I wrote the udev rules patch myself and tested it in Arch. Probably it should be not a patch file but a sed command as it was before, in case upstream decides to add some other vendors.
Comment by Antonio Rojas (arojas) - Sunday, 22 January 2023, 17:16 GMT
> Get what, answer from upstream or udev rules patch?
"As expected, upstream won't fix."

I don't see anything leading to that conclusion on the upstream report.
Comment by Dmytro Bagrii (dimich) - Sunday, 22 January 2023, 19:20 GMT
I understood this:

> Many users are already suffering from being unable to access their USB devices due to all the restrictions and we don't want to make the users suffer unnecessarily.

as a rejection to solve the issue. Sorry, maybe I'm too impatient. Let's wait for upstream resolution.

But... one package installs rules for unrestricted access to devices, another one will override presets, a third one will install a backdoor. Little by little I gradually stop trusting the distro and become paranoid.
Comment by Antonio Rojas (arojas) - Saturday, 25 March 2023, 10:47 GMT
I checked other major distros and I didn't find any downstream change related to this. Slippery slope fallacies aside, this is something for upstream to deal with.
