Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rely on uaccess to control device access #297

Merged
merged 1 commit into from Nov 30, 2022

Conversation

skitt
Copy link
Contributor

@skitt skitt commented Nov 28, 2022

The udev rules currently make supported device nodes world-readable and writable, which means that any process on the system can read traffic from keyboards including passwords etc. To avoid this, while still allowing the "controlling" user to run g810-led without being root, this patch adds a uaccess tag; this ensures that the user at the console has write access to the devices. The mode is also changed to 660 to ensure that existing device nodes are fixed on upgrade.

Thanks to Xavi Drudis Ferran for bringing this to my attention.

Fixes: #293
Signed-off-by: Stephen Kitt steve@sk2.org

The udev rules currently make supported device nodes world-readable
and writable, which means that any process on the system can read
traffic from keyboards including passwords etc. To avoid this, while
still allowing the "controlling" user to run g810-led without being
root, this patch adds a uaccess tag; this ensures that the user at the
console has write access to the devices. The mode is also changed to
660 to ensure that existing device nodes are fixed on upgrade.

Thanks to Xavi Drudis Ferran for bringing this to my attention.

Fixes: MatMoul#293
Signed-off-by: Stephen Kitt <steve@sk2.org>
@carnil
Copy link

carnil commented Nov 29, 2022

Crossreference to downstream report in Debian: https://bugs.debian.org/1024998

@carnil
Copy link

carnil commented Nov 30, 2022

CVE-2022-46338 has been assigned for this issue.

@MatMoul MatMoul merged commit cb3e552 into MatMoul:develop Nov 30, 2022
@MatMoul
Copy link
Owner

MatMoul commented Nov 30, 2022

Thank for providing a good solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants