Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upInconsistent handling of USB input devices (mouse and keyboard) #3722
Comments
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marmarek
Mar 19, 2018
Member
See here: https://www.qubes-os.org/doc/usb/#security-warning-about-usb-input-devices
Having default "ask" action for keyboard would lower system security, because having mouse access, one can easily accept confirmation prompt, and then have keyboard access.
|
See here: https://www.qubes-os.org/doc/usb/#security-warning-about-usb-input-devices Having default "ask" action for keyboard would lower system security, because having mouse access, one can easily accept confirmation prompt, and then have keyboard access. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
shunju
Mar 19, 2018
But then you could also argue that mouse access enables you to navigate to /etc/qubes-rpc/policy/ and replace qubes.InputKeyboard with qubes.InputMouse. This may be a bit convoluted, but it’s not difficult:
– Right-click on the desktop
– Open in New Window (opens a file browser)
– Navigate to above-mentioned directory
– Copy qubes.InputMouse to new file
– “Rename” qubes.InputKeyboard to copy its filename, then delete the file
– Rename the copy of qubes.InputMouse to qubes.InputKeyboard
Doesn’t that amount to the same thing as clicking “Yes” in the confirmation dialog?
shunju
commented
Mar 19, 2018
|
But then you could also argue that mouse access enables you to navigate to Doesn’t that amount to the same thing as clicking “Yes” in the confirmation dialog? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marmarek
Mar 19, 2018
Member
It is much harder to do without visual feedback (sys-usb doesn't have one) - you don't know where file browser window will open, where will be various directories and files you need - this all depends on particular system configuration, including installed packages, current window layout etc.
|
It is much harder to do without visual feedback (sys-usb doesn't have one) - you don't know where file browser window will open, where will be various directories and files you need - this all depends on particular system configuration, including installed packages, current window layout etc. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
shunju
Mar 19, 2018
Okay, I assumed it would always open maximized, but it makes sense that this isn’t true for everyone. Assuming that it is in fact maximized and the user didn’t adjust the height of the top panel (or put the panel somewhere else entirely), going up to the / directory should be fairly simple. However, /etc is pretty full of stuff – as is /etc/qubes-rpc/policy – and I agree that the assumption that everything will always be in the same locations is a pretty bold one.
Anyway, since the absence of visual feedback is such a problem for an attack, why not randomize the position of the confirmation dialog? Another option would be to not put in the default target, i.e. only sys-usb dom0 ask for the keyboard?
shunju
commented
Mar 19, 2018
|
Okay, I assumed it would always open maximized, but it makes sense that this isn’t true for everyone. Assuming that it is in fact maximized and the user didn’t adjust the height of the top panel (or put the panel somewhere else entirely), going up to the / directory should be fairly simple. However, /etc is pretty full of stuff – as is /etc/qubes-rpc/policy – and I agree that the assumption that everything will always be in the same locations is a pretty bold one. Anyway, since the absence of visual feedback is such a problem for an attack, why not randomize the position of the confirmation dialog? Another option would be to not put in the default target, i.e. only |
andrewdavidwong
added
the
C: other
label
Mar 20, 2018
andrewdavidwong
added this to the Release 4.0 milestone
Mar 20, 2018
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Polygonbugs
Mar 20, 2018
But there is "screen lock" feature to limit potential mouse ability when you leave computer. Though, it is case when you are only using PS/2 or another connection type keyboard other than USB. See here, "https://www.qubes-os.org/doc/usb/#security-warning-about-usb-input-devices".
Polygonbugs
commented
Mar 20, 2018
|
But there is "screen lock" feature to limit potential mouse ability when you leave computer. Though, it is case when you are only using PS/2 or another connection type keyboard other than USB. See here, "https://www.qubes-os.org/doc/usb/#security-warning-about-usb-input-devices". |
andrewdavidwong
added
enhancement
C: qubes-manager
UX
and removed
C: other
labels
Mar 31, 2018
andrewdavidwong
modified the milestones:
Release 4.0,
Release 4.1
Mar 31, 2018
marmarta
referenced this issue
in QubesOS/qubes-manager
Apr 4, 2018
Merged
Removed useless action Attach Block Device from Qube Manager #87
marmarek
closed this
in
marmarek/qubes-manager@1969610
Apr 5, 2018
marmarek
reopened this
Apr 5, 2018
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
qubesos-bot
Jun 27, 2018
Automated announcement from builder-github
The package qubes-manager-4.0.18-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
qubesos-bot
commented
Jun 27, 2018
|
Automated announcement from builder-github The package |
shunju commentedMar 19, 2018
Qubes OS version:
R4.0-rc4
Affected component(s):
AdminVM:
/etc/qubes-rpc/policy/qubes.InputMouse/etc/qubes-rpc/policy/qubes.InputKeyboardSteps to reproduce the behavior:
Attach a USB mouse and a USB keyboard to a default installation of Qubes with sys-usb enabled.
Expected behavior:
Qubes asks for confirmation whether the device connected should be allowed to direct input at dom0.
Actual behavior:
USB mouse is used by default without confirmation, USB keyboard is not used and no prompt is opened.
General notes:
While I can follow the reasoning behind allowing USB mice, but not keyboards, I still think the current behavior violates the principle of least surprise. In fact, I had been using USB mice for a while and was wondering, why dom0 would just accept input from them, even though I had isolated it from the mouse with a sys-usb qube. Today, I wanted to connect a keyboard and it didn’t work. I connected it to another machine just to be sure that it is in fact working and then spent five minutes Googling until I finally found that the solution is as trivial as adding
sys-usb dom0 ask,default_target=dom0to/etc/qubes-rpc/policy/qubes.InputKeyboard.In light of the fact that a number of similar and related issues have been opened recently, I feel as if I’m not alone and a lot of users are confused by this behavior.
I would therefore like to ask the maintainers to reconsider this decision and advocate for putting
sys-usb dom0 ask,default_target=dom0into both the keyboard and the mouse configuration files.If this is declined, I would like to ask how the current state is more secure than putting above-mentioned line into the keyboard configuration by default.
Related issues:
#2491 USB mouse works without approval
#3126 allow qubes.InputKeyboard by default in sys-usb salt
#3481 No confirmation dialog when attaching USB mouse