Date: Thu, 2 Dec 2004 12:05:09 +0100
From: Hans Petter Selasky <hselasky@c2i.net>
To: Craig Rodrigues <rodrigc@crodrigues.org>
Cc: freebsd-usb@freebsd.org
Subject: Re: Changing permissions of /dev/usb[n] to 664?
Message-ID: <20041202120509.A277@curly.tele2.no>
In-Reply-To: <20041130064837.GA1541@crodrigues.org>; from rodrigc@crodrigues.org on Tue, Nov 30, 2004 at 01:48:37AM -0500
References: <20041107064227.GA79915@crodrigues.org> <20041107.125814.34760598.imp@bsdimp.com> <20041130064837.GA1541@crodrigues.org>

On Tue, Nov 30, 2004 at 01:48:37AM -0500, Craig Rodrigues wrote:
> On Sun, Nov 07, 2004 at 12:58:14PM -0700, M. Warner Losh wrote:
> > This looks good, but we should audit all the ioctls to make sure the
> > ones that modify anything have the proper checks to make sure the fd
> > was opened for write.
>
> OK. Here is another iteration of the patch.
> It does the following:
>   - opens /dev/usb[n] as 664
>   - puts suser() permission checks in the following paths:
>       USB_REQUEST ioctl()
>       usbpoll()
>       usbread()

You don't need /dev/usb to be accessible by non-root users, to run usbdevs.
That way you only need to check suser() when unit == USB_DEV_MINOR.

usbpoll should return zero on error?

What if a user who belongs to the group "operator" tries to open /dev/usbX
and uses the ioctl USB_REQUEST?

>
> This is what a non-root user can and cannot do on /dev/usb[n]:
>
> Allowed
> =======
> USB_DISCOVER
> USB_DEVICEINFO
> USB_DEVICESTATS
> usbopen()
> usbclose()
>
> Forbidden
> =========
> USB_REQUEST
> usbread()
> usbpoll()
>
> The result of this patch is that a non-root user can
> run usbdevs without a problem.
>
> I also have a small test program where I tried running
> different ioctl's as non-root and this is the output I got:
>
> Executing ioctl(): USB_REQUEST Operation not permitted
> Executing ioctl(): USB_DISCOVER...OK
> Executing ioctl(): USB_DEVICEINFO...OK
> Executing ioctl(): USB_DEVICESTATS...OK
>
> Comments?
>

Yours
-HPS
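
The two gates discussed in this thread, a check that the descriptor was opened for write and a superuser check on USB_REQUEST, give different answers for a member of the device node's group once the node is mode 664. The following is an added example, a user-space C model that is not the patch from this thread and not FreeBSD kernel code; the flag values, the struct, the function names and the assumption that the caller's group owns the node are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; command names come from the thread,
 * everything else (flags, struct, functions) is hypothetical. */
enum usb_cmd { USB_REQUEST, USB_DISCOVER, USB_DEVICEINFO, USB_DEVICESTATS };
enum { M_FREAD = 1, M_FWRITE = 2 };

struct caller {
    const char *name;
    bool is_root;   /* what a superuser check tests */
    bool in_group;  /* member of the group owning the node (assumed) */
};

/* open() on a mode-664 node: owner and group get rw, others read only.
 * Returns the granted flags, or -1 if the requested access is refused. */
static int model_open(const struct caller *c, int want)
{
    int may = M_FREAD | ((c->is_root || c->in_group) ? M_FWRITE : 0);
    return (want & ~may) ? -1 : want;
}

/* Per the thread's "Forbidden" list, USB_REQUEST is the guarded ioctl. */
static bool guarded(enum usb_cmd cmd) { return cmd == USB_REQUEST; }

/* Gate A: guarded commands need a descriptor opened for write. */
static bool allow_by_fflag(int fflags, enum usb_cmd cmd)
{
    return fflags >= 0 && (!guarded(cmd) || (fflags & M_FWRITE));
}

/* Gate B: guarded commands need superuser, whatever the open mode. */
static bool allow_by_suser(const struct caller *c, int fflags, enum usb_cmd cmd)
{
    return fflags >= 0 && (!guarded(cmd) || c->is_root);
}

int main(void)
{
    struct caller who[] = { {"root", true, false}, {"group member", false, true},
                            {"other user", false, false} };
    for (size_t i = 0; i < sizeof who / sizeof who[0]; i++) {
        int fd = model_open(&who[i], M_FREAD | M_FWRITE);
        if (fd < 0) fd = model_open(&who[i], M_FREAD);  /* fall back to read-only */
        printf("%-12s USB_REQUEST: fflag=%d suser=%d  USB_DEVICEINFO: fflag=%d suser=%d\n",
               who[i].name, allow_by_fflag(fd, USB_REQUEST),
               allow_by_suser(&who[i], fd, USB_REQUEST),
               allow_by_fflag(fd, USB_DEVICEINFO),
               allow_by_suser(&who[i], fd, USB_DEVICEINFO));
    }
    return 0;
}
```

In this model the group member passes the write-flag gate for USB_REQUEST but not the superuser gate, while a user outside the group is refused by both and can still issue the read-only commands.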