Date: Mon, 8 Jan 2024 11:36:37 -0700
From: Warner Losh <imp@bsdimp.com>
To: Kyle Evans <kevans@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: Move u2f-devd into base?
Message-ID: <CANCZdfou_gt9J6gt1fUkzGS1ZbfT1Z64Oz8S52J5z%2Bc%2BCfBcVQ@mail.gmail.com>
In-Reply-To: <b38c7956-17d8-4c6a-a56a-42befdf35c17@FreeBSD.org>
References: <ZZwLx1RxlY6xuvFV@lorvorc.mips.inka.de> <CANCZdfqpbL=QNgTwBveUpBooucX2MbfZnR9dw4w25_TXYOyuDg@mail.gmail.com> <20240109013058.22807f3816603829316cef4c@dec.sakura.ne.jp> <b38c7956-17d8-4c6a-a56a-42befdf35c17@FreeBSD.org>

On Mon, Jan 8, 2024 at 9:35 AM Kyle Evans <kevans@freebsd.org> wrote:

> On 1/8/24 10:30, Tomoaki AOKI wrote:
> > On Mon, 8 Jan 2024 08:18:38 -0700
> > Warner Losh <imp@bsdimp.com> wrote:
> >
> >> On Mon, Jan 8, 2024, 7:55 AM Christian Weisgerber <naddy@mips.inka.de>
> >> wrote:
> >>
> >>> We have FIDO/U2F support for SSH in base.
> >>>
> >>> We also have a group "u2f", 116, in the default /etc/group file.
> >>>
> >>> Why do we keep the devd configuration (to chgrp the device nodes)
> >>> in a port, security/u2f-devd? Can't we just add this to base, too?
> >>> It's just another devd configuration file.
> >>>
> >>
> >> This properly belongs to devfs.conf no? Otherwise it's a race...
> >>
> >> Warner
> >>
> >> --
> >>> Christian "naddy" Weisgerber                          naddy@mips.inka.de
> >
> > It's devd.conf materials. It actually is security/usf-devd/files
> > u2f.conf and its contents is sets of notify 100 { match "vendor" ...
> > match "product" ... action "chgrpy u2f ..." };.
> > Some have more items in it, though.
> >
> > So it should be in ports to adapt for latest products more quickly than
> > in base, I think.
> >
>
> I don't see any obvious reason that we can't compromise and have a
> baseline of products in base and just use the port for new products not
> yet known to base. These vendors presumably aren't going to quickly
> repurpose some PID for a non-u2f thing, much less in a way that we care
> about.
>

Yea, I just wonder why it has to be devd.conf, and not devfs.conf. What are
we missing from that to make this doable generically? If we want it safe, we
may need some additional work around the whole ugen thing it uses.

Warner