Date:      Mon, 8 Jan 2024 11:36:37 -0700
From:      Warner Losh <imp@bsdimp.com>
To:        Kyle Evans <kevans@freebsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: Move u2f-devd into base?
Message-ID:  <CANCZdfou_gt9J6gt1fUkzGS1ZbfT1Z64Oz8S52J5z%2Bc%2BCfBcVQ@mail.gmail.com>
In-Reply-To: <b38c7956-17d8-4c6a-a56a-42befdf35c17@FreeBSD.org>
References:  <ZZwLx1RxlY6xuvFV@lorvorc.mips.inka.de> <CANCZdfqpbL=QNgTwBveUpBooucX2MbfZnR9dw4w25_TXYOyuDg@mail.gmail.com> <20240109013058.22807f3816603829316cef4c@dec.sakura.ne.jp> <b38c7956-17d8-4c6a-a56a-42befdf35c17@FreeBSD.org>


On Mon, Jan 8, 2024 at 9:35 AM Kyle Evans <kevans@freebsd.org> wrote:

> On 1/8/24 10:30, Tomoaki AOKI wrote:
> > On Mon, 8 Jan 2024 08:18:38 -0700
> > Warner Losh <imp@bsdimp.com> wrote:
> >
> >> On Mon, Jan 8, 2024, 7:55 AM Christian Weisgerber <naddy@mips.inka.de>
> >> wrote:
> >>
> >>> We have FIDO/U2F support for SSH in base.
> >>>
> >>> We also have a group "u2f", 116, in the default /etc/group file.
> >>>
> >>> Why do we keep the devd configuration (to chgrp the device nodes)
> >>> in a port, security/u2f-devd?  Can't we just add this to base, too?
> >>> It's just another devd configuration file.
> >>>
> >>
> >> This properly belongs to devfs.conf no? Otherwise it's a race...
> >>
> >> Warner
> >>
> >>> --
> >>> Christian "naddy" Weisgerber                          naddy@mips.inka.de
> >
> > It's devd.conf materials. It actually is security/u2f-devd/files/
> > u2f.conf and its contents are sets of notify 100 { match "vendor" ...
> > match "product" ... action "chgrp u2f ..." };.
> > Some have more items in it, though.
> >
> > So it should be in ports to adapt for latest products more quickly than
> > in base, I think.
> >
>
> I don't see any obvious reason that we can't compromise and have a
> baseline of products in base and just use the port for new products not
> yet known to base.  These vendors presumably aren't going to quickly
> repurpose some PID for a non-u2f thing, much less in a way that we care
> about.
>

Yea, I just wonder why it has to be devd.conf, and not devfs.conf. What are
we missing from that to make this doable generically? If we want it safe, we
may need some additional work around the whole ugen thing it uses.

Warner
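
An added illustration of the two mechanisms the thread contrasts; these fragments are written for this page, not copied from security/u2f-devd or from FreeBSD's own files, and the vendor/product IDs are illustrative assumptions (the real list lives in the port's u2f.conf). The hotplug-capable devfs counterpart is a devfs(8) ruleset in /etc/devfs.rules rather than devfs.conf, which only touches nodes present at boot.

```conf
# ---- Fragment 1: devd.conf rule, the shape the port installs ----
# devd is told about the USB ATTACH event after the ugen node already
# exists, so there is a window in which the node still carries its default
# ownership before the chgrp/chmod in "action" runs. That window is the
# race referred to in the thread. Matching on vendor/product IDs, however,
# lets the rule apply only to known FIDO/U2F tokens.
notify 100 {
	match "system"		"USB";
	match "subsystem"	"DEVICE";
	match "type"		"ATTACH";
	match "vendor"		"0x1050";	# illustrative vendor ID (assumption)
	match "product"		"0x0407";	# illustrative product ID (assumption)
	# $cdev is the ugen node name carried in the USB attach event
	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
};

# ---- Fragment 2: /etc/devfs.rules ruleset, enabled with ----
# ----   devfs_system_ruleset="u2f" in /etc/rc.conf        ----
# The kernel applies devfs rules when the node is created, so there is no
# window. The cost: devfs rules match on the node path only, never on USB
# vendor/product IDs, so 'ugen*' hands every generic USB device to group
# u2f, not just security tokens. That over-match is the "whole ugen thing"
# that needs extra work before the devfs approach can be used generically.
[u2f=10]
add path 'ugen*' group u2f mode 0660
```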



