List: gphoto
Subject: Re: [gphoto] Alternative way of setting usb user permissions for gphoto
From: Hans Ulrich Niedermann <gp () n-dimensional ! de>
Date: 2002-08-25 14:42:16
Renchi Raju <renchi@green.tam.uiuc.edu> writes:
> > 1. This isn't easier to set up.
>
> I never claimed that it is easier to set up.

Good. Then we agree that the one advantage any alternative method
may have over linux-hotplug is not to be found here.

> > 2. This makes it possible for anybody with "camera" access to muck
> > around with *ANY* USB device.
> >
> > If you start doing stuff like that, I suggest running everything as
> > root. And you won't need passwords either.
>
> I am not really sure how exactly this is a security risk. I could be wrong and
> if so, anyone please correct me. What is wrong with a user getting
> permissions to handle all usb devices. Unless in case you want a specific
> user to handle only a specific device, in this case a camera.

Any member of the "usb" group will have unconditional access to any
device attached to the USB bus. Regardless of whether this is a
camera, a keyboard, a mass storage device, a smart card reader, a
robot control device, or whatever else.

And then a bug in any application accessing USB devices may do
arbitrary things with arbitrary devices - even if you only wanted to
access your camera in the first place. Tough luck.

And as there is no need for it and not even an advantage in convenience,
I don't think this method should be promoted.

> > People who know enough about the security implications of this method
> > are able to find out how to do that on their own.
> >
> > And I will not provide the rope for everybody else to hang
> > themselves.

People who know what they are doing are free to do that - and they
won't even bother to read our documentation anyway.

But we describe the permission setup for people who do *not* know what
they are doing. And so we tell them what they have to do to get the best
result for themselves with respect to both usability and security - at
no additional cost compared to more insecure methods.

> Hans, I respect you for all your contributions to gphoto. Don't make
> me lose that respect

Hmm? OK, I rather harshly disqualified your solution. I didn't intend
to disqualify you as a person. But I thought it better to say something
before somebody starts to believe that granting access to all USB
devices gives them any advantage.

Regards,
Uli
--
See also: | http://n-dimensional.de/projects/digicam/
----------+ http://www.teaser.fr/~hfiguiere/linux/digicam.html
#gphoto on irc.openprojects.net http://sf.net/projects/gphoto
http://sf.net/projects/libusb http://sf.net/projects/libexif
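
Added example (not part of the original message, and not gphoto or linux-hotplug code): a Python audit sketch contrasting the shared "usb" group setup discussed above with per-device camera permissions. It assumes the modern Linux /dev/bus/usb and sysfs layout rather than the usbfs of 2002; the function names and the sample device list are constructed for illustration.

```python
import glob, grp, os, stat

STILL_IMAGE = 0x06  # USB interface class used by PTP cameras

def risky_nodes(nodes):
    """Return (path, who) for non-camera nodes writable by a non-root group or by everyone."""
    findings = []
    for n in nodes:
        if STILL_IMAGE in n["classes"]:
            continue  # camera: delegated access is the intended outcome
        if n["mode"] & stat.S_IWOTH:
            findings.append((n["path"], "world"))
        elif n["mode"] & stat.S_IWGRP and n["group"] != "root":
            findings.append((n["path"], "group:" + n["group"]))
    return findings

def _hex(path):
    with open(path) as f:
        return int(f.read().strip(), 16)

def collect():
    """Describe live USB device nodes (assumes modern sysfs and /dev/bus/usb)."""
    nodes = []
    for dev in glob.glob("/sys/bus/usb/devices/*"):
        if ":" in os.path.basename(dev):
            continue  # interface entry, not a device
        with open(dev + "/busnum") as b, open(dev + "/devnum") as d:
            path = "/dev/bus/usb/%03d/%03d" % (int(b.read()), int(d.read()))
        if not os.path.exists(path):
            continue
        classes = {_hex(dev + "/bDeviceClass")}
        classes |= {_hex(p) for p in glob.glob(dev + "/*:*/bInterfaceClass")}
        st = os.stat(path)
        nodes.append({"path": path, "mode": st.st_mode, "classes": classes,
                      "group": grp.getgrgid(st.st_gid).gr_name})
    return nodes

# Constructed sample: the same three devices under each setup (0o20660 = char device, rw-rw----).
SHARED_GROUP = [
    {"path": "/dev/bus/usb/001/002", "mode": 0o20660, "group": "usb", "classes": {0x00, 0x06}},  # camera
    {"path": "/dev/bus/usb/001/003", "mode": 0o20660, "group": "usb", "classes": {0x00, 0x03}},  # keyboard
    {"path": "/dev/bus/usb/001/004", "mode": 0o20660, "group": "usb", "classes": {0x00, 0x08}},  # mass storage
]
PER_DEVICE = [dict(n, group="camera" if STILL_IMAGE in n["classes"] else "root")
              for n in SHARED_GROUP]

if __name__ == "__main__":
    for name, nodes in (("shared group", SHARED_GROUP), ("per device", PER_DEVICE)):
        print(name, risky_nodes(nodes))
```

Passing the result of collect() to risky_nodes() runs the same check on a live system. Cameras that present themselves as mass storage rather than PTP report class 0x08 and would need an explicit allow-list.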