[Pkg-libvirt-maintainers] Bug#764894: Bug#764894: virt-manager: USB devices are generally redirected to VMs

Christoph Anton Mitterer calestyo at scientia.net
Sun Oct 12 17:00:01 UTC 2014 

On Sun, 2014-10-12 at 14:46 +0200, Guido Günther wrote: 
> severity 764894 important

To be honest, I'm quite surprised (or should I say shocked) how much
this "culture" of hiding away serious issues has taken it's way serious
issues.

1) critical & grave are basically the only real way for a user to see
about such issues on upgrade (when using apt-listbugs)
2) not having stuff moved to testing is probably just what one want (at
least if the affected versions aren't in yet)
3) having an issue release critical is probably again just what one
wants, if the issue is severe enough to justify it as that

and apart from that

4) I'd guess no-one would "count" the number of grave/critical bugs to
denigrate their maintainers. It's quite clear that packages like
iceweasel or likely also VM related stuff will out of their always have
more serious bugs open than something like the "tree" package.
This if course doesn't mean in any way that their maintainers would be
less capable or less passionate or whatever.



And the two issues in this bug quite clearly qualify for being severe
enough.
It's basically as if firefox would export parts of your harddisk to some
(e.g. https) websites automatically, just that this would affect even
more users.
No one would expect such behaviour, no one could say "well you triggered
that yourself by going to an https site" and especially no one would
accept if it was exporting data (and had the capability to) from
anywhere on the system ... like other users.
But that's basically what happens here, imagine that people still have
multi-user-systems (not everything in the world is a tablet),... now I
stick in some USB stick, and while the other user is doing stuff with
his VMs, it's exported to it. Even though root, never mounted it for one
of the two, or gave permissions on the device.



> You can turn off usb auto redirecton in virt-manager's preferences. I
> I'm open for discussion to changing this to off by default
Well I don't think that this solves either of the two bugs I've reported
here.

AFAIU you mean the option in Edit/Preference/New VM/Add spice USB
redirection, right?
AFAICS this only controls what happens on the VM (i.e. server-side),...
and for the server it's absolutely no security problem to allow
redirections (since it's not his USB devices, but the client's).

The two problems we have here:
a) virt-manager (and perhaps virt-viewer as well?) exports the device
unconditionally, as long as it's allowed by the server (but a rogue
server will of course always allow).
On the VM window, there is the "Virtual Machine/Redirect USB Device"
menu entry, but here my devices are exported before I even go there.

b) The second, IMHO even more severe issue is:
Why does a normal user get permissions to redirect USB devices?
Even if virt-manager behaves buggy as described in (1), the user still
shouldn't have any permissions by default that polkit grants him access
to the USB device.
And access to the "full" USB device is granted! Not only to e.g. the
users own files on some filesystem *on* the USB device (in case it was a
mass storage device).


> but until
> then please let's not block the testing migration (the version in
> jessie is affected by the same bug).
Well I already expected that which I wrote (2) above, but IMHO we have
some problem here than with the migration procedures.
Or will it migrate if we mark the current testing version as affected as
well?
Cause then we could keep the current severity, mark the testing version
and still have the new one migrated.


Oh and btw: Do you know where the issue (b) comes from? I'd guess it's
polkit, or rather some rules added by some package to it,... is it
spice-client-glib-usb-acl-helper as I've guessed (my polkit knowledge is
a little bit rusty ^^),... cause then I could clone the bug there and
every package could just deal with its own part of the two issues here.



Cheers,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5313 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-libvirt-maintainers/attachments/20141012/e324a6ce/attachment.bin>

More information about the Pkg-libvirt-maintainers mailing list