summaryrefslogtreecommitdiff
path: root/git.mk
diff options
context:
space:
mode:
authorHans de Goede <hdegoede@redhat.com>2012-12-20 21:52:17 +0100
committerHans de Goede <hdegoede@redhat.com>2012-12-20 21:57:24 +0100
commit48b7acd5740a5524dd6d151d6bfc5978ae518c1e (patch)
tree73e338a18c1efab4da05d6e38ba592b4e71802a2 /git.mk
parent621732a3b666b0d36f8b1c4f4b904923952767bd (diff)
acl-helper policykit policy: Allow redir by default for console users
This makes usb-redir a lot more userfriendly to use. This has been discussed with the security team and they are ok with it, rationale: Since we only set <allow_active> to yes, we only give raw usb access to users *physically present behind the machine*. This is ok since they already have full control over usb devices anyways, they can always just unplug the device and put it in a user controlled machine. This follows how we already grant a great deal of access to users *physically present behind the machine* including dangerous things like /dev/sg access for cd/dvd writers. And raw usb access to all devices which happen to have a userspace driver rather then an in kernel driver. Also the opening up is limited compared to the existing opening up of other devices listed above in that: 1) It will only happen on machines which have spice-glib installed 2) We are not opening up the device nodes rights automatically, as an udev rule would do. So there is no chance that any random app can start (accidentally) poking the devices. Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Diffstat (limited to 'git.mk')
0 files changed, 0 insertions, 0 deletions