Bugzilla – Bug 995795
[spice-gtk] /usr/bin/spice-client-glib-usb-acl-helper doesn't have the Setuid bit set
Last modified: 2016-08-30 14:32:11 UTC
Created attachment 689694
virt-manager USB redirection error

Background: I'm using virt-manager with QEMU-KVM and Spice on Tumbleweed. The guest OS is Windows 7 (though this problem should be present with any guest OS).

I want to redirect a USB device from my host to my guest using the GUI. However, upon selecting the desired device from the list and entering my password, the operation fails with error "Error setting facl: Operation not permitted" (see attached screenshot).

Upon setting the Setuid bit on the spice-client-glib-usb-acl-helper binary, the redirection operation completes successfully. I used the command "sudo chmod u+s /usr/bin/spice-client-glib-usb-acl-helper" to do so.

See the following forum discussion to see other people having this problem: https://forums.opensuse.org/showthread.php/501434-Can-t-redirect-USB-to-QEMU-KVM-guest
Security team, how do you feel about this?
In case it's relevant: After setting the Setuid bit on /usr/bin/spice-client-glib-usb-acl-helper, PolicyKit still asks for authentication before doing any USB redirection, as defined in file org.spice-space.lowlevelusbaccess.policy (also contained in the spice-gtk package), reproduced below.

~ $ cat /usr/share/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The Spice Project</vendor>
  <vendor_url>http://spice-space.org/</vendor_url>
  <icon_name>spice</icon_name>
  <action id="org.spice-space.lowlevelusbaccess">
    <description>Low level USB device access</description>
    <message>Privileges are required for low level USB device access (for usb device pass through).</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
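Added example, not part of the original comments and not spice-gtk code: a Python check that the polkit defaults quoted above still demand admin authentication and that the setuid helper has sane ownership and mode bits. The function names and the ADMIN_ONLY set are assumptions of this example; the sample policy is constructed from the quoted file with the DOCTYPE omitted.

```python
import os
import stat
import xml.etree.ElementTree as ET

HELPER = "/usr/bin/spice-client-glib-usb-acl-helper"  # path from the report
ACTION = "org.spice-space.lowlevelusbaccess"          # action id from the policy
# polkit implicit-authorization values that deny or demand admin authentication.
ADMIN_ONLY = {"no", "auth_admin", "auth_admin_keep"}

# Constructed sample: the <action> from the comment above, DOCTYPE omitted.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.spice-space.lowlevelusbaccess">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def polkit_defaults(xml_text, action_id=ACTION):
    """Return the allow_* defaults of one polkit action as a dict."""
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        if action.get("id") == action_id:
            return {el.tag: (el.text or "").strip()
                    for el in action.iterfind("defaults/*")}
    raise KeyError(action_id)

def policy_findings(defaults):
    """Flag missing defaults or ones that let a non-admin through."""
    keys = ("allow_any", "allow_inactive", "allow_active")
    return [f"{k}={defaults.get(k)!r} does not require admin authentication"
            for k in keys if defaults.get(k) not in ADMIN_ONLY]

def helper_findings(mode, uid):
    """Check the helper's mode bits and owner (values from os.stat)."""
    out = []
    if not mode & stat.S_ISUID:
        out.append("setuid bit not set (the state reported in this bug)")
    elif uid != 0:
        out.append("setuid but not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append("writable by group or others")
    return out

if __name__ == "__main__":
    print(policy_findings(polkit_defaults(SAMPLE_POLICY)))
    if os.path.exists(HELPER):
        st = os.stat(HELPER)
        print(helper_findings(st.st_mode, st.st_uid))
```
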
Found a dupe

*** This bug has been marked as a duplicate of bug 744251 ***