• Fwd: gnome-settings-daemon breaks existing usbguard rules, allowing all

    From jan kapoli@21:1/5 to All on Sat Nov 16 00:10:01 2024
    Dear Security Team,

    I think bug #1050493 concerning gnome-settings-daemon and usbguard represents
    a security issue for people using usbguard. As later reported by me, I experienced this problem not only on dist upgrades.


    -------- Forwarded Message --------
    Subject: gnome-settings-daemon breaks existing usbguard rules, allowing all usb device by default
    Date: Fri, 25 Aug 2023 11:18:06 +0200
    From: John Livingston <reportbug@john-livingston.fr>
    To: Debian Bug Tracking System <submit@bugs.debian.org>


    Package: gnome-settings-daemon
    Version: 43.0-4
    Severity: normal
    X-Debbugs-Cc: reportbug@john-livingston.fr

    Dear Maintainer,

    I'm using USBguard to prevent attacks using bad USB devices. So I had some rules defined in /etc/usbguard/rules.conf, allowing only known USB devices.

    This worked perfectly well in Debian Bullseye. When I connected a new USB device, I first had to allow it.

    But since I upgraded to Bookworm, all USB devices are accepted by default, making usbguard useless...

    It seems this rule is added at runtime by gnome-settings-daemon: https://gitlab.gnome.org/denittis/gnome-settings-daemon/blob/29ae1fb6b76a38f27a0875be0e3fffe0a904ea1e/plugins/usb-protection/gsd-usb-protection-manager.c#L145

    This is really bad, as it disables a protection without any warning.

    I found some documentation about this new behaviour: https://wiki.archlinux.org/title/USBGuard (section "Gnome integration")

    Seems I have to do:
    gsettings set org.gnome.desktop.privacy usb-protection-level always

    When upgrading from a previous version, it should detect if there are any rules already defined, and set the default level to always. Or at least warn the user somehow.


    Best regards,
    John


    -- System Information:
    Debian Release: 12.1
    APT prefers stable-updates
    APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
    Architecture: amd64 (x86_64)

    Kernel: Linux 5.10.0-24-amd64 (SMP w/8 CPU threads)
    Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages gnome-settings-daemon depends on:
    ii gnome-settings-daemon-common 43.0-4
    ii gsettings-desktop-schemas 43.0-1
    ii libasound2 1.2.8-1+b1
    ii libc6 2.36-9+deb12u1
    ii libcairo2 1.16.0-7
    ii libcanberra-gtk3-0 0.30-10
    ii libcanberra0 0.30-10
    ii libcolord2 1.4.6-2.2
    ii libcups2 2.4.2-3+deb12u1
    ii libfontconfig1 2.14.1-4
    ii libgcr-base-3-1 3.41.1-1+b1
    ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
    ii libgeoclue-2-0 2.6.0-2
    ii libgeocode-glib-2-0 3.26.3-6
    ii libglib2.0-0 2.74.6-2
    ii libgnome-desktop-3-20 43.2-2
    ii libgtk-3-0 3.24.37-2
    ii libgudev-1.0-0 237-2
    ii libgweather-4-0 4.2.0-2
    ii libmm-glib0 1.20.4-1
    ii libnm0 1.42.4-1
    ii libnotify4 0.8.1-1
    ii libnspr4 2:4.35-1
    ii libnss3 2:3.87.1-1
    ii libpam-systemd [logind] 252.12-1~deb12u1
    ii libpango-1.0-0 1.50.12+ds-1
    ii libpangocairo-1.0-0 1.50.12+ds-1
    ii libpolkit-gobject-1-0 122-3
    ii libpulse-mainloop-glib0 16.1+dfsg1-2+b1
    ii libpulse0 16.1+dfsg1-2+b1
    ii libspa-0.2-bluetooth 0.3.65-3
    ii libupower-glib3 0.99.20-2
    ii libwacom9 2.6.0-1
    ii libwayland-client0 1.21.0-1
    ii libx11-6 2:1.8.4-2+deb12u1
    ii libxext6 2:1.3.4-1+b1
    ii libxfixes3 1:6.0.0-2
    ii libxi6 2:1.8-1+b1
    ii pipewire-audio 0.3.65-3

    Versions of packages gnome-settings-daemon recommends:
    ii iio-sensor-proxy 3.0-2
    ii pipewire-audio 0.3.65-3
    ii pkexec 122-3
    ii x11-xserver-utils 7.7+9+b1

    Versions of packages gnome-settings-daemon suggests:
    ii usbguard 1.1.2+ds-3+b1

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
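The check a usbguard user would want after reading the report above, written here as an added example; it is not code from the bug report, from gnome-settings-daemon or from usbguard. It audits two things: whether org.gnome.desktop.privacy usb-protection-level is still at its default ('lockscreen', the value under which the report says gnome-settings-daemon injects an allow rule) and whether the live usbguard policy contains a "blanket" rule, i.e. a rule consisting only of the target `allow` with no device attributes, which matches every device. That the runtime-added rule shows up in `usbguard list-rules` as such a bare `allow` line is an assumption of this example; the report only says a rule allowing all devices is added. SAMPLE_RULES is constructed data in the `usbguard list-rules` output format (hashes are placeholders); the `--live` mode calls the real `gsettings` and `usbguard` commands, and `usbguard list-rules` needs access to the daemon's IPC socket (root, or a user listed in IPCAllowedUsers).

```shell
#!/bin/sh
# Added example, not part of the Debian bug report or of gsd/usbguard.
# Audit for the condition described in the report: default GNOME
# usb-protection-level plus a bare "allow" rule in the live usbguard policy.

# Constructed sample in `usbguard list-rules` format ("<id>: <rule>").
# Rule 3 is the kind of target-only rule that matches every device.
SAMPLE_RULES='1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "PLACEHOLDERHASH1=" with-interface 09:00:00
2: allow id 046d:c52b name "USB Receiver" hash "PLACEHOLDERHASH2=" with-interface { 03:01:01 03:01:02 03:00:00 }
3: allow'

# Read a rule listing on stdin; print the id of every rule whose body is
# just "allow" (no id/serial/name/hash/with-interface attributes).
blanket_allow_rules() {
    awk '
        /^[0-9]+:/ {
            id = $1; sub(/:$/, "", id)
            body = $0; sub(/^[0-9]+:[ \t]*/, "", body)
            if (body ~ /^allow[ \t]*$/) print id
        }'
}

# Return 0 when the gsettings value means gsd stays out of usbguard policy.
# `gsettings get` prints the value in GVariant syntax, i.e. in single quotes.
usb_protection_ok() {
    case "$1" in
        "'always'"|always) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks against the running system. Exit status: 0 clean,
# 1 something to fix, 2 tools missing.
audit_live() {
    command -v gsettings >/dev/null 2>&1 || { echo "gsettings not found" >&2; return 2; }
    command -v usbguard  >/dev/null 2>&1 || { echo "usbguard not found" >&2; return 2; }
    status=0

    level=$(gsettings get org.gnome.desktop.privacy usb-protection-level)
    if usb_protection_ok "$level"; then
        echo "usb-protection-level: $level (gsd will not add rules)"
    else
        echo "usb-protection-level: $level"
        echo "  fix: gsettings set org.gnome.desktop.privacy usb-protection-level always"
        status=1
    fi

    # Needs IPC access to usbguard-daemon (root or an IPCAllowedUsers member).
    ids=$(usbguard list-rules | blanket_allow_rules)
    if [ -n "$ids" ]; then
        echo "blanket allow rule(s) in live policy, ids: $(echo $ids)"
        echo "  inspect with: usbguard list-rules; compare with /etc/usbguard/rules.conf"
        status=1
    else
        echo "no blanket allow rule in live policy"
    fi
    return $status
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "blanket allow rule ids in constructed sample: $(printf '%s\n' "$SAMPLE_RULES" | blanket_allow_rules)"
    echo "run with --live to audit this machine"
fi
```

Run it without arguments to see the parser flag rule 3 of the sample; run it as root with `--live` on the affected desktop. A finding of a bare `allow` rule in the live policy that is absent from /etc/usbguard/rules.conf is exactly the symptom the report describes, and the gsettings fix it prints is the one the report quotes from the Arch wiki.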