Your message dated Fri, 22 May 2026 17:04:32 +0000
with message-id <[email protected]>
and subject line Bug#1134751: fixed in usbguard 1.1.4+ds-4
has caused the Debian Bug report #1134751,
regarding IPCAllowedGroups grants plugdev full IPC access, voiding narrower :plugdev control file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134751
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: usbguard
Version: 1.1.4+ds-2
Severity: important
Tags: security

Subject: IPCAllowedGroups grants plugdev full IPC access, voiding narrower :plugdev control file

Patch 0001-Set-IPCAllowedGroups-to-root-plugdev.patch sets
IPCAllowedGroups=root plugdev.

postinst runs:
  usbguard add-user -g plugdev --devices=modify,list,listen --policy=list --exceptions=listen
producing /etc/usbguard/IPCAccessControl.d/:plugdev with no policy.modify
and no parameters.*.

Daemon::loadConfiguration processes IPCAllowedGroups (Daemon.cpp:244) before
IPCAccessControlFiles (Daemon.cpp:336). The first block calls
addIPCAllowedGroup(group) with USBGUARD_IPCSERVER_DEFAULT_AC
(Section::ALL, Privilege::ALL <Daemon.hpp:89>).

addAllowedGroupname (IPCServerPrivate.cpp:1024) uses emplace(), a no-op on
duplicate keys. The narrow AC from :plugdev is dropped; plugdev receives
ALL/ALL.

README.Debian claims "usbguard ignores the IPCAllowedGroups directive when
using control files", which is a lie.

Also: https://wiki.debian.org/SystemGroups scopes plugdev to
pmount-based mount/unmount of removable media (nodev,nosuid). This
packaging extends plugdev into USB security-policy administration.

Repro:
  apt install usbguard
  adduser --disabled-password --gecos '' t
  usermod -aG plugdev t
  systemctl start usbguard
  sudo -u t usbguard append-rule 'allow id 1234:5678'
  usbguard list-rules | grep 1234:5678
  grep 1234:5678 /etc/usbguard/rules.conf

Fix proposal:
drop 0001-Set-IPCAllowedGroups-to-root-plugdev.patch; ship
IPCAllowedGroups= (empty) and rely on :plugdev.

Also: /usr/share/polkit-1/rules.d/org.usbguard1.rules grants plugdev and
sudo unauthenticated YES on org.usbguard.Policy1.appendRule,
org.usbguard1.setParameter, and org.usbguard.Devices1.applyDevicePolicy,
while upstream default for those actions is auth_admin (see
/usr/share/polkit-1/actions/org.usbguard1.policy). Same privilege
outcome as the IPC issue but via usbguard-dbus.service when there is
an active local session (same reason as in aforementioned IPC
issue: removeRule is not in the grant).

Fix proposal:
drop debian/org.usbguard1.rules, or narrow it to a dedicated group
(not plugdev) with the same scope as the intended 
IPCAccessControlFiles AC.

Related: #978406

--- End Message ---
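
The load-order effect described in the report above, as an added example that is not part of the report or of USBGuard's source. `AccessControl`, `loadConfiguration` and `plugdevAllowed` are simplified, hypothetical stand-ins; only the order (IPCAllowedGroups first, control files second) and the use of `emplace()` are taken from the report.

```cpp
// Added illustration: a simplified model, not USBGuard source code.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

enum Priv : uint8_t { NONE = 0, LIST = 1, MODIFY = 2, LISTEN = 4, ALL = 7 };
enum Section { DEVICES, POLICY, EXCEPTIONS, PARAMETERS, SECTION_COUNT };

struct AccessControl {  // hypothetical stand-in for the daemon's AC type
    uint8_t sections[SECTION_COUNT];
    bool allows(Section s, Priv p) const { return (sections[s] & p) == p; }
};

// Models USBGUARD_IPCSERVER_DEFAULT_AC: every section, every privilege.
const AccessControl kDefaultAC = {{ALL, ALL, ALL, ALL}};
// Models the :plugdev file written by postinst:
// --devices=modify,list,listen --policy=list --exceptions=listen
const AccessControl kPlugdevFileAC = {{LIST | MODIFY | LISTEN, LIST, LISTEN, NONE}};

using GroupACL = std::map<std::string, AccessControl>;

// Same order as in the report: IPCAllowedGroups first, control files second.
// emplace() never overwrites, so the first entry for a group is the one kept.
GroupACL loadConfiguration(const std::vector<std::string>& ipcAllowedGroups,
                           const GroupACL& controlFiles) {
    GroupACL acl;
    for (const auto& group : ipcAllowedGroups) acl.emplace(group, kDefaultAC);
    for (const auto& file : controlFiles) acl.emplace(file.first, file.second);
    return acl;
}

// Effective answer for plugdev under a given IPCAllowedGroups setting.
bool plugdevAllowed(const std::vector<std::string>& ipcAllowedGroups,
                    Section s, Priv p) {
    const GroupACL files = {{"plugdev", kPlugdevFileAC}};
    const GroupACL acl = loadConfiguration(ipcAllowedGroups, files);
    const auto it = acl.find("plugdev");
    return it != acl.end() && it->second.allows(s, p);
}

int main() {
    std::printf("IPCAllowedGroups=root plugdev -> policy.modify: %d\n",
                plugdevAllowed({"root", "plugdev"}, POLICY, MODIFY));
    std::printf("IPCAllowedGroups= (empty)     -> policy.modify: %d\n",
                plugdevAllowed({}, POLICY, MODIFY));
    return 0;
}
```

With plugdev listed in IPCAllowedGroups the control file's narrower entry is never stored; with the directive empty, the control file is the only source and policy.modify is denied.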
--- Begin Message ---
Source: usbguard
Source-Version: 1.1.4+ds-4
Done: Birger Schacht <[email protected]>

We believe that the bug you reported is fixed in the latest version of
usbguard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Birger Schacht <[email protected]> (supplier of updated usbguard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 22 May 2026 18:39:26 +0200
Source: usbguard
Architecture: source
Version: 1.1.4+ds-4
Distribution: unstable
Urgency: medium
Maintainer: Birger Schacht <[email protected]>
Changed-By: Birger Schacht <[email protected]>
Closes: 1134751
Changes:
 usbguard (1.1.4+ds-4) unstable; urgency=medium
 .
   * Drop 0001-Set-IPCAllowedGroups-to-root-plugdev.patch
     The `IPCAllowedGroups` config option has been marked as legacy for ages,
     so we drop the override and rely only on the access control file
     configuration approach (Closes: #1134751)
     Adapted the usbguard.README.Debian to only mention the
     `IPCAccessControlFile`.
   * Add usr/lib/tmpfiles.d/usbguard.conf to debian/usbguard.install
Git-Tag-Info: tag=471f1631cc45128ec5da8bfa01287ad267926119 fp=3af0bcb67c26ac48ceb4e5bc2a0c5d60f204bdb0
Git-Tag-Tagger: Birger Schacht <[email protected]>


--- End Message ---
