Dear Security Team,

I think bug #1050493 concerning gnome-settings-daemon and usbguard represents a security issue for people using usbguard. As later reported by me, I experienced this problem not only on dist upgrades.
-------- Forwarded Message --------
Subject: gnome-settings-daemon breaks existing usbguard rules, allowing all usb device by default
Date: Fri, 25 Aug 2023 11:18:06 +0200
From: John Livingston <report...@john-livingston.fr>
To: Debian Bug Tracking System <sub...@bugs.debian.org>

Package: gnome-settings-daemon
Version: 43.0-4
Severity: normal
X-Debbugs-Cc: report...@john-livingston.fr

Dear Maintainer,

I'm using USBGuard to prevent attacks using bad USB devices. So I had some rules defined in /etc/usbguard/rules.conf, allowing only known USB devices.

This worked perfectly well in Debian Bullseye. When I connected a new USB device, I first had to allow it.

But since I upgraded to Bookworm, all USB devices are accepted by default, making usbguard useless...

It seems this rule is added at runtime by gnome-settings-daemon:
https://gitlab.gnome.org/denittis/gnome-settings-daemon/blob/29ae1fb6b76a38f27a0875be0e3fffe0a904ea1e/plugins/usb-protection/gsd-usb-protection-manager.c#L145

This is really bad, as it disables a protection without any warning.

I found some documentation about this new behaviour:
https://wiki.archlinux.org/title/USBGuard (section "Gnome integration")

Seems I have to do:

    gsettings set org.gnome.desktop.privacy usb-protection-level always

When upgrading from a previous version, it should detect if there are any rules already defined, and set the default level to always. Or at least warn the user somehow.
Best regards,
John

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-24-amd64 (SMP w/8 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-settings-daemon depends on:
ii  gnome-settings-daemon-common  43.0-4
ii  gsettings-desktop-schemas     43.0-1
ii  libasound2                    1.2.8-1+b1
ii  libc6                         2.36-9+deb12u1
ii  libcairo2                     1.16.0-7
ii  libcanberra-gtk3-0            0.30-10
ii  libcanberra0                  0.30-10
ii  libcolord2                    1.4.6-2.2
ii  libcups2                      2.4.2-3+deb12u1
ii  libfontconfig1                2.14.1-4
ii  libgcr-base-3-1               3.41.1-1+b1
ii  libgdk-pixbuf-2.0-0           2.42.10+dfsg-1+b1
ii  libgeoclue-2-0                2.6.0-2
ii  libgeocode-glib-2-0           3.26.3-6
ii  libglib2.0-0                  2.74.6-2
ii  libgnome-desktop-3-20         43.2-2
ii  libgtk-3-0                    3.24.37-2
ii  libgudev-1.0-0                237-2
ii  libgweather-4-0               4.2.0-2
ii  libmm-glib0                   1.20.4-1
ii  libnm0                        1.42.4-1
ii  libnotify4                    0.8.1-1
ii  libnspr4                      2:4.35-1
ii  libnss3                       2:3.87.1-1
ii  libpam-systemd [logind]       252.12-1~deb12u1
ii  libpango-1.0-0                1.50.12+ds-1
ii  libpangocairo-1.0-0           1.50.12+ds-1
ii  libpolkit-gobject-1-0         122-3
ii  libpulse-mainloop-glib0       16.1+dfsg1-2+b1
ii  libpulse0                     16.1+dfsg1-2+b1
ii  libspa-0.2-bluetooth          0.3.65-3
ii  libupower-glib3               0.99.20-2
ii  libwacom9                     2.6.0-1
ii  libwayland-client0            1.21.0-1
ii  libx11-6                      2:1.8.4-2+deb12u1
ii  libxext6                      2:1.3.4-1+b1
ii  libxfixes3                    1:6.0.0-2
ii  libxi6                        2:1.8-1+b1
ii  pipewire-audio                0.3.65-3

Versions of packages gnome-settings-daemon recommends:
ii  iio-sensor-proxy    3.0-2
ii  pipewire-audio      0.3.65-3
ii  pkexec              122-3
ii  x11-xserver-utils   7.7+9+b1

Versions of packages gnome-settings-daemon suggests:
ii  usbguard  1.1.2+ds-3+b1

-- no debconf information
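An audit helper for the condition the report describes, added here as an example and not part of the bug report or of either project: it scans `usbguard list-rules` output for a catch-all `allow` rule (one with no device attributes, which admits every device) and checks whether the GNOME `usb-protection-level` setting is `always`, printing the `gsettings` fix from the report when it is not. It assumes `usbguard list-rules` prints one rule per line in the `<id>: <rule>` form and that `gsettings get` prints the value quoted (`'lockscreen'`); the sample rule listing and setting value are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added audit helper (not the reporter's code): flag a catch-all "allow" rule
# in usbguard's active rule set and a usb-protection-level other than "always".

# Constructed sample in the "<id>: <rule>" form printed by `usbguard list-rules`.
# Rule 3 is a bare "allow" with no device attributes: it admits every device.
SAMPLE_RULES='1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller"
2: allow id 046d:c52b serial "" name "USB Receiver"
3: allow'

# Constructed sample of `gsettings get org.gnome.desktop.privacy usb-protection-level`.
SAMPLE_LEVEL="'lockscreen'"

# find_catchall_rules RULES: print the id of every rule whose text is exactly
# "allow" (trailing whitespace ignored), i.e. a rule with no device constraints.
find_catchall_rules() {
    printf '%s\n' "$1" | awk '
        {
            id = $0; sub(/:.*$/, "", id)                 # text before the first colon
            rule = $0; sub(/^[0-9]+:[ \t]*/, "", rule)   # text after "<id>: "
            sub(/[ \t]+$/, "", rule)
            if (rule == "allow") print id
        }'
}

# count_catchall_rules RULES: number of catch-all allow rules (0 when none).
count_catchall_rules() {
    find_catchall_rules "$1" | awk 'END { print NR }'
}

# level_is_always LEVEL: succeed when the setting is "always", accepting both
# the quoted form gsettings prints and the bare word.
level_is_always() {
    case "$1" in
        "'always'"|always) return 0 ;;
        *) return 1 ;;
    esac
}

# audit RULES LEVEL: print findings plus the remediation from the report;
# succeed only when no catch-all rule exists and the level is "always".
audit() {
    rules=$1 level=$2 status=0
    for id in $(find_catchall_rules "$rules"); do
        echo "catch-all allow rule present (id $id): every USB device is accepted"
        echo "  review with: usbguard list-rules; remove with: usbguard remove-rule $id"
        status=1
    done
    if ! level_is_always "$level"; then
        echo "usb-protection-level is $level, not 'always'"
        echo "  fix: gsettings set org.gnome.desktop.privacy usb-protection-level always"
        status=1
    fi
    return $status
}

# Stand-alone run over the constructed sample. For a live check, pass
# "$(usbguard list-rules)" and
# "$(gsettings get org.gnome.desktop.privacy usb-protection-level)" instead.
audit "$SAMPLE_RULES" "$SAMPLE_LEVEL" || echo "audit: action required"
```

Running the check after a dist-upgrade, and again after a GNOME session has started, is what catches the case the report describes, since the permissive rule is appended at runtime rather than written to /etc/usbguard/rules.conf.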