On Tue, 21 Jan 2014 11:28:03 -0800 Ryan Ware <[email protected]> said:

> On Tue, Jan 21, 2014 at 2:01 AM, Jussi Laako <[email protected]> wrote:
> 
> > On 21.1.2014 10:38, José Bollo wrote:
> >
> >> IMHO, SDB is integrated with the developer tools and that is really
> >> good. But it is not sure at all: you can become root on the device
> >> without being asked for any password, just a USB cable is needed. Also
> >> SDB is a component that is not common, not proven, not linked to PAM,
> >> and, that must be maintained at our cost. Just my 2 coins.
> >>
> >
> > SDB should require enabling developer mode on the device itself, it
> > shouldn't be enabled by default. Just like ADB (or whatever it was called)
> > on my Android devices. I've enabled it once to flash CyanogenMOD.
> >
> 
> SDB should definitely not be on by default.  Doing so goes against a number
> of different security principles including reducing attackable surface area
> and least privilege.

Sure, but the same applies to ssh. The difference is that when I enable developer
mode on my device, do some work, go to lunch with my phone and someone borrows
it for 10 mins (plugs into USB and starts messing around), they can do so with no
auth at all. Zero. If sdb were to turn off every time a phone is unplugged,
we'll have insanely annoyed developers continually finding menus to turn it on
and eventually deciding Tizen is more pain than anything else.

If they use ssh they can set up password access and/or ssh key access so it's
only accessible to the authorized developer, regardless of whether they leave
developer mode on or not. The bonus over sdb now is that ssh can also work over
wifi AND over USB, so access is possible without plugging in; again, authorized
only. If they don't actively use this it should time out after maybe a week of
inactivity (no successful login). If anything, sdb should be locked down and
restricted far more than ssh due to its lack of any auth of its own.

-- 
Carsten Haitzler (The Rasterman) <[email protected]>
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
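Taking the proposal in the message above (ssh with real credentials, and developer mode timing out after a week with no successful login) as the spec, here is an added example, not Tizen or SDB code, of what that inactivity check looks like in Python. The sshd_config fragment, the sample sshd log lines and the hostname `tizen` are constructed for the example; the rule that the inactivity clock starts at the later of the developer-mode enable time and the last accepted login is my assumption, so that a freshly enabled developer mode is not expired before anyone has logged in. Failed logins are deliberately ignored, since the thread asks for "no successful login" as the criterion.

```python
"""Developer-mode ssh access with an inactivity timeout (added example, not Tizen/SDB code)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# sshd_config fragment a developer-mode profile might ship (assumed values, not a Tizen file).
# Keys or passwords are both acceptable per the thread; empty passwords and root login are not.
DEV_MODE_SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
"""

INACTIVITY_LIMIT = timedelta(days=7)   # "maybe a week of inactivity"
LOG_YEAR = 2014                        # syslog stamps carry no year; sample is from Jan 2014

# Constructed sample sshd log lines (syslog format). Only the "Accepted ..." lines are activity.
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:44 tizen sshd[812]: Accepted publickey for developer from 192.168.0.20 port 51022 ssh2: RSA
Jan 13 18:40:01 tizen sshd[904]: Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2
Jan 14 08:03:17 tizen sshd[951]: Accepted publickey for developer from 192.168.0.20 port 51030 ssh2: RSA
Jan 20 23:59:59 tizen sshd[1203]: Failed publickey for developer from 192.168.0.44 port 40000 ssh2
"""

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>publickey|password) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_sshd_config(text: str) -> dict:
    """Minimal sshd_config parser: 'Keyword value' lines, '#' comments, case-insensitive keywords."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip().lower()
    return cfg


def login_needs_credential(cfg: dict) -> bool:
    """True when every ssh login path demands a credential, unlike the no-auth sdb path in the thread.

    sshd defaults: PermitEmptyPasswords no, PubkeyAuthentication yes, PasswordAuthentication yes.
    """
    if cfg.get("permitemptypasswords", "no") == "yes":
        return False
    pubkey = cfg.get("pubkeyauthentication", "yes") == "yes"
    password = cfg.get("passwordauthentication", "yes") == "yes"
    return pubkey or password


def parse_syslog_timestamp(stamp: str, year: int = LOG_YEAR) -> datetime:
    """'Jan 14 08:03:17' -> aware UTC datetime in the given year."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)


def last_successful_login(log_text: str) -> Optional[datetime]:
    """Newest 'Accepted publickey/password' event; failures and other noise do not count."""
    latest = None
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts = parse_syslog_timestamp(m.group("ts"))
        if latest is None or ts > latest:
            latest = ts
    return latest


def dev_mode_expired(enabled_at: datetime, last_login: Optional[datetime],
                     now: datetime, limit: timedelta = INACTIVITY_LIMIT) -> bool:
    """Developer mode should switch off once `limit` has passed since the later of
    enabling it and the last accepted login (assumption: enabling counts as activity)."""
    reference = enabled_at if last_login is None else max(enabled_at, last_login)
    return now - reference > limit


def evaluate(log_text: str, enabled_at_iso: str, now_iso: str) -> dict:
    """Wrapper taking ISO 8601 UTC strings; returns the decision and the login it was based on."""
    enabled_at = datetime.fromisoformat(enabled_at_iso)
    now = datetime.fromisoformat(now_iso)
    last = last_successful_login(log_text)
    return {"last_login": last.isoformat() if last else None,
            "expired": dev_mode_expired(enabled_at, last, now)}


if __name__ == "__main__":
    result = evaluate(SAMPLE_AUTH_LOG, "2014-01-09T00:00:00+00:00", "2014-01-21T11:28:03+00:00")
    print("last successful ssh login:", result["last_login"])
    print("developer mode expired:", result["expired"])
    print("sshd config requires a credential:",
          login_needs_credential(parse_sshd_config(DEV_MODE_SSHD_CONFIG)))
```

Run against the constructed log with "now" set to the date of the message, the last accepted login is Jan 14 08:03, the failed attempt on Jan 20 does not reset the clock, and developer mode is reported expired; moving "now" back to midnight on Jan 21 keeps it alive, since the week has not quite elapsed.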