Public bug reported:

Given that, from the outside, LCDd is just a proxy translating TCP
traffic to traffic on a /dev node, it being completely unconstrained by
systemd's permissions controls on Ubuntu Linux 24.04.4 LTS is all risk,
no reward.

I've opened a feature request upstream for them to provide at least a
suggested service file (https://github.com/lcdproc/lcdproc/issues/227)
but, given that there's a 9-year gap between the latest release (2017)
and the development HEAD (2 days ago), I thought it best to also ask the
maintainer for the package I'm applying overrides to.

To start discussion, I'm attaching my
`/etc/systemd/system/lcdproc.service.d/override.conf`, categorized by
what should Just Work™ for everyone, what should Just Work™ with the
default configuration that binds to `127.0.0.1`, and what should Just
Work™ for anyone using a Serial or USB-Serial LCD.

(Aside from a Logitech G15 with a broken key that I don't have with me
at the moment, I don't have any parallel, USB-HID, or other non-
Serial/USBSerial LCDs to test with to determine what beyond
`Group=dialout` would be needed, but it should just be a matter of
adding an appropriate `/etc/udev/rules.d/*.rules` file as has become a
commonplace requirement for niche hardware.)

It takes the exposure score from `9.6 UNSAFE 😨` to `1.2 OK 🙂` with the
main big things remaining being the lack of a /dev ACL (I haven't read
up on how to log which devices it's accessing) and the not-yet-taken
opportunity to add systemd services for `lcdproc` and `lcdexec` so that
`PrivateNetwork=yes` and `JoinsNamespaceOf=` become an option.

** Affects: lcdproc (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "/etc/systemd/system/lcdproc.service.d/override.conf"
   https://bugs.launchpad.net/bugs/2159559/+attachment/5980081/+files/override.conf

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2159559

Title:
  systemd unit is far too lenient

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lcdproc/+bug/2159559/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
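
The three categories the report describes, sketched as a systemd drop-in. This is an added example, not the attached override.conf and not lcdproc's or Ubuntu's own unit. The choice of directives, the serial device classes, and the use of `ProtectSystem=full` rather than `strict` are assumptions, and the file has not been tested against the packaged LCDd.

```ini
# Constructed illustration for
# /etc/systemd/system/lcdproc.service.d/override.conf
# (path taken from the report; contents are assumptions, not the attachment).
[Service]

# --- 1. Should apply regardless of LCDd configuration or display type ---
NoNewPrivileges=yes
# "full" keeps /usr, /boot, /efi and /etc read-only. "strict" would also make
# /run and /var read-only and would need ReadWritePaths= for anything LCDd
# writes there (assumption: not verified for this package).
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native

# --- 2. Valid only while LCDd keeps the default bind to 127.0.0.1 ---
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Deny everything, then allow loopback back in.
IPAddressDeny=any
IPAddressAllow=localhost

# --- 3. Serial / USB-serial displays ---
# Group named in the report; grants access to the tty device nodes.
Group=dialout
# PrivateDevices=yes would hide the serial nodes entirely, so use an
# allow-list instead. Names after "char-" are classes from /proc/devices.
DevicePolicy=closed
DeviceAllow=char-ttyS rw
DeviceAllow=char-ttyUSB rw
DeviceAllow=char-ttyACM rw
```

After `systemctl daemon-reload` and a service restart, `systemd-analyze security lcdproc.service` reports an exposure score in the format quoted in the report and lists which directives are still unset.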
