
Bug 666748

Summary: app-crypt/libu2f-host - /dev/hidraw* device nodes get wrong permissions
Product: Gentoo Linux
Reporter: Fabio Coatti <fabio.coatti>
Component: Current packages
Assignee: Marek Szuba <marecki>
Status: RESOLVED OBSOLETE
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Fabio Coatti 2018-09-22 09:23:53 UTC
Hi, I have a Yubico Security Key by Yubico device, identified as follows:
hid-generic 0003:1050:0120.0007: hiddev1,hidraw4: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:14.0-6/input0
If I run ykman info as root, I get the expected result:
Device type: FIDO U2F Security Key
Serial number: Not set or unreadable
Firmware version: 4.3.3
Enabled USB interfaces: FIDO

Applications
OTP             Not available
FIDO U2F        Enabled      
OpenPGP         Not available
PIV             Not available
OATH            Not available
FIDO2           Not available

However, as user it does not work:
Error: Failed connecting to the YubiKey.

Looking at hidraw permissions, it seems that permissions are not ok:

crw-rw---- 1 root plugdev 244, 3 Sep 22 07:49 /dev/hidraw3
crw------- 1 root root    244, 4 Sep 22 11:08 /dev/hidraw4

Forcing plugdev group and 664, the key is accessible as user.
The udev rule is (in /etc/udev/rules.d/70-u2f.rules):
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess"
and it gets triggered (checked with a script); however, it seems that the uaccess part is ignored.
I've dug a bit and systemd seems compiled with the right options, at least as far as I can understand:
systemd 239 running in system mode. (+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 +IDN +PCRE2 default-hierarchy=hybrid)
Can someone give me some hints about how to proceed in understanding this behaviour? I can figure out some changes in the udev rule, but it seems a bit of a dirty workaround to me.
Thanks


Reproducible: Always




Portage 2.3.49 (python 3.5.5-final-0, default/linux/amd64/17.1/desktop/plasma/systemd, gcc-8.2.0, glibc-2.27-r6, 4.18.9-cova x86_64)
=================================================================
System uname: Linux-4.18.9-cova-x86_64-Intel-R-_Core-TM-_i7-6820HQ_CPU_@_2.70GHz-with-gentoo-2.6
KiB Mem:    65296272 total,  58318712 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of repository gentoo: Sat, 22 Sep 2018 08:24:21 +0000
Head commit of repository gentoo: 976d19f1d60606c65a4e31010c4c052c33d7fae3

sh bash 4.4_p23
ld GNU ld (Gentoo 2.31.1 p1) 2.31.1
app-shells/bash:          4.4_p23::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.26.2::gentoo
dev-lang/python:          2.7.15::gentoo, 3.4.8-r1::gentoo, 3.5.5-r1::gentoo, 3.6.6::gentoo, 3.7.0::gentoo
dev-util/cmake:           3.12.2::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.11.6-r3::gentoo, 1.13.4-r2::gentoo, 1.16.1-r1::gentoo
sys-devel/binutils:       2.31.1::gentoo
sys-devel/gcc:            8.2.0-r2::gentoo
sys-devel/gcc-config:     2.0::gentoo
sys-devel/libtool:        2.4.6-r5::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.17::gentoo (virtual/os-headers)
sys-libs/glibc:           2.27-r6::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/repo/sync/gentoo.git
    priority: -1000
    sync-git-verify-commit-signature: yes

kde
    location: /var/lib/layman/kde
    sync-type: laymansync
    sync-uri: https://github.com/gentoo/kde.git
    masters: gentoo
    priority: 50

pypi
    location: /var/lib/layman/pypi
    sync-type: laymansync
    sync-uri: gs-pypi pypi
    masters: gentoo
    priority: 50

torbrowser
    location: /var/lib/layman/torbrowser
    sync-type: laymansync
    sync-uri: https://github.com/MeisterP/torbrowser-overlay.git
    masters: gentoo
    priority: 50

vmware
    location: /var/lib/layman/vmware
    sync-type: laymansync
    sync-uri: https://anongit.gentoo.org/git/proj/vmware.git
    masters: gentoo
    priority: 50

local
    location: /usr/overlay
    masters: gentoo
    priority: 51

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O3 -fgraphite-identity -floop-nest-optimize -ftree-loop-distribution -flto=4 -fuse-linker-plugin -pipe -fpie -fpic -fstack-protector-strong"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /usr/share/sddm/scripts/Xsetup"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O3 -fgraphite-identity -floop-nest-optimize -ftree-loop-distribution -flto=4 -fuse-linker-plugin -pipe -fpie -fpic -fstack-protector-strong"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_IE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -march=native -O3 -fgraphite-identity -floop-nest-optimize -ftree-loop-distribution -flto=4 -fuse-linker-plugin -pipe -fpie -fpic -fstack-protector-strong -Wl,--as-needed -Wl,--hash-style=gnu"
LINGUAS="en it de"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="3dnow 3dnowext 3dnowprefetch X \ a52 aac aalib acl acpi activities aim alsa amd64 apng appstream ares asf ati audio audiofile avahi bash-completion berkdb bidi bl bluetooth branding bri bzip2 cairo caps cdda cdr cjk cli crypt cups curl cxx dba dbus declarative device-mapper dga divx divx4linux dri dts dv dvb dvd dvdr dvdread eap-sim edl egl emboss encode ethereal evdev exif expat faad fam fame fbcon ffmpeg fftw flac force-cgi-redirect fortran ftp gallium garmin gd gdbm gif gimp glamor gmedia gmp gnutls gphoto2 gpm gps gsm gtk h264 h323 iconv icq icu idn ifp ilbc imagemagick imap innodb ipod iproute2 ipv6 ithreads jabber java javascript joystick jpeg kde kipi kontact kvm kwallet lastfm lcms ldap libnotify libtirpc libvirtd live lm_sensors lua lvm lxc lzma lzo mad maildir matroska mbox mdnsresponder-compat mhash mime mjpeg mmap mmx mmxext mng modules mozdevelop mozilla mp3 mp4 mpeg msn mtp multilib mysql ncurses network networkmanager new-hpcups nfsv4 njb nls nptl nptlonly nsplugin offensive ofx ogg oggvorbis ogm openal openexr opengl openmp oscar pam pango parted pcap pcre pdf phonon php plasma plotutils png policykit ppds pulseaudio qemu qml qt5 readline real rtc ruby samba sasl sdl seccomp semantic-desktop semantic-destkop sha512 sip slang slp smartcard sndfile snmp sox speex spell srt sse sse2 ssh ssl ssse3 startup-notification svg symlink systemd tcltk tcpd telepathy theora threads tiff tk touchpad tremor truetype udev udisks unicode upower usb utempter v4l v4l2 vaapi vcd vde vdpaum vhosts video videos vim-syntax virt-network virtualbox vorbis vulkan wav wayland webkit widgets wifi wmf wmp wps wxwidgets wxwindows x264 xanim xattr xcb xcomposite xface xft xine xinerama xml xosd xpm xscreensaver xsl xv xvid zeroconf zlib zpm" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" 
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon plan sheets stage words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en it de en_IE" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LLVM_TARGETS="X86" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-0" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_4 python3_5 python3_6" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby23 ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="i965 intel nvidia v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Fabio Coatti 2018-09-30 18:28:20 UTC
After some investigation, this seems related to #667372, as downgrading to sys-apps/acl-2.2.52-r1 solves the problem.
Comment 2 Marek Szuba archtester gentoo-dev 2022-08-15 09:15:35 UTC
libu2f-host udev rules have been setting mode 0660 on hidraw nodes for quite a while now.
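
An added example, not part of the bug report or of libu2f-host: a shell helper that tells apart the situations discussed above (rule not matching, rule matching but no uaccess ACL on the node, ACL applied, and the 664 workaround that opens the node to every local account). The verdict strings and the `--scan` switch are invented for this example; it assumes GNU `stat`, `udevadm` and `getfacl` are installed.

```shell
#!/bin/sh
# Classify a hidraw node from the text of three commands:
#   $1  udevadm info --query=property --name=NODE
#   $2  stat -c '%a' NODE            (octal mode, e.g. 600)
#   $3  getfacl -p NODE
diagnose_hidraw() {
    props=$1 mode=$2 acl=$3
    # Last octal digit holds the permissions for "other".
    other=${mode#"${mode%?}"}
    if [ "$other" != 0 ]; then
        echo "world-accessible"      # e.g. the 664 workaround
        return 0
    fi
    tags=$(printf '%s\n' "$props" | grep -E '^(CURRENT_)?TAGS=' || true)
    case $tags in
        *:uaccess:*) ;;
        *) echo "no-uaccess-tag"     # the udev rule did not match this node
           return 0 ;;
    esac
    # uaccess grants the seat's active user a named-user ACL entry
    # (user:NAME:rw-); the owner entry "user::rw-" does not count.
    if printf '%s\n' "$acl" | grep -Eq '^user:[^:]+:rw'; then
        echo "uaccess-acl-applied"
    else
        echo "tag-set-acl-missing"   # rule fired, ACL never reached the node
    fi
}

# Run the check against every hidraw node present on this machine.
scan_hidraw() {
    for node in /dev/hidraw*; do
        [ -e "$node" ] || continue
        p=$(udevadm info --query=property --name="$node" 2>/dev/null || true)
        m=$(stat -c '%a' "$node")
        a=$(getfacl -p "$node" 2>/dev/null || true)
        printf '%s\t%s\n' "$node" "$(diagnose_hidraw "$p" "$m" "$a")"
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_hidraw
fi
```

A result of `tag-set-acl-missing` corresponds to the state described in the report: the rule is triggered, but the node stays `root:root` with mode 600 and no user ACL entry.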