Closed brphilly closed 2 years ago
Hi @brphilly,
a quick look at the code reveals that the error message is produced at… https://github.com/USBGuard/usbguard/blob/87e5c2dac79ca6edbe500391436aa565b59304a1/src/Daemon/Daemon.cpp#L466-L472 … which means that function parseIPCAccessControlFilename
threw an exception. The way I read function parseIPCAccessControlFilename
at… https://github.com/USBGuard/usbguard/blob/87e5c2dac79ca6edbe500391436aa565b59304a1/src/Daemon/Daemon.cpp#L446-L457 … it seems to be okay with both filename formats user:group
and user
but it then calls out to checkIPCAccessControlName
for an empty group name, which then checkIPCAccessControlName
forwards to checkAccessControlName
at… https://github.com/USBGuard/usbguard/blob/87e5c2dac79ca6edbe500391436aa565b59304a1/src/Daemon/Daemon.cpp#L441-L444 …, which in turn forwards to isValidName
at… https://github.com/USBGuard/usbguard/blob/64f7169ed346ed61fa5f25dafd897db4fa746ea0/src/Library/public/usbguard/IPCServer.cpp#L33-L42 …, which rejects empty strings at… https://github.com/USBGuard/usbguard/blob/b15ef713a9ac47e84525bbf829c7f444b84c3c81/src/Common/Utility.cpp#L546-L554 … (since commit b15ef713a9ac47e84525bbf829c7f444b84c3c81 introduce with release 1.1.0) which explains this problem.
So one possible fix would be to adjust function parseIPCAccessControlFilename
to only call out to checkIPCAccessControlName(group)
when group
is non-empty. Does that make sense?
Best, Sebastian
@brphilly any chance you could try if pull request #541 fully fixes this problem for you?
@brphilly any chance you could try if pull request #541 fully fixes this problem for you?
Just compiled this PR and can confirm it fixed the problem. The logs now show
[1646502018.264] (i) Loading IPC access control files at /etc/usbguard/IPCAccessControl.d
[1646502018.264] (T) Utility.cpp@361/loadFiles: L: brady : /etc/usbguard/IPCAccessControl.d/brady
[1646502018.264] (i) Loading IPC access control file /etc/usbguard/IPCAccessControl.d/brady
[1646502018.264] (T) Daemon.cpp@1090/addIPCAllowedUser: user=brady
and everything seems to work. Thanks so much for the quick fix!
@brphilly thanks for testing and reporting back! :+1:
@radosroka any chance for a release 1.1.1 with the regression fix from PR #541 ?
@radosroka any chance for a release 1.1.1 with the regression fix from PR #541 ?
@radosroka I'm currently considering to backport PR #541 in Gentoo packaging of USBGuard but since it's a regression fix from 1.0.0, all distros should ideally have this patch and not need to accumulate distro-agnostic patches. Any chance you could cut release 1.1.1 from Git master
?
@radosroka any chance for a release 1.1.1 with the regression fix from PR #541 ?
@radosroka I'm currently considering to backport PR #541 in Gentoo packaging of USBGuard but since it's a regression fix from 1.0.0, all distros should ideally have this patch and not need to accumulate distro-agnostic patches. Any chance you could cut release 1.1.1 from Git
master
?
I'll do it later today.
I'll do it later today.
@radosroka awesome, thank you! :+1:
Ever since upgrading to usbguard 1.1.0, I'm getting this error
ERROR: IPC connect: service=usbguard: Operation not permitted
when trying to use usbguard as my user. I ranusbguard-daemon -d
and the logs showedThe file
/etc/usbguard/IPCAccessControl.d/brady
was created byand it has the correct permissions.
I saw #479 and thought maybe that is causing the issue. I'm using Arch Linux in case it matters.