search

valpackett / evscript

A tiny sandboxed Dyon scripting environment for evdev input devices that lets you do e.g. xcape in Wayland | now on https://codeberg.org/valpackett/evscript
https://codeberg.org/valpackett/evscript
The Unlicense
121 stars 7 forks source link

Possible security improvements #14

Open hendursaga opened 2 years ago

hendursaga commented 2 years ago

Although I see you've done an impressive job containing this program, I think it's possible to do even better, at least, on Linux. Instead of setuid root, perhaps setgid input for handling /dev/input/*? As for /dev/uinput, I'm not sure - this article adds a new group uinput as well as udev rules, but I don't think you can setgid a program for multiple groups, correct? I don't think assigning /dev/uinput to group input would be the best choice - isn't it for reading from input devices, and not writing?

Any thoughts?

valpackett commented 2 years ago

Is the "input group" even a universal thing across distros? I don't really use Linux so I'm generally afraid to make any such changes. (Also I don't use this project actively anymore.)

don't think you can setgid a program for multiple groups, correct?

Yeah, can't do that from the filesystem.

hendursaga commented 2 years ago

Is the "input group" even a universal thing across distros?

I'm not entirely sure about that, but for all of my systems (Debian), it is. I was mostly talking about adding the possibility of using more restricted permissions to the end of the installation docs for users who might desire that.

As for /dev/uinput, I'm not sure how to proceed. Perhaps do what the article suggested? Right now the current group is root. Perhaps I could sometime test things out and report how well it works or doesn't?