Page MenuHomeSolus

spice-gtk: USB redirection error
Closed, ResolvedPublic

Description

Using any of software (like gnome-boxes, ...) using spice-gtk (R2947) , USB redirection to guest OS fails. This is because one of the helpers has not setuid bit.

The Issue appears while spice-gtk is build with polkit support, as says a note in the source package.

Steps to Reproduce:

  1. Use non-root user login system.
  2. Launch virt-manager, input password for authentication. Or gnome-boxes, or any software that uses spice-gtk
  3. Configure a guest and try usb redirection in settings.
  4. Error shows:

spice-client-glib-usb-helper: Error setting facl: Operation not permitted

Workaround:
setuid (chmod 4755) the file /usr/lib64/spice-gtk/spice-client-glib-usb-acl-helper

The Fedora project does it here, line 166 of their spec:
https://src.fedoraproject.org/rpms/spice-gtk//blob/rawhide/f/spice-gtk.spec#_166

Same issue appeared in Arch:
https://bugs.archlinux.org/task/69428
Resolved by commit:
https://github.com/archlinux/svntogit-community/commit/206238fa474bcbb7fe4621ff310a2a78887f380c#diff-3e341d2d9c67be01819b25b25d5e53ea3cdf3a38d28846cda85a195eb9b7203a

However, one can use other means than setuid to fix this issue, using capapiblity «cap_fowner»:
https://gitlab.freedesktop.org/spice/spice-gtk/-/merge_requests/42

Thanks.

Event Timeline

be1 renamed this task from spice-gtk: USB redirection error, suid should be set in post-install. to spice-gtk: USB redirection error.May 20 2021, 7:42 PM
be1 updated the task description. (Show Details)

I'm okay to be assigned to that, but I don't know if i have rights to modify or propose modifications to R2947.

@be1 That repo doesn't have a maintainers.md file so it's more or less fair game for anyone to modify. You just need to make sure that your updated package is well-tested with whatever depends on that package (which you can find out with eopkg info spice-gtk). Since you're just making a permission change on one of the bundled files and not something extensive that testing does not need to be exhaustive.

Thanks.
I tried the following command in install block:

setcap CAP_FOWNER=+ep $installdir/usr/lib64/spice-gtk/spice-client-glib-usb-acl-helper

but, despite there is no error reported at build time, the resulted extracted binary package doesn't contain the capability attribute.
Maybe the attribute is not kept in the archive file format ?

However, using

chmod 4755 $installdir/usr/lib64/spice-gtk/spice-client-glib-usb-acl-helper

is okay, but this is not optimal.

I don't know how to set a command to be executed at package install time. Thanks for your comments.

I've pushed an arc diff of the fix.

JoshStrobl triaged this task as Normal priority.May 28 2021, 8:53 PM
JoshStrobl moved this task from Backlog to Package Fixes on the Software board.