Page MenuHomeSolus
Create Task
Maniphest T9734

spice-gtk: USB redirection error
Closed, ResolvedPublic
Actions

Description

Using any of software (like gnome-boxes, ...) using spice-gtk (R2947) , USB redirection to guest OS fails. This is because one of the helpers has not setuid bit.

The Issue appears while spice-gtk is build with polkit support, as says a note in the source package.

Steps to Reproduce:

  1. Use non-root user login system.
  2. Launch virt-manager, input password for authentication. Or gnome-boxes, or any software that uses spice-gtk
  3. Configure a guest and try usb redirection in settings.
  4. Error shows:

spice-client-glib-usb-helper: Error setting facl: Operation not permitted

Workaround:
setuid (chmod 4755) the file /usr/lib64/spice-gtk/spice-client-glib-usb-acl-helper

The Fedora project does it here, line 166 of their spec:
https://src.fedoraproject.org/rpms/spice-gtk//blob/rawhide/f/spice-gtk.spec#_166

Same issue appeared in Arch:
https://bugs.archlinux.org/task/69428
Resolved by commit:
https://github.com/archlinux/svntogit-community/commit/206238fa474bcbb7fe4621ff310a2a78887f380c#diff-3e341d2d9c67be01819b25b25d5e53ea3cdf3a38d28846cda85a195eb9b7203a

However, one can use other means than setuid to fix this issue, using capapiblity «cap_fowner»:
https://gitlab.freedesktop.org/spice/spice-gtk/-/merge_requests/42

Thanks.

Revisions and Commits

R2947 spice-gtk
D11138R2947:3ebf93c3ff96 spice-gtk: set suid bit on usb redirection helper, fixes T9734

Event Timeline

be1 created this task.May 20 2021, 7:39 PM
be1 renamed this task from spice-gtk: USB redirection error, suid should be set in post-install. to spice-gtk: USB redirection error.May 20 2021, 7:42 PM
be1 updated the task description. (Show Details)
ReillyBrogan added a subscriber: ReillyBrogan.May 21 2021, 12:05 AM
be1 added a comment.May 21 2021, 12:26 AM

I'm okay to be assigned to that, but I don't know if i have rights to modify or propose modifications to R2947.

ReillyBrogan added a comment.May 21 2021, 1:04 AM

@be1 That repo doesn't have a maintainers.md file so it's more or less fair game for anyone to modify. You just need to make sure that your updated package is well-tested with whatever depends on that package (which you can find out with eopkg info spice-gtk). Since you're just making a permission change on one of the bundled files and not something extensive that testing does not need to be exhaustive.

be1 added a comment.May 21 2021, 12:50 PM

Thanks.
I tried the following command in install block:

setcap CAP_FOWNER=+ep $installdir/usr/lib64/spice-gtk/spice-client-glib-usb-acl-helper

but, despite there is no error reported at build time, the resulted extracted binary package doesn't contain the capability attribute.
Maybe the attribute is not kept in the archive file format ?

However, using

chmod 4755 $installdir/usr/lib64/spice-gtk/spice-client-glib-usb-acl-helper

is okay, but this is not optimal.

I don't know how to set a command to be executed at package install time. Thanks for your comments.

be1 claimed this task.May 21 2021, 2:30 PM

I've pushed an arc diff of the fix.

be1 added a revision: D11138: spice-gtk: set suid bit on usb redirection helper, fixes T9734.May 21 2021, 3:26 PM
JoshStrobl triaged this task as Normal priority.May 28 2021, 8:53 PM
JoshStrobl moved this task from Backlog to Package Fixes on the Software board.
DataDrake closed this task as Resolved by committing R2947:3ebf93c3ff96: spice-gtk: set suid bit on usb redirection helper, fixes T9734.May 30 2021, 3:08 PM
DataDrake added a commit: R2947:3ebf93c3ff96: spice-gtk: set suid bit on usb redirection helper, fixes T9734.
Copyright © 2015-2021 Solus Project. The Solus logo is Copyright © 2016-2021 Solus Project. All Rights Reserved.