I have already covered how to configure
usbguard-daemon IPC access control in a previous post.
However, the 0.7.0 release introduced another way to configure the same thing with more control over who can do what.
Previously, one could only grant a user or group access to the whole IPC interface. With the new ACL system, access can be limited to specific sections of the interface and to specific privileges inside each section.
The available sections and privileges are:

- Section: Devices
  - modify: Change authorization state of devices including permanent changes (i.e. modification of device specific rules in the policy).
  - list: Ability to get a list of recognized devices and their attributes.
  - listen: Listen to device presence and device policy changes.
- Section: Policy
  - modify: Append rules to or remove any rules from the policy.
  - list: Ability to view the currently enforced policy.
- Section: Exceptions
  - listen: Receive exception messages.
- Section: Parameters
  - modify: Set values of run-time parameters.
  - list: Get values of run-time parameters.
To use this new system, you first have to modify the usbguard-daemon configuration and set the
IPCAccessControlFiles setting to point to a location where the ACL definition files will be stored, for example:
Once set, you can use the usbguard CLI to define the ACL. For example:
$ sudo usbguard add-user joe --devices ALL --policy list,listen --exceptions ALL
That command gives user joe full access to the Devices and Exceptions sections (ALL stands for every privilege of a section). In addition, joe will be able to list the policy and listen to policy signals. Note that the privilege list above offers only modify and list for the Policy section; device presence and device policy change signals are covered by the listen privilege of the Devices section, so check the usbguard-daemon.conf(5) man page of your release before relying on a Policy listen privilege.
To remove the definition, use:
$ sudo usbguard remove-user joe
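Because the daemon only enforces what the ACL files say, it is worth checking a requested ACL against the section and privilege table above before applying it. The script below is an added example, not code from the original post or from the usbguard project: it builds the `usbguard add-user` command line from section=privileges pairs, refuses any privilege the table does not document for that section, and prints the command instead of running it. It follows the table strictly, so it refuses the Policy listen privilege used in the example above. The `-g` (group) and `--parameters` options are taken from my memory of usbguard(1), not from this post, and the IPCAccessControlFiles value in the comment is the default I recall from usbguard-daemon.conf(5); verify both on your release.

```shell
#!/bin/sh
# Added example, not part of the original post or of usbguard itself.
# Step 1 (manual): point usbguard-daemon.conf at the ACL directory, e.g.
#   IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
# (assumed value: the default shipped with usbguard, as I recall it).
# Step 2: build and sanity-check the `usbguard add-user` invocation before running it.

# Privileges documented for each IPC section in usbguard-daemon.conf(5).
allowed_privs() {
  case "$1" in
    devices)    echo "modify list listen" ;;
    policy)     echo "modify list" ;;
    exceptions) echo "listen" ;;
    parameters) echo "modify list" ;;   # assumed: --parameters follows the pattern of the other options
    *)          return 1 ;;
  esac
}

# check_privs SECTION PRIVLIST
# Succeeds if PRIVLIST is ALL or every comma-separated entry is documented for SECTION.
check_privs() {
  allowed=$(allowed_privs "$1") || return 1
  [ "$2" = "ALL" ] && return 0
  old_ifs=$IFS
  IFS=','
  for p in $2; do
    case " $allowed " in
      *" $p "*) ;;
      *) IFS=$old_ifs; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# build_add_user [-g] NAME SECTION=PRIVS...
# Prints the usbguard add-user command line for a user (or a group with -g, assumed option),
# or prints an error and fails if a section or privilege is not documented.
build_add_user() {
  kind=""
  if [ "$1" = "-g" ]; then kind="-g "; shift; fi
  name=$1; shift
  cmd="usbguard add-user ${kind}${name}"
  for spec in "$@"; do
    section=${spec%%=*}
    privs=${spec#*=}
    if ! check_privs "$section" "$privs"; then
      echo "refusing '$privs' for section '$section': not in the documented privilege list" >&2
      return 1
    fi
    cmd="$cmd --$section $privs"
  done
  echo "$cmd"
}

# Usage (prints the command; prefix it with sudo to apply it):
#   build_add_user joe devices=ALL policy=list exceptions=ALL
#   build_add_user -g staff devices=list,listen parameters=list
#   build_add_user joe policy=list,listen   # refused: listen is not documented for Policy
```

Pipe the printed command into `sudo sh` once you are happy with it; removing the definition again is the same `usbguard remove-user joe` (or `remove-user -g staff`) shown above.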