4597baeb9cb214220b3fb8807c6a52c05451515fc9c31987b67649a9e5ca108f
The tpm2-abrmd by upstream default allows every local users in the system to access the TPM chip and modify its settings (bsc#1197532). Upstream suggests to use the TPM's internal security features (e.g. password protection) to prevent local users from manipulating the chip without authorization. Still the default behaviour that every user in the system can access TPM features without any authentication could come as a surprise to end users and system integrators alike. For this reason on SUSE only members of the 'tss' group are allowed to access the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of the /dev/tpm0 and /dev/tpmrm0 character devices.
Description
Languages
Diff
100%