Matthias Gerstner
f5802a1cf0
(bsc#1197532). This prevents arbitrary users from meddling with TPM state and thus potential denial-of-service vectors. OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-abrmd?expand=0&rev=65
12 lines
679 B
Plaintext
The tpm2-abrmd by upstream default allows every local user in the system to access the TPM chip and modify its settings (bsc#1197532). Upstream suggests using the TPM's internal security features (e.g. password protection) to prevent local users from manipulating the chip without authorization. Still, the default behaviour that every user in the system can access TPM features without any authentication could come as a surprise to end users and system integrators alike.

For this reason, on SUSE only members of the 'tss' group are allowed to access the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of the /dev/tpm0 and /dev/tpmrm0 character devices.
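The restriction described above is enforced through the D-Bus bus policy for the daemon's well-known name. The following added example (written for this page, not code shipped by the tpm2-abrmd project or the SUSE package) embeds two constructed busconfig documents, one in the permissive upstream-style shape and one restricted to the 'tss' group, and evaluates which callers may send method calls to the daemon. The bus name com.intel.tss2.Tabrmd is the name tpm2-abrmd actually owns; the XML documents themselves are illustrative and are not the files from the package, and the evaluator only models the send_destination rules, not every feature of dbus-daemon's policy language.

```python
"""Evaluate a D-Bus busconfig policy: who may call a given bus name?

Added example, not part of tpm2-abrmd or the SUSE package. The two policy
documents below are constructed for illustration; they are not the shipped
configuration files.
"""
import xml.etree.ElementTree as ET

# Well-known bus name owned by tpm2-abrmd.
TABRMD_BUS_NAME = "com.intel.tss2.Tabrmd"

# Constructed: permissive shape, any local user may call the daemon.
UPSTREAM_STYLE_POLICY = """<?xml version="1.0"?>
<busconfig>
  <policy user="tss">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.intel.tss2.Tabrmd"/>
    <allow receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
</busconfig>
"""

# Constructed: restricted shape, only root and members of group tss may call it,
# mirroring the group ownership of /dev/tpm0 and /dev/tpmrm0.
GROUP_RESTRICTED_POLICY = """<?xml version="1.0"?>
<busconfig>
  <policy user="tss">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy context="default">
    <deny send_destination="com.intel.tss2.Tabrmd"/>
    <deny receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy group="tss">
    <allow send_destination="com.intel.tss2.Tabrmd"/>
    <allow receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy user="root">
    <allow send_destination="com.intel.tss2.Tabrmd"/>
    <allow receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
</busconfig>
"""


def send_allowed(policy_xml, bus_name, user=None, groups=()):
    """Return True if a caller (given user name and group memberships) may send
    method calls to bus_name under this busconfig.

    Mirrors dbus-daemon ordering: context="default" policies apply first, then
    group= policies, then user= policies; within that order the last matching
    <allow>/<deny> rule wins. With no matching rule at all the system bus
    denies the call.
    """
    root = ET.fromstring(policy_xml)
    decision = False  # system bus default: deny
    for section in ("default", "group", "user"):
        for policy in root.iter("policy"):
            if section == "default" and policy.get("context") != "default":
                continue
            if section == "group" and policy.get("group") not in groups:
                continue
            if section == "user" and (user is None or policy.get("user") != user):
                continue
            for rule in policy:
                if rule.tag not in ("allow", "deny"):
                    continue
                dest = rule.get("send_destination")
                if dest is None or dest not in (bus_name, "*"):
                    continue
                decision = rule.tag == "allow"
    return decision


def access_matrix(policy_xml, bus_name):
    """Summarise access for a few representative callers (constructed users)."""
    callers = {
        "root": ("root", ()),
        "tss member": ("alice", ("tss",)),
        "plain user": ("bob", ("users",)),
    }
    return {label: send_allowed(policy_xml, bus_name, u, g)
            for label, (u, g) in callers.items()}


if __name__ == "__main__":
    for name, doc in (("upstream-style", UPSTREAM_STYLE_POLICY),
                      ("group-restricted", GROUP_RESTRICTED_POLICY)):
        print(name, access_matrix(doc, TABRMD_BUS_NAME))
```

Run as a script it prints, for each policy document, whether root, a 'tss' member and an unprivileged user may call the daemon; the same functions can be pointed at a real file under /usr/share/dbus-1/system.d/ to confirm that a deployment actually closes the default context rather than relying on TPM-internal authorization alone.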