feat: modifying and disabling the udev rules #288

Open
wants to merge 2 commits into
base: master
34 changes: 33 additions & 1 deletion software/nitropy/linux/udev.rst
@@ -1,4 +1,4 @@
Setting up The udev Rules
Setting Up The udev Rules
=========================

To be able to access your devices without root privileges, nitropy requires the
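
Review bot: The retitled heading "Setting Up The udev Rules" still capitalizes "The", while the "Disabling the udev Rules" heading added further down in this file uses lowercase "the". Pick one form for all three headings, for example "Setting Up the udev Rules", "Modifying the udev Rules" and "Disabling the udev Rules".
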
Expand All @@ -23,3 +23,35 @@ After installing the rules, you need to reload them::
If you still cannot access your device, try again after rebooting your system.
If you encouter issues, look at this `github comment <https://github.com/Nitrokey/pynitrokey/issues/167#issuecomment-1024921046>`__
for some debugging hints.

Modifying The udev Rules
========================

The downloaded ruleset gives any unprivileged user app the permissions to update and modify all available Nitrokeys. This is a necessary privilege escalation to use the apps without root, but comes with the downside of weakening the protection of your key.

You can modify the ruleset, which requires root access::

sudoedit /etc/udev/rules.d/41-nitrokey.rules

Here you can comment out blocks or rules that you don't need, like rules for other keys you dont use. Do this by placing ``#`` in front of the each line.

Example::

# # USB SmartCard Readers
# ## Crypto Stick 1.2
# ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"

Disabling the udev Rules
========================

Only do this if you dont want to write anything to the key, inclusing new passkeys or GPG keys. This increases security, for example when using it primarily to verify HEADS.

To disable the rules, and prevent any user app from modifying your key, simply rename the file with the "move" command::

sudo mv /etc/udev/rules.d/41-nitrokey.rules /etc/udev/rules.d/41-nitrokey.rules.disabled
sudo udevadm control --reload-rules && sudo udevadm trigger

To enable them again, for example once a firmware update is there, reverse the command::

sudo mv /etc/udev/rules.d/41-nitrokey.rules.disabled /etc/udev/rules.d/41-nitrokey.rules
sudo udevadm control --reload-rules && sudo udevadm trigger
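
Review bot: The "Modifying The udev Rules" section ends at the commented-out example and never tells the reader to reload the rules, although the "Disabling" section does and the context line above says "After installing the rules, you need to reload them". Add the same "sudo udevadm control --reload-rules && sudo udevadm trigger" step after the sudoedit example, otherwise an edited ruleset may not take effect until reboot. It would also help to say, in the "Disabling" section, whether a key that is already plugged in has to be re-inserted before the tighter permissions apply, since the point of that section is a security guarantee the reader cannot otherwise confirm. Wording fixes in the added text: "dont" appears twice and should be "don't", "inclusing" should be "including", "in front of the each line" should be "in front of each line", "any unprivileged user app the permissions" reads better as "any unprivileged user application permission", and "once a firmware update is there" as "once a firmware update is available".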