The browser itself shouldn't have access to raw devices, as that means giving all programs running under your user the ability to flash your keyboard firmware.

The point of flatpak, wayland, etc is to prevent software from having access to everything. Making all USB devices readable and writable again circumvents the entire sandboxing concept of modern systems.

Windows and macOS allow access to USB devices for user programs. Linux by default does not allow access to USB devices, you need to chmod corresponding pseudo-file in /dev (or write udev rule to make it happen automatically). So when one uses WebUSB (or any other usb software) without root, it won't work immediately.

Modern Linux systems are more complex than that. E.g. if I plug in a USB drive and one of its partitions has permissions

    brw-rw---- 1 root disk 8, 2 Mar 14 11:51 /dev/sda2

I can still mount it even though I am not root or in the disk group. Why? Because many Linux desktops/apps can use polkit to get elevated access if a set of policy rules allow them to do so. E.g. there is typically a policy for udisks that allows clients in active sessions to mount filesystems.

Similarly, I can use fwupd to update the firmware of my machine without ever becoming root, but as a user I certainly don't have the device permissions to do it. So how? The system has a policy rule that says that every active, local user that is in the wheel group can run an update. The fwupd daemon that runs as root will then execute the update for the user.

What group does the browser run in. Surely it's the same group as the user, and has the same wheel privileges, no?

Being in the wheel group is not enough to write to the relevant device nodes. At any rate, my point was that device permissions and UID/GIDs alone do not determine whether a user or application can write to the device. Higher privileges can be mediated through polkit.

Missing the point entirely. You must still enable USB support from the site before it can see or interact with anything.

It has nothing to do with sites. You are missing the point. To access USB device with Linux, any software, including browser, should have permission to access certain files in /dev.

You visit a page. It asks for device access. You get a dialog box choosing the device that matches the filter the site wants. You can either choose a device or decline. Site does not see anything other than what you approve.

What is difficult about understanding that?

You're the one missing the forest for the trees. The security risk is not caused by websites, but by the fact that the browser can access your USB devices in the first place.

By giving the browser access to your USB devices, the browser could act as a keylogger even when you're using other applications.

Further, as there's no proper way to sandbox this, you wouldn't just be giving the browser keylogging capabilities, but any native app running under your user.

> The security risk is not caused by websites, but by the fact that the browser can access your USB devices in the first place.

Then you'd better uninstall your browser, because this is already the case right now.

The fact that Chrome makes use of that capability and Firefox does not constitute a privilege/security boundary.

On security focused distros, it obviously works in neither browser right now, because it's a fucking stupid idea.

You could have an elevated service that has separate configuration for which devices the user wants to grant access to, and it could even work as a proxy to disallow "bad" usage patterns. The interface to USB devices doesn't need to be directly with the kernel.

It's true though that it's difficult to ensure only a certain process has access to it, though the default value set to ptrace_scope by e.g. Ubuntu is a step towards helping that.. But in principle the service can know which executable is issuing the request.

All in all this seems quite a big effort for perhaps not that great benefit. In the meanwhile I'll be using Chromium for WebSerial and WebUSB needs.

Except the browser can't even see the device if it's even a vaguely secure operating system.

taking this from vial website

``` export USER_GID=`id -g`; sudo --preserve-env=USER_GID sh -c 'echo "KERNEL==\"hidraw\", SUBSYSTEM==\"hidraw\", ATTRS{serial}==\"vial:f64c2b3c*\", MODE=\"0660\", GROUP=\"$USER_GID\", TAG+=\"uaccess\", TAG+=\"udev-acl\"" > /etc/udev/rules.d/99-vial.rules && udevadm control --reload && udevadm trigger' ```

so that means the device can be read and written by the user and group, but not by others.

Yeah I have this udev rule, it fails to trigger properly and I think it might be because of what it thinks the user group and the web browser group is. I haven't fully debugged it, but I can tell you that this does not work for me

If you're on reasonably updated distribution, setting the GROUP in the udev rule might be causing issues. The [uaccess way][0] is to just set the TAG.

    SUBSYSTEMS=="usb", ATTRS{idVendor}=="vendor_id", ATTRS{idProduct}=="product_id", MODE="0660", TAG+="uaccess"

The Arch Wiki also has this note:

> For any rule adding the uaccess tag to be effective, the name of the file it is defined in has to lexically precede /usr/lib/udev/rules.d/73-seat-late.rules.

If your application is running as a different user, or in a Flatpak or snap, you may need some additional or alternative configuration.

[0]: https://wiki.archlinux.org/title/Udev#Allowing_regular_users...

Oh thanks for this

i'm just guessing here but maybe only chrome is asking that. if the malware is another program, no confirmation is required?