ubuntu-phone team mailing list archive
Message #10617
Re: ANN: change to developer mode access criteria
On Tue, Nov 25, 2014 at 4:32 PM, Oliver Grawert <ogra@xxxxxxxxxx> wrote:
> hi,
>
> On Tuesday, 25.11.2014, at 10:19 -0800, Steve Langasek wrote:
>> On Tue, Nov 25, 2014 at 10:30:17AM +0100, Oliver Grawert wrote:
>>
>> > On Tuesday, 25.11.2014, at 10:17 +0100, Martin Pitt wrote:
>> > > Oliver Grawert [2014-11-24 19:13 +0100]:
>> > > > if you try to connect while the screen is locked adb will return
>> > > > "error: closed"
>>
>> > > This would again mean that we can't run unattended tests on devices,
>> > > as adb is our one and only foot into the door, and we need it in order
>> > > to automatically unlock Unity. So chicken - egg again.
>>
>> > > Since adb doesn't run by default anyway, and one has to explicitly
>> > > enable it with "developer mode", what's the thing that we are trying
>> > > to prevent here?
>>
>> > please see
>> > https://wiki.ubuntu.com/SecurityAndPrivacySettings/ProtectingUserData
>>
>> > (it is also linked from the bug i pointed to)
>>
>> As we discussed at the last client sprint, however, it is *not* a
>> requirement that the screen be unlocked to connect over adb. The
>> requirement is that unknown hosts, when connecting, get approved (via the
>> certificate path) before they're allowed in. That requires the phone to be
>> unlocked in the interactive case, because the user needs to get past the
>> lock screen to approve the connection. But denying adb connections
>> /because/ the screen is locked is not a requirement, and is not actually a
>> stepping stone towards the target solution.
>
> yes, this was planned at the last sprint with all stakeholders in the
> meeting (as sergio pointed out above) the solution demanded from
> security until we have cert handling in place (which is supposed to be
> ready by vivid feature freeze with the new android-tools upstream
> version etc) is that the screen state gets checked before establishing
> the shell connection though ... so for RTM this is the solution we
> have ...
Yes, the support for certificates is the final solution, but until
that is done we need at least to try to prevent undesirable adb access
to the phone.
Once certificates are in place, this fix will be reverted and you'll be
able to use adb even when the screen is locked.
Cheers,
--
Ricardo Salveti de Araujo