USBGuard PPA possibly unsafe; needs an explicit safety notice

Asked by VanillaMozilla

I don't know if this is a documentation error or a serious software error. It could be dangerous. In the best case it's extremely disconcerting for potential users.

USBGuard can brick the user's computer by blocking the keyboard and mouse on installation. There are existing bug reports on this (e.g., https://bugs.launchpad.net/ubuntu/+source/usbguard/+bug/1809269 ). This bug appears to be fixed upstream in version 0.7.4+ds-1, but there is no indication that it is fixed for Bionic, Cosmic or earlier.

It's important for users to have confidence that the program is safe. One PPA for Ubuntu 16.04 ( https://launchpad.net/~pmjdebruijn/+archive/ubuntu/usbguard ) contains a prominent notice that a whitelist will be generated automatically on installation. (That's the preferred behavior. I can verify that the notice is correct.)

Other PPAs ( https://launchpad.net/ubuntu/+source/usbguard , https://launchpad.net/~ubuntu-desktop/+archive/ubuntu/usbguard , and https://launchpad.net/~altj/+archive/ubuntu/usbguard ) lack such assurance.

I suggest that the packages be pulled, unless someone can fix the PPA page and attest that it's safe to use. The preferred fix would be to test and fix if necessary, and attach the following notice to the PPA description. Without more assurance there's no way I would use the PPA.

"Experimental

"Package install will automatically generate a USB ID whitelist and immediately start protecting your system."

Question information

Language: English
Status: Solved
For: Ubuntu usbguard
Assignee: No assignee
Solved by: VanillaMozilla
Manfred Hampl (m-hampl) said :
#1

I suggest that you open Bug #1809269 and click "this Bug affects me" at the top to set the bug Status to "confirmed", and then add comments to that bug report, requesting that the solution for disco etc. be backported to bionic.

VanillaMozilla (vanillamozilla) said :
#2

Thanks. Done.

I'll tackle the documentation part separately, later. It appears that the version for xenial by Pascal de Bruijn may be the only one that automatically generates the whitelist and starts the daemon. Since this program is rather dangerous to use, I think they should include a brief note on its use in the package description ( https://launchpad.net/ubuntu/+source/usbguard ), similar to that in the de Bruijn PPA ( https://launchpad.net/~pmjdebruijn/+archive/ubuntu/usbguard ).

I also note a conspicuous lack of concise information on how to install and start it safely on Ubuntu. The Ubuntu Manpages ( http://manpages.ubuntu.com/manpages/bionic/en/man8/usbguard-daemon.8.html#name ) is detailed but lacks this basic information. The information is available for some other distros, but it appears that the method of use varies.
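
A preflight check for the failure described in this thread, where the daemon starts without a whitelist and blocks the keyboard and mouse. This is an added example, not from the thread or from the usbguard packages; it assumes a rules file in the syntax that `usbguard generate-policy` emits, and the function names and sample rules are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the usbguard packages.
# Assumption: the rules file uses the syntax that `usbguard generate-policy`
# emits; set operators such as one-of/none-of are not interpreted.

# Print how many "allow" rules include a HID interface (USB class 03,
# which covers keyboards and mice).
count_hid_allow_rules() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '
        /^[ \t]*allow[ \t]/ {
            line = $0
            gsub(/"[^"]*"/, "", line)        # drop quoted name/serial/hash values
            i = index(line, "with-interface")
            if (i) {
                rest = substr(line, i + 14)  # text after the keyword
                sub(/^[ \t]+/, "", rest)
                if (rest ~ /^[{]/) sub(/[}].*/, "", rest); else sub(/[ \t].*/, "", rest)
                if ((" " rest) ~ /[{ \t]03:/) n++
            }
        }
        END { print n + 0 }
    ' "$1"
}

# Return 0 only if starting the daemon with this rules file would leave
# at least one keyboard or mouse allowed.
safe_to_start() {
    [ "$(count_hid_allow_rules "$1")" -gt 0 ]
}

# Constructed sample rules (IDs, serials and hashes are made up).
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.conf" <<'EOF'
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" with-interface 09:00:00
allow id 046d:c31c serial "" name "USB Keyboard" hash "CONSTRUCTED=" with-interface { 03:01:01 03:00:00 }
EOF
cat > "$sample_dir/hub_only.conf" <<'EOF'
allow id 1d6b:0002 serial "0000:00:14.0" name "with-interface 03:01:01" with-interface 09:00:00
EOF
: > "$sample_dir/empty.conf"

for f in good hub_only empty; do
    if safe_to_start "$sample_dir/$f.conf"; then
        echo "$f: HID device allowed, daemon can be started"
    else
        echo "$f: no HID allow rule, do not start usbguard-daemon yet"
    fi
done
```

On a real system the file to check is the daemon's rule file, and the check belongs before the service is enabled or started.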