Chinese translated version of Documentation/usb/authorization.txt
If you have any comment or update to the content, please contact the
original document maintainer directly. However, if you have a problem
communicating in English you can also ask the Chinese maintainer for
help. Contact the Chinese maintainer if this translation is outdated
or if there is a problem with the translation.
Maintainer: Eric W. Biederman <ebiederman@xmission.com>
Chinese maintainer: Shao Qi <shaoqitony@gmail.com>
---------------------------------------------------------------------
Documentation/usb/authorization.txt 的中文翻译
如果想评论或更新本文的内容,请直接联系原文档的维护者。如果你使用英文
交流有困难的话,也可以向中文版维护者求助。如果本翻译更新不及时或者翻
译存在问题,请联系中文版维护者。
英文版维护者: Eric W. Biederman <ebiederman@xmission.com>
中文版维护者: 邵奇 Shao Qi <shaoqitony@gmail.com>
中文版翻译者: 邵奇 Shao Qi <shaoqitony@gmail.com>
中文版校译者: 邵奇 Shao Qi <shaoqitony@gmail.com>
以下为正文
---------------------------------------------------------------------
Authorizing (or not) your USB devices to connect to the system
授权(或没有)你的USB设备与系统连接
(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
This feature allows you to control if a USB device can be used (or
not) in a system. This feature will allow you to implement a lock-down
of USB devices, fully controlled by user space.
如果USB设备能(或不能)在系统中使用,此功能允许你控制它。此功能将让你
锁定USB设备,完全被用户空间控制。
As of now, when a USB device is connected it is configured and
its interfaces are immediately made available to the users. With this
modification, only if root authorizes the device to be configured will
then it be possible to use it.
截至目前,当USB设备被连接,它会被配置并且它的接口被立即提供给用户。
此修改,只有root授权设备配置,然后,可以使用。
Usage:
用途:
Authorize a device to connect:
授权设备连接:
$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
Deauthorize a device:
取消设备的授权:
$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
Set new devices connected to hostX to be deauthorized by default (ie:
lock down):
默认情况下,取消新的连接到hostX的设备的授权(即:锁定):
$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
Remove the lock down:
接触锁定:
$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
By default, Wired USB devices are authorized by default to
connect. Wireless USB hosts deauthorize by default all new connected
devices (this is so because we need to do an authentication phase
before authorizing).
默认情况下,有限USB设备被授权连接。无线USB主机默认情况下,取消所有新
设备连接的授权(这是因为在授权前有一个验证阶段)。
Example system lockdown (lame)
例如系统锁定(不完全的)
-----------------------
Imagine you want to implement a lockdown so only devices of type XYZ
can be connected (for example, it is a kiosk machine with a visible
USB port):
试想一下,你想实现一个锁定,但只有XYZ星设备能被连接(例如,这是一个
有可见USB端口的自助服务终端机):
boot up
rc.local ->
for host in /sys/bus/usb/devices/usb*
do
echo 0 > $host/authorized_default
done
Hookup an script to udev, for new USB devices
为新的USB设备连接脚本到udev
if device_is_my_type $DEV
then
echo 1 > $device_path/authorized
done
Now, device_is_my_type() is where the juice for a lockdown is. Just
checking if the class, type and protocol match something is the worse
security verification you can make (or the best, for someone willing
to break it). If you need something secure, use crypto and Certificate
Authentication or stuff like that. Something simple for an storage key
could be:
现在,device_is_my_type()是一个锁定的果汁(???).你能检查class、type和protocol
的更差的安全性(如果有人愿意中断他,或许是最好的)。如果你需要一些安全的东西,
用加密和证书验证或是像那样填充。简单的存储秘钥可以是:
function device_is_my_type()
{
echo 1 > authorized # temporarily authorize it
# FIXME: make sure none can mount it
mount DEVICENODE /mntpoint
sum=$(md5sum /mntpoint/.signature)
if [ $sum = $(cat /etc/lockdown/keysum) ]
then
echo "We are good, connected"
umount /mntpoint
# Other stuff so others can use it
else
echo 0 > authorized
fi
}
Of course, this is lame, you'd want to do a real certificate
verification stuff with PKI, so you don't depend on a shared secret,
etc, but you get the idea. Anybody with access to a device gadget kit
can fake descriptors and device info. Don't trust that. You are
welcome.
当然,这是不完整的,你若想做一个真正的PKI填充的证书验证,不要用共享的
加密方式,等,但是获得了点子。任何能访问设备工具套件的人可以假造描述和
设备信息。不要相信。不客气。
If you have any comment or update to the content, please contact the
original document maintainer directly. However, if you have a problem
communicating in English you can also ask the Chinese maintainer for
help. Contact the Chinese maintainer if this translation is outdated
or if there is a problem with the translation.
Maintainer: Eric W. Biederman <ebiederman@xmission.com>
Chinese maintainer: Shao Qi <shaoqitony@gmail.com>
---------------------------------------------------------------------
Documentation/usb/authorization.txt 的中文翻译
如果想评论或更新本文的内容,请直接联系原文档的维护者。如果你使用英文
交流有困难的话,也可以向中文版维护者求助。如果本翻译更新不及时或者翻
译存在问题,请联系中文版维护者。
英文版维护者: Eric W. Biederman <ebiederman@xmission.com>
中文版维护者: 邵奇 Shao Qi <shaoqitony@gmail.com>
中文版翻译者: 邵奇 Shao Qi <shaoqitony@gmail.com>
中文版校译者: 邵奇 Shao Qi <shaoqitony@gmail.com>
以下为正文
---------------------------------------------------------------------
Authorizing (or not) your USB devices to connect to the system
授权(或没有)你的USB设备与系统连接
(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
This feature allows you to control if a USB device can be used (or
not) in a system. This feature will allow you to implement a lock-down
of USB devices, fully controlled by user space.
如果USB设备能(或不能)在系统中使用,此功能允许你控制它。此功能将让你
锁定USB设备,完全被用户空间控制。
As of now, when a USB device is connected it is configured and
its interfaces are immediately made available to the users. With this
modification, only if root authorizes the device to be configured will
then it be possible to use it.
截至目前,当USB设备被连接,它会被配置并且它的接口被立即提供给用户。
此修改,只有root授权设备配置,然后,可以使用。
Usage:
用途:
Authorize a device to connect:
授权设备连接:
$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
Deauthorize a device:
取消设备的授权:
$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
Set new devices connected to hostX to be deauthorized by default (ie:
lock down):
默认情况下,取消新的连接到hostX的设备的授权(即:锁定):
$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
Remove the lock down:
接触锁定:
$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
By default, Wired USB devices are authorized by default to
connect. Wireless USB hosts deauthorize by default all new connected
devices (this is so because we need to do an authentication phase
before authorizing).
默认情况下,有限USB设备被授权连接。无线USB主机默认情况下,取消所有新
设备连接的授权(这是因为在授权前有一个验证阶段)。
Example system lockdown (lame)
例如系统锁定(不完全的)
-----------------------
Imagine you want to implement a lockdown so only devices of type XYZ
can be connected (for example, it is a kiosk machine with a visible
USB port):
试想一下,你想实现一个锁定,但只有XYZ星设备能被连接(例如,这是一个
有可见USB端口的自助服务终端机):
boot up
rc.local ->
for host in /sys/bus/usb/devices/usb*
do
echo 0 > $host/authorized_default
done
Hookup an script to udev, for new USB devices
为新的USB设备连接脚本到udev
if device_is_my_type $DEV
then
echo 1 > $device_path/authorized
done
Now, device_is_my_type() is where the juice for a lockdown is. Just
checking if the class, type and protocol match something is the worse
security verification you can make (or the best, for someone willing
to break it). If you need something secure, use crypto and Certificate
Authentication or stuff like that. Something simple for an storage key
could be:
现在,device_is_my_type()是一个锁定的果汁(???).你能检查class、type和protocol
的更差的安全性(如果有人愿意中断他,或许是最好的)。如果你需要一些安全的东西,
用加密和证书验证或是像那样填充。简单的存储秘钥可以是:
function device_is_my_type()
{
echo 1 > authorized # temporarily authorize it
# FIXME: make sure none can mount it
mount DEVICENODE /mntpoint
sum=$(md5sum /mntpoint/.signature)
if [ $sum = $(cat /etc/lockdown/keysum) ]
then
echo "We are good, connected"
umount /mntpoint
# Other stuff so others can use it
else
echo 0 > authorized
fi
}
Of course, this is lame, you'd want to do a real certificate
verification stuff with PKI, so you don't depend on a shared secret,
etc, but you get the idea. Anybody with access to a device gadget kit
can fake descriptors and device info. Don't trust that. You are
welcome.
当然,这是不完整的,你若想做一个真正的PKI填充的证书验证,不要用共享的
加密方式,等,但是获得了点子。任何能访问设备工具套件的人可以假造描述和
设备信息。不要相信。不客气。