Dear NXP developers/support,
I was in shock to find that after I installed MCUXpresso on Linux, it modified the udev rules to open up the devices to the world, aka 0666. This is far from being best practice, nor should it be done without explicit user consent.
All the rules abuse the permission restrictions and are written as:
KERNEL=="hidraw*", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="0143", MODE="0666"
This is far from being best practice; instead, the rules should permit a group on the computer to access the device, using the following notation:
KERNEL=="hidraw*", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="0143", MODE="0660", GROUP="plugdev"
As these rules are not an example and are installed without consent, this is a severe abuse of the root permission you require when installing the MCUXpresso IDE.
Please escalate this to the CSO/security representative in order to track this and fix it, or avoid installing insecure resources on customers' environments.
Regards,
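An added example, not part of the original post or of NXP's software: a small Python audit that flags udev rules whose MODE grants access to "other" and rewrites them in the group-restricted form the post recommends. The function names, the default group argument and the sample rules file are constructed for illustration.

```python
import re

# MODE assignment (MODE="0666" or MODE:="0666"); the match operator MODE=="..." is skipped.
MODE_RE = re.compile(r'\bMODE\s*:?=\s*"([0-7]{3,4})"')
# GROUP assignment, so an existing group is kept rather than overwritten.
GROUP_RE = re.compile(r'\bGROUP\s*:?=\s*"[^"]*"')

def harden_rule(line: str, group: str = "plugdev") -> str:
    """Return the rule with 'other' access moved to the group; unchanged if already safe."""
    m = MODE_RE.search(line)
    if not m:
        return line
    mode = int(m.group(1), 8)
    if mode & 0o007 == 0:          # no access for 'other': nothing to fix
        return line
    # Drop the 'other' bits and grant the same access to the group instead.
    safe = (mode & 0o7770) | ((mode & 0o007) << 3)
    fixed = line[:m.start(1)] + f"{safe:04o}" + line[m.end(1):]
    if not GROUP_RE.search(fixed):
        fixed += f', GROUP="{group}"'
    return fixed

def audit(text: str, group: str = "plugdev"):
    """Return (line_number, original, suggested) for every world-accessible rule."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        fixed = harden_rule(rule, group)
        if fixed != rule:
            findings.append((n, rule, fixed))
    return findings

# Constructed sample rules file: the first two rules are the ones quoted in the
# post, the last one is made up to show that an existing GROUP is preserved.
SAMPLE_RULES = '''\
# constructed sample
KERNEL=="hidraw*", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="0143", MODE="0666"
KERNEL=="hidraw*", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="0143", MODE="0660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTRS{idVendor}=="1fc9", MODE="0664", GROUP="dialout"
'''

if __name__ == "__main__":
    for n, old, new in audit(SAMPLE_RULES):
        print(f"line {n}:\n  - {old}\n  + {new}")
```

To check an installed rules file, pass its contents to `audit()`; members of the chosen group still need to be added to it before the device becomes accessible to them.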
Hello @alonbl
Thanks for your suggestion. I will submit it and ask the Development team to check, thanks.
BR
Alice