Bugzilla – Full Text Bug Listing
| Summary: | AUDIT-FIND: udev: DRM render nodes are world-writable | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Wolfgang Frisch <wolfgang.frisch> |
| Component: | Security | Assignee: | systemd maintainers <systemd-maintainers> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Minor | | |
| Priority: | P4 - Low | CC: | fbui, fvogt, wolfgang.frisch |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Wolfgang Frisch
2023-11-14 08:54:20 UTC
It sounds reasonable but I'm not of its consequences. Fabian, could you share your opinion?

0666 is actually the upstream default, same for /dev/kvm: https://github.com/systemd/systemd/blob/a3f5976ded023257f6299ca07b9749fd1483c0d2/meson_options.txt#L313

uaccess would be enough to allow the usual use through logged in users and applications, would however break GPU acceleration through su to another user, ssh or libvirt virtio-gpu OOTB.

(In reply to Fabian Vogt from comment #3)
> uaccess would be enough to allow the usual use through logged in users and
> applications, would however break GPU acceleration through su to another
> user, ssh or libvirt virtio-gpu OOTB.

Are these use cases common enough or can we assume that users should rely on the "render" group when needed?

(In reply to Franck Bui from comment #4)
> (In reply to Fabian Vogt from comment #3)
> > uaccess would be enough to allow the usual use through logged in users and
> > applications, would however break GPU acceleration through su to another
> > user, ssh or libvirt virtio-gpu OOTB.
>
> Are these use cases common enough or can we assume that users should rely on
> the "render" group when needed?

Worth a try. If it breaks too much, it can be changed back again. IMO it should be documented at least and in the case of TW also announced.

+1 for giving it a try. The "render" group already exists and uaccess should be automatically configured when GROUP_RENDER_MODE != 666, so it seems that the upstream has considered this as a viable option. https://github.com/systemd/systemd/blob/a3f5976ded023257f6299ca07b9749fd1483c0d2/meson.build#L944

(In reply to Fabian Vogt from comment #3)
> uaccess would be enough to allow the usual use through logged in users and
> applications, would however break GPU acceleration through su to another
> user, ssh or libvirt virtio-gpu OOTB.

Valid point that must be considered.

(In reply to Franck Bui from comment #4)
> Are these use cases common enough or can we assume that users should rely on
> the "render" group when needed?

Yes, IMHO it is not unreasonable to ask for `render` group membership for these less common use cases, as long as it is communicated reasonably well. There aren't many world-writable device nodes in /dev and given the complexity of graphics drivers, it makes sense to follow the principle of least privilege.

FYI https://build.opensuse.org/request/show/1128161 has been accepted and submitted to Factory: sr#1130178

Hence I'm closing the bug. Wolfgang, can you please open another bug report for the documentation part? Thanks.

This is an autogenerated message for OBS integration:

This bug (1217118) was mentioned in https://build.opensuse.org/request/show/1130178 Factory / systemd
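The thread above turns on one question: are the `/dev/dri/renderD*` nodes created with the upstream default `MODE="0666"`, or with a group-only mode plus the `uaccess` tag so that only logged-in users and `render` group members can open them. The script below is an added example, not code from the bug report or from the systemd/openSUSE packages: it audits a `/dev/dri`-style directory for world-writable render nodes and checks what a udev rule's `MODE=` actually grants. The directory is a parameter so the audit can run against a constructed stand-in as well as the real `/dev/dri`; the rule strings and the `/etc/udev/rules.d` file name mentioned in comments are illustrative assumptions, not the exact lines shipped by either project.

```shell
#!/bin/sh
# Added example: audit DRM render nodes for the world-writable condition this bug is
# about, and inspect udev MODE= values. Assumes a Linux-style layout where render
# nodes are named renderD<N>; nothing here is the project's own code.

# Print every renderD* node under $1 whose "other" write bit is set.
# Returns 0 when none is world-writable, 1 when at least one is.
audit_render_nodes() {
    dir=$1
    found=0
    for node in "$dir"/renderD*; do
        [ -e "$node" ] || continue            # glob matched nothing
        perm=$(ls -ld "$node" | cut -c1-10)    # e.g. crw-rw-rw- on a real node
        case $perm in
            ????????w?)                        # column 9 is the other-write bit
                echo "world-writable: $node ($perm)"
                found=1 ;;
        esac
    done
    return $found
}

# Extract MODE="..." from a udev rule line and report (exit 0) whether it grants
# write access to "other", i.e. the last octal digit has the 2 bit set.
rule_mode_world_writable() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*MODE="\([0-7]*\)".*/\1/p')
    [ -n "$mode" ] || return 1                 # rule sets no MODE= at all
    last=$(printf '%s' "$mode" | tail -c 1)
    case $last in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# The render-node rule as it reads with the upstream default GROUP_RENDER_MODE=0666
# (assumed rendering of the template, shown for comparison only).
upstream_rule='SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="0666"'

# A hardened rule of the kind discussed in the thread, as one could drop into a
# hypothetical /etc/udev/rules.d/71-render-uaccess.rules: group "render" keeps
# access, the world bits are gone, and TAG+="uaccess" lets logind add an ACL for
# the locally logged-in user. Users reaching the GPU via su, ssh or libvirt
# virtio-gpu need "render" group membership instead.
hardened_rule='SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="0660", TAG+="uaccess"'

# Build a constructed /dev/dri stand-in: one node with the upstream 0666 default,
# one with the hardened 0660. Regular files stand in for the character devices.
make_sample_dri() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/renderD128"; chmod 0666 "$dir/renderD128"
    : > "$dir/renderD129"; chmod 0660 "$dir/renderD129"
}

# Usage on a live system: audit_render_nodes /dev/dri
```

On a Tumbleweed system the audit should report nothing once the Factory submission referenced above is installed; a non-empty report means the node is still created with the upstream 0666 default or a local rule overrides it. Note that `uaccess` ACLs are not visible in the `ls -l` mode string, so a 0660 node may still be opened by the seat user; `getfacl` shows that grant.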