Hi,

DRM render nodes [1] provide an interface for unprivileged GPU operations such as video encoding or off-screen rendering. They are currently world-writable in Factory:
crw-rw-rw- root:render /dev/dri/renderD128
This configuration allows every user, even `nobody`, to access the GPU drivers, cause load on the hardware and exploit hypothetical driver bugs. To our *current knowledge* this does not represent a security vulnerability. But given enough time and energy it very well might. It certainly does increase a local attack surface unnecessarily. Given the complexity of graphics drivers, maintaining such open permissions seems imprudent. While mode 0666 is the default [2], upstream has also been supporting an alternative configuration with mode 0660 and uaccess ACLs [3].

For context, here's how other distributions manage this:

Debian: mode 660 with uaccess
Ubuntu: mode 660 with uaccess
Fedora: mode 666
A submission [4] is underway to switch openSUSE Factory to this alternative configuration. This will result in Factory having these permissions:
crw-rw----+ root:render /dev/dri/renderD128
The impact of this change is likely to be zero for most users. If you have any workloads that depend on unprivileged GPU operations, you can simply add your user to the `render` group. Specific scenarios include:

- Remote GPU access via ssh
- Local GPU access by non-interactive users that aren't part of the render group yet, e.g. system users, cron jobs or `su` to another user.

Best regards
Wolfgang

[1] https://dri.freedesktop.org/docs/drm/gpu/drm-uapi.html#render-nodes
[2] https://github.com/systemd/systemd/blob/a3f5976ded023257f6299ca07b9749fd1483...
[3] https://github.com/systemd/systemd/blob/a3f5976ded023257f6299ca07b9749fd1483...
[4] https://build.opensuse.org/request/show/1128161

--
Wolfgang Frisch <wolfgang.frisch@suse.com>
Security Engineer
OpenPGP fingerprint: A2E6 B7D4 53E9 544F BC13 D26B D9B3 56BD 4D4A 2D15
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nuremberg, Germany
(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer
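An audit sketch for the permission change described in the message above, added here as an example and not part of the original post or of the openSUSE submission. The function names are hypothetical, `stat -c` assumes GNU coreutils or BusyBox, and the directory is a parameter so the check can be run against a constructed fixture instead of /dev/dri.

```shell
#!/bin/sh
# Added example: classify DRM render node permissions and check group membership.
# Function names are hypothetical; stat -c assumes GNU coreutils or BusyBox.

# classify_mode OCTAL_MODE -> world-accessible | group-only | restricted
classify_mode() {
    bits=$(( 0$1 ))                      # e.g. "666" is read as octal 0666
    if [ $(( bits & 0006 )) -ne 0 ]; then
        echo world-accessible            # "other" can read or write the node
    elif [ $(( bits & 0060 )) -eq $(( 0060 )) ]; then
        echo group-only                  # rw for the owning group, nothing for "other"
    else
        echo restricted
    fi
}

# audit_render_nodes [DIR]
# Prints "path mode group class" for each renderD* node in DIR.
# Returns 1 if any node is world-accessible, 0 otherwise.
audit_render_nodes() {
    dir=${1:-/dev/dri}
    rc=0
    for node in "$dir"/renderD*; do
        [ -e "$node" ] || continue       # glob matched nothing
        mode=$(stat -c '%a' "$node")
        group=$(stat -c '%G' "$node")
        class=$(classify_mode "$mode")
        printf '%s %s %s %s\n' "$node" "$mode" "$group" "$class"
        if [ "$class" = world-accessible ]; then
            rc=1
        fi
    done
    return $rc
}

# user_in_group USER GROUP
# Succeeds if USER is a member of GROUP. Useful for finding system users or
# cron job owners that rely on the GPU but are not yet in the render group.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}
```

With mode 0660 plus uaccess, a locally logged-in user can still pass the open without being in `render`, because access is granted through the ACL marked by the `+` in the listing; `user_in_group` only covers the group path that ssh sessions, cron jobs and system users depend on.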