Hi,

On 11/30/23 07:49, Thomas Zimmermann wrote:
> On 29.11.23 at 17:18, Wolfgang Frisch wrote:
>> Is anyone aware of any unacceptable consequences of this change that may have been missed, or scenarios that should be tested beforehand?
>
> ls -l /dev/dri says
>
> crw-rw----+ 1 root video 226, 1 30. Nov 07:20 card1
> crw-rw-rw- 1 root render 226, 128 30. Nov 07:20 renderD128
>
> If neither file is accessible by arbitrary users, how do they render graphics then?

udev applies the `uaccess` tag, which, in coordination with systemd-logind, dynamically applies an ACL granting access to all locally logged-in users. The end result looks like this:

```
localuser@localhost:/dev/dri$ ls -l
total 0
drwxr-xr-x 2 root root 80 Nov 27 09:26 by-path
crw-rw----+ 1 root video 226, 0 Nov 27 09:26 card0
crw-rw----+ 1 root render 226, 128 Nov 27 09:26 renderD128
localuser@localhost:/dev/dri$ getfacl renderD128
# file: renderD128
# owner: root
# group: render
user::rw-
user:localuser:rw-
group::rw-
mask::rw-
other::---
```

All the best
Wolfgang

-- 
Wolfgang Frisch <wolfgang.frisch@suse.com>
Security Engineer
OpenPGP fingerprint: A2E6 B7D4 53E9 544F BC13 D26B D9B3 56BD 4D4A 2D15
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg
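
Added example, not part of the original message: a small Python check that applies the POSIX ACL access-check order to `getfacl` output, to confirm which accounts can open the render node once the `uaccess` ACL is in place. `SAMPLE_ACL` is the output quoted in the message above; the function names and the accounts used to exercise it are assumptions made for illustration.

```python
# Constructed sample: the getfacl output quoted in the message above.
SAMPLE_ACL = """\
# file: renderD128
# owner: root
# group: render
user::rw-
user:localuser:rw-
group::rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> set of perms."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            # perms[:3] drops any trailing "#effective:" annotation
            entries[(tag, qualifier)] = set(perms[:3]) - {"-"}
    return owner, group, entries

def can_access(text, user, groups=(), want="rw"):
    """POSIX ACL check order: owner, named user, matching groups, then other."""
    owner, group, acl = parse_getfacl(text)
    want = set(want)
    mask = acl.get(("mask", ""), {"r", "w", "x"})  # no mask entry: nothing is masked
    if user == owner:
        return want <= acl[("user", "")]           # the owner entry is never masked
    if ("user", user) in acl:
        return want <= (acl[("user", user)] & mask)
    matched = [acl[("group", "")]] if group in groups else []
    matched += [acl[("group", g)] for g in groups if ("group", g) in acl]
    if matched:
        # One matching group entry must grant everything requested;
        # a group match that fails does not fall through to "other".
        return any(want <= (entry & mask) for entry in matched)
    return want <= acl[("other", "")]

if __name__ == "__main__":
    for account in ("root", "localuser", "otheruser"):
        print(account, can_access(SAMPLE_ACL, account))
```
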