Hi,

On Thu, Nov 30, 2023 at 09:13:59AM +0100, Thomas Zimmermann via openSUSE Factory wrote:
On 30.11.23 at 07:49, Thomas Zimmermann via openSUSE Factory wrote:
Hi
On 29.11.23 at 17:18, Wolfgang Frisch wrote:
On 11/22/23 16:59, Wolfgang Frisch wrote:
The impact of this change is likely to be zero for most users.
If you have any workloads that depend on unprivileged GPU operations, you can simply add your user to the `render` group. Specific scenarios include:
- Remote GPU access via ssh
- Local GPU access by non-interactive users that aren't part of the render group yet, e.g. system users, cron jobs or `su` to another user.
Is anyone aware of any unacceptable consequences of this change that may have been missed, or scenarios that should be tested beforehand?
ls -l /dev/dri says
crw-rw----+ 1 root video 226, 1 30. Nov 07:20 card1
crw-rw-rw- 1 root render 226, 128 30. Nov 07:20 renderD128
If neither file is accessible by arbitrary users, how do they render graphics then?
To answer my question: I just did
sudo chmod 660 /dev/dri/renderD128
to clear the permissions for others.
ls -l /dev/dri/
crw-rw----+ 1 root video 226, 1 30. Nov 07:20 card1
crw-rw---- 1 root render 226, 128 30. Nov 07:20 renderD128
Running glxinfo now reports the llvmpipe backend, which is the software renderer.
OpenGL vendor string: Mesa
OpenGL renderer string: llvmpipe (LLVM 17.0.5, 256 bits)
OpenGL core profile version string: 4.5 (Core Profile) Mesa 23.2.1
OpenGL core profile shading language version string: 4.50
Hardware acceleration is now disabled for users that are not in the video or render groups. I like the idea of limiting access to /dev/dri/ files, but it still needs to work for regular users out of the box.
Here is the output of groups
users games disk dialout osc
Is it possible to automatically add everyone in group 'users' to 'render' as well?
In general the hope was that it would still work if the renderD128 device is created using udev and using uaccess rules. I think the main problem with uaccess was / is that NVIDIA binary-only-drivers will not set uaccess permissions, as this is a GPL interface.
Best regards
Thomas

Best regards
Thomas
If not, the change can be applied IMHO.
Ciao, Marcus
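
The access cases discussed in this thread, as an added example that is not part of any message above: a small shell function that classifies one `ls -l` line for a DRM node against a user's group list. The function name `node_access` and its result labels are made up for this example; the sample lines are copied from the `ls -l /dev/dri` and `groups` output quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread.
# node_access LS_LINE USER_GROUPS
# Prints how a non-owner user with these groups could open the node read/write:
#   other  - world read/write bits are set
#   group  - group read/write bits are set and the user is in the owning group
#   acl    - mode bits deny access, but the trailing "+" marks an ACL
#            (for example one added by a udev uaccess rule); inspect with getfacl
#   denied - no access; in the thread glxinfo then reported llvmpipe
node_access() {
    line=$1
    user_groups=$2
    # Split the ls -l line: mode, link count, owner, group, remainder.
    read -r mode _links _owner group _rest <<EOF
$line
EOF
    # Mode string layout: type(1) owner(2-4) group(5-7) other(8-10) [+]
    case $mode in
        ???????rw*) echo other; return 0 ;;
    esac
    case $mode in
        ????rw*)
            for g in $user_groups; do
                if [ "$g" = "$group" ]; then echo group; return 0; fi
            done ;;
    esac
    case $mode in
        *+) echo acl; return 0 ;;
    esac
    echo denied
}

# Sample input taken from the messages above.
USER_GROUPS="users games disk dialout osc"
CARD1='crw-rw----+ 1 root video 226, 1 30. Nov 07:20 card1'
RENDER_OPEN='crw-rw-rw- 1 root render 226, 128 30. Nov 07:20 renderD128'
RENDER_660='crw-rw---- 1 root render 226, 128 30. Nov 07:20 renderD128'

for l in "$CARD1" "$RENDER_OPEN" "$RENDER_660"; do
    printf '%-7s %s\n' "$(node_access "$l" "$USER_GROUPS")" "$l"
done
# Same restricted node after adding the user to the render group.
printf '%-7s %s (user in render)\n' \
    "$(node_access "$RENDER_660" "$USER_GROUPS render")" "$RENDER_660"
```

An `acl` result only says that an ACL exists; whether it grants the current user access has to be read from `getfacl` on the device node.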