Re: libdrm: Changes to 'debian-experimental'
On Wed, 2007-04-18 at 21:46 -0400, David Nusinow wrote:
> On Tue, Apr 17, 2007 at 10:25:29AM +0200, Michel Dänzer wrote:
> > On Sun, 2007-04-15 at 17:11 +0000, David Nusinow wrote:
> > >
> > > commit 7901afcce99a8af97e560d34e3685fd55eaa9c1a
> > > Author: David Nusinow <dnusinow@debian.org>
> > > Date: Sun Apr 15 13:11:06 2007 -0400
> > >
> > > * Add myself to uploaders
> > > * Patch libdrm to default to device permission 666 so we don't have to do it
> > > in xorg.conf. The only way libdrm can do anything is through the server
> > > anyway.
> >
> > This last sentence doesn't make sense, please elaborate.
>
> It's essentially what ajax told me, although I may have misinterpreted. My
> impression was that in pretty much all cases, the server controls all
> access via libdrm because all dri clients are running through the X server.
> Is this wrong?
I assume what he meant is that exploiting any potential DRM security
holes would usually require authenticating with the corresponding X
display first. I think the idea of not giving everybody access to the
DRM device is basically to give others access to a DRI enabled X display
while preventing them from accessing the DRM device. That way they can
enjoy the 2D performance benefits that enabling the DRI may bring while
not being able to exploit DRM security holes directly.
> > > This can still be overridden by a user's xorg.conf.
> >
> > It might make sense to alert administrators to change this if they have
> > untrusted users.
>
> That's a good idea, I'll add a NEWS.Debian item for libdrm.
Thanks.
--
Earthling Michel Dänzer | http://tungstengraphics.com
Libre software enthusiast | Debian, X and DRI developer
Reply to: