On Wed, 2007-04-18 at 21:46 -0400, David Nusinow wrote:
> On Tue, Apr 17, 2007 at 10:25:29AM +0200, Michel Dänzer wrote:
> > On Sun, 2007-04-15 at 17:11 +0000, David Nusinow wrote:
> > >
> > > commit 7901afcce99a8af97e560d34e3685fd55eaa9c1a
> > > Author: David Nusinow <[EMAIL PROTECTED]>
> > > Date:   Sun Apr 15 13:11:06 2007 -0400
> > >
> > >     * Add myself to uploaders
> > >     * Patch libdrm to default to device permission 666 so we don't have
> > >       to do it in xorg.conf. The only way libdrm can do anything is
> > >       through the server anyway.
> >
> > This last sentence doesn't make sense, please elaborate.
>
> It's essentially what ajax told me, although I may have misinterpreted. My
> impression was that in pretty much all cases, the server controls all
> access via libdrm because all dri clients are running through the X server.
> Is this wrong?

I assume what he meant is that exploiting any potential DRM security holes
would usually require authenticating with the corresponding X display first.

I think the idea of not giving everybody access to the DRM device is
basically to give others access to a DRI enabled X display while preventing
them from accessing the DRM device. That way they can enjoy the 2D
performance benefits that enabling the DRI may bring while not being able to
exploit DRM security holes directly.

> > > This can still be overridden by a user's xorg.conf.
> >
> > It might make sense to alert administrators to change this if they have
> > untrusted users.
>
> That's a good idea, I'll add a NEWS.Debian item for libdrm. Thanks.

-- 
Earthling Michel Dänzer           |          http://tungstengraphics.com
Libre software enthusiast         |          Debian, X and DRI developer
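
For administrators with untrusted local users, the check discussed in the thread can be scripted. The following is an added example, not part of the original message or of the Debian packaging: it lists DRM device nodes whose mode grants access to users outside the owning user and group. The `/dev/dri` default and the `video` group named in the hint are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: audit DRM device node permissions.
# Assumption: device nodes live under /dev/dri (usual Linux location).

# Print every character device (or regular file, so the function can be
# exercised on stand-in files) under $1 whose mode grants read or write to
# "other", e.g. 0666. Symlinks and directories are ignored.
world_accessible_nodes() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" \( -type c -o -type f \) \
        \( -perm -004 -o -perm -002 \) -print | sort
}

# Succeed only when nothing under $1 is open to "other".
drm_is_restricted() {
    [ -z "$(world_accessible_nodes "$1")" ]
}

# Human-readable report; returns 1 when a world-accessible node is found.
audit_drm() {
    dir=${1:-/dev/dri}
    if drm_is_restricted "$dir"; then
        echo "OK: no world-accessible nodes under $dir"
        return 0
    fi
    echo "WARNING: any local user can open these DRM nodes directly:"
    world_accessible_nodes "$dir" | while IFS= read -r node; do
        ls -l "$node"
    done
    # xorg.conf override mentioned in the thread; group name is an assumption.
    echo 'To restrict, add to xorg.conf:'
    echo '  Section "DRI"'
    echo '      Group "video"'
    echo '      Mode  0660'
    echo '  EndSection'
    return 1
}

# Usage: source this file, then run:  audit_drm            (checks /dev/dri)
#                                     audit_drm /some/dir  (checks another path)
```

With mode 0660, only members of the owning group can open the device directly, which matches the separation described above between access to a DRI-enabled X display and access to the DRM device itself.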

