On Sun, Jan 09, 2022 at 11:01:26AM +0100, Stefan Hagen wrote:
> Theo de Raadt wrote:
> > Stefan Hagen <[email protected]> wrote:
> >
> > > Crystal Kolipe wrote:
> > > > On Sat, Jan 08, 2022 at 08:15:43PM +0100, Stefan Hagen wrote:
> > > > > Start X via xenodm and not via startx. Then it runs through
> > > > > /etc/X11/xenodm/GiveConsole, which contains:
> > > > >
> > > > > if [ -c /dev/dri/card0 ]; then
> > > > >     chown $USER /dev/dri/card0
> > > > > fi
> > > > >
> > > > > Alternatively add the chown command above to your .xinitrc
> > > >   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > WHAT!?
> > > >
> > > > /dev/dri/card0 will be automatically chown'ed to the user logged in on
> > > > ttyC0 unless you've changed /etc/fbtab from the default.
> > > >
> > > > Additionally, /etc/X11/xinit is run as the calling user, not as root.
> > > > So how on earth would the chown command succeed, called from xinit?
> > >
> > > doas(1) helps. But the whole suggestion was a bandaid. I should not have
> > > given it.
> >
> > What unbelievable terrible advice, to encourage people to make their
> > accounts root-equivalent.
> >
> > Just wow.
>
> My morning brain agrees that doas and chown should not be mentioned in
> one sentence. But there's no paddling back from this on a mailing list...
>
> So: DON'T DO THAT! As Theo said, then every file could be chowned to
> your user and altered and chowned back. It's basically root for
> everything.

Except the files that the knowledgeable sysadmin has flagged with schg.
Those should be immune.

Well, unless a malicious user uses the exploit you would have introduced to
actually get real root access, then they can potentially remove the schg
flag by directly accessing the raw disk device.

Which in turn could be avoided by running in securelevel 2.

> We should really hunt down why the device owner is not set properly with
> the mechanism in place.

Exactly. This is generally a very good idea. The mechanisms in place have
hopefully been well thought out, and tested, and shouldn't allow unexpected
or unintended behaviour.
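
An added example, not part of the original message or of OpenBSD: a small audit that lists doas.conf rules of the kind the thread warns about, where an identity can run anything as root or can run chown with no pinned arguments. The sample rules and user names are constructed, and each rule is judged on its own, so doas's last-match ordering and quoted strings containing '#' are not modelled.

```sh
#!/bin/sh
# Added example (not from the thread): list doas.conf rules that hand an
# identity root, either unrestricted or via an unpinned chown.
# Grammar, doas.conf(5):
#   permit|deny [options] identity [as target] [cmd command [args ...]]

audit_doas() {  # usage: audit_doas FILE -> prints "LINE IDENTITY REASON"
    awk '
    { sub(/#.*/, "") }                 # comments run to end of line
    $1 != "permit" { next }            # blank lines and deny rules grant nothing
    {
        ident = ""; target = ""; cmd = ""; pinned = 0; inenv = 0
        for (i = 2; i <= NF; i++) {
            if (inenv) { if ($i ~ /[}]$/) inenv = 0; continue }  # inside setenv { }
            if ($i == "setenv") continue
            if ($i ~ /^[{]/) { if ($i !~ /[}]$/) inenv = 1; continue }
            if (ident == "" && $i ~ /^(nopass|nolog|persist|keepenv)$/) continue
            if (ident == "") { ident = $i; continue }
            if ($i == "as")  { target = $(++i); continue }
            if ($i == "cmd") { cmd = $(++i); pinned = ($(i + 1) == "args"); break }
        }
        # An omitted target means any user, root included.
        if (target != "" && target != "root") next
        base = cmd; sub(/.*\//, "", base)             # strip directory part
        if (cmd == "")                       print NR, ident, "unrestricted"
        else if (base == "chown" && !pinned) print NR, ident, "chown"
    }' "$1"
}

# Constructed sample configuration; users and rules are hypothetical.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
permit persist :wheel
permit nopass alice cmd chown
permit nopass bob as root cmd /sbin/chown args bob /dev/dri/card0
permit nopass setenv { PATH=/bin } carol as _x11 cmd chown
deny dave cmd chown
permit erin as root cmd /sbin/chown   # unpinned, full path
EOF

audit_doas "$sample"
```

Rules with an `args` list are left out of the report because doas only accepts exactly those arguments.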
