Debian specific restriction of /dev/nvidia* to root:video 0660 breaks many things

Andreas Beckmann anbe at debian.org
Tue Oct 20 11:18:00 UTC 2015


nvidia-kernel-common ships /etc/modprobe.d/nvidia-kernel-common.conf
which sets the permissions on the /dev/nvidia* device nodes to
root:video 0660. This dates back long before my involvement with the
nvidia driver packaging:


nvidia-kernel-common (20051028+1-0.1) unstable; urgency=high

  * Non-maintainer upload by testing security team.
  * Added option to /etc/modprobe.d/nvidia-kernel-nkc to set
    correct device permissions (CVE-2007-3532) (Closes: #434398).

 -- Nico Golde <nion at debian.org>  Fri, 07 Sep 2007 00:08:00 +0200


We recently discovered that this setting is no longer active from jessie
onwards due to changes in the way the kernel module gets loaded (now
done by udev automatically) and the fact that we rename the module to
allow concurrent installation of current and legacy drivers (requested
by live system maintainers) although only one can be active at a time.

Any attempts to reactivate this have brought a lot of regressions: it
now requires that the local user as well as the user the display manager
is running as (Debian-gdm, sddm-something) are members of the video group.
See #801598, #801869 and the many related bug reports by users (not all
are yet marked as blocked by them).

Since no other distribution uses a similar restricted permission setup,
but runs with the upstream default of root:root 0666, I'm considering
removing this Debian specific setting.


Andreas
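
The trade-off described in the message above, as an added example that is not part of the original post: a small model of the Unix permission check showing which accounts lose read/write access to a device node under root:video 0660 compared with root:root 0666. The gid 44 for video, the account names other than Debian-gdm, and all uids and gids are constructed assumptions.

```python
import glob
import os
import stat
from dataclasses import dataclass

VIDEO_GID = 44  # assumption: conventional Debian gid for "video"; check getent group video

@dataclass(frozen=True)
class Node:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o660

@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary groups

def can_open_rw(node, acct):
    """Unix DAC check for O_RDWR: exactly one of owner/group/other applies."""
    if acct.uid == 0:
        return True  # root bypasses the mode bits
    if acct.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in acct.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & 6 == 6

def locked_out(node, accounts):
    """Names of accounts that cannot open the node read/write."""
    return [a.name for a in accounts if not can_open_rw(node, a)]

def live_nodes(pattern="/dev/nvidia*"):
    """Owner, group and mode of real character devices, if any exist here."""
    stats = ((p, os.stat(p)) for p in sorted(glob.glob(pattern)))
    return {p: Node(s.st_uid, s.st_gid, stat.S_IMODE(s.st_mode))
            for p, s in stats if stat.S_ISCHR(s.st_mode)}

DEBIAN = Node(0, VIDEO_GID, 0o660)   # root:video 0660
UPSTREAM = Node(0, 0, 0o666)         # root:root 0666
ACCOUNTS = [                         # constructed sample accounts
    Account("alice", 1000, frozenset({1000, VIDEO_GID})),
    Account("bob", 1001, frozenset({1001})),
    Account("Debian-gdm", 117, frozenset({124})),
]

if __name__ == "__main__":
    for label, node in [("root:video 0660", DEBIAN), ("root:root 0666", UPSTREAM)]:
        print(label, "locks out:", locked_out(node, ACCOUNTS))
    for path, node in live_nodes().items():
        print(path, oct(node.mode), "locks out:", locked_out(node, ACCOUNTS))
```

With 0666 no account is locked out, which also means every local account can open the device; with 0660 the display manager account must be in the video group before a session can start.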


