Debian specific restriction of /dev/nvidia* to root:video 0660 breaks many things
Moritz Mühlenhoff
jmm at inutil.org
Wed Oct 28 22:07:07 UTC 2015
On Tue, Oct 20, 2015 at 01:18:00PM +0200, Andreas Beckmann wrote:
> nvidia-kernel-common ships /etc/modprobe.d/nvidia-kernel-common.conf
> which sets the permissions on the /dev/nvidia* device nodes to
> root:video 0660. This dates back long before my involvement with the
> nvidia driver packaging:
>
>
> nvidia-kernel-common (20051028+1-0.1) unstable; urgency=high
>
> * Non-maintainer upload by testing security team.
> * Added option to /etc/modprobe.d/nvidia-kernel-nkc to set
> correct device permissions (CVE-2007-3532) (Closes: #434398).
>
> -- Nico Golde <nion at debian.org> Fri, 07 Sep 2007 00:08:00 +0200
>
>
> We recently discovered that this setting is no longer active from jessie
> onwards due to changes in the way the kernel module gets loaded (now
> done by udev automatically) and the fact that we rename the module to
> allow concurrent installation of current and legacy drivers (requested
> by live system maintainers) although only one can be active at a time.
>
> Any attempts to reactivate this have brought a lot of regressions: it
> now requires that the local user as well as the user the display manager
> is running as (Debian-gdm, sddm-something) is a member of the video group.
> See #801598, #801869 and the many related bug reports by users (not all
> are yet marked as blocked by them).
>
> Since no other distribution uses a similar restricted permission setup,
> but runs with the upstream default of root:root 0666, I'm considering
> removing this Debian-specific setting.

Personally I don't care at all about the binary nvidia drivers, so
I'll refrain from commenting.

Nico, you made that change, care to comment?

Cheers,
Moritz
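
The constraint described in the quoted message (with root:video 0660, every account that opens the device nodes, including the display manager's, has to be in the video group) can be checked per account. The script below is an added example, not part of the original message or of the Debian packaging; it assumes only the classic owner/group/other mode bits matter (POSIX ACLs are ignored) and takes the account names as arguments.

```python
#!/usr/bin/env python3
"""Report which accounts can open the /dev/nvidia* nodes read-write."""
import glob
import os
import pwd
import stat
import sys


def can_open_rw(mode, owner_uid, owner_gid, uid, gids):
    """POSIX class check: only the first matching class (owner, group, other) counts."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if uid == owner_uid:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif owner_gid in gids:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return mode & need == need


def audit(paths, users):
    """Return (path, 'uid:gid mode', user, ok) rows; unknown users get ok=None."""
    rows = []
    for path in paths:
        st = os.stat(path)
        label = "%d:%d %04o" % (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
        for name in users:
            try:
                pw = pwd.getpwnam(name)
            except KeyError:
                rows.append((path, label, name, None))
                continue
            # Primary group plus all supplementary groups of the account.
            gids = set(os.getgrouplist(name, pw.pw_gid))
            ok = can_open_rw(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
            rows.append((path, label, name, ok))
    return rows


if __name__ == "__main__":
    # Debian-gdm is the display manager account named in the thread; pass others as arguments.
    users = sys.argv[1:] or ["Debian-gdm"]
    for path, label, name, ok in audit(sorted(glob.glob("/dev/nvidia*")), users):
        state = {True: "ok", False: "NO ACCESS", None: "no such user"}[ok]
        print(f"{path} ({label}) {name}: {state}")
```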