non root X
Serge E. Hallyn
serue at us.ibm.com
Thu Aug 6 20:30:50 UTC 2009
Quoting Adam Jackson (ajax at redhat.com):
> On Thu, 2009-08-06 at 14:50 -0500, Serge E. Hallyn wrote:
> > Quoting Dave Airlie (airlied at redhat.com):
> > > Maybe we could do something with SELinux, but I don't think
> > > we can do anything without getting revoke. or maybe some
> > > process capabilties if such things worked.
> >
> > The non-kms drivers could carry fe=on,fI=CAP_SYS_RAWIO (or whatever
> > they need) and userids or groups allowed to run X could get pI=CAP_SYS_RAWIO
> > at login through pam_cap.so.
> >
> > If you also make the x driver setuid-root, then on filesystems (like
> > NFS) or kernels which don't support file capabilities, it'll run setuid
> > root as it does now, while if file caps are supported then it should run
> > as the calling user with just the granted capabilities.
>
> It doesn't work like that. Drivers are DSOs, not executables. You
drat
-serge
More information about the fedora-devel-list
mailing list