[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: non root X

From: "Serge E. Hallyn" <serue us ibm com>
To: Development discussions related to Fedora <fedora-devel-list redhat com>
Cc: MathStuf gmail com
Subject: Re: non root X
Date: Thu, 6 Aug 2009 15:30:50 -0500

Quoting Adam Jackson (ajax redhat com):
> On Thu, 2009-08-06 at 14:50 -0500, Serge E. Hallyn wrote:
> > Quoting Dave Airlie (airlied redhat com):
> > > Maybe we could do something with SELinux, but I don't think
> > > we can do anything without getting revoke. or maybe some
> > > process capabilties if such things worked.
> > 
> > The non-kms drivers could carry fe=on,fI=CAP_SYS_RAWIO (or whatever
> > they need) and userids or groups allowed to run X could get pI=CAP_SYS_RAWIO
> > at login through pam_cap.so.
> > 
> > If you also make the x driver setuid-root, then on filesystems (like
> > NFS) or kernels which don't support file capabilities, it'll run setuid
> > root as it does now, while if file caps are supported then it should run
> > as the calling user with just the granted capabilities.
> 
> It doesn't work like that.  Drivers are DSOs, not executables.  You

drat

-serge

References:
- non root X
  - From: Rahul Sundaram
- Re: non root X
  - From: Dave Airlie
- Re: non root X
  - From: Ben Boeckel
- Re: non root X
  - From: Dave Airlie
- Re: non root X
  - From: Serge E. Hallyn
- Re: non root X
  - From: Adam Jackson

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]