[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: non root X



Quoting Adam Jackson (ajax redhat com):
> On Thu, 2009-08-06 at 14:50 -0500, Serge E. Hallyn wrote:
> > Quoting Dave Airlie (airlied redhat com):
> > > Maybe we could do something with SELinux, but I don't think
> > > we can do anything without getting revoke. or maybe some
> > > process capabilties if such things worked.
> > 
> > The non-kms drivers could carry fe=on,fI=CAP_SYS_RAWIO (or whatever
> > they need) and userids or groups allowed to run X could get pI=CAP_SYS_RAWIO
> > at login through pam_cap.so.
> > 
> > If you also make the x driver setuid-root, then on filesystems (like
> > NFS) or kernels which don't support file capabilities, it'll run setuid
> > root as it does now, while if file caps are supported then it should run
> > as the calling user with just the granted capabilities.
> 
> It doesn't work like that.  Drivers are DSOs, not executables.  You

drat

-serge


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]