FS#5682 - [nvidia-*] wrong permission of /dev/nvidia*

Attached to Project: Arch Linux
Opened by solsTiCe (zebul666) - Friday, 27 October 2006, 09:03 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 24 June 2007, 09:36 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture not specified
Severity Medium
Priority Normal
Reported Version 0.7.2 Gimmick
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

the permissions of the devices /dev/nvidia* are
# ls -l /dev/nvidia*
crw-rw-rw- 1 root root 195, 0 2006-10-27 09:50 /dev/nvidia0
crw-rw-rw- 1 root root 195, 255 2006-10-27 09:50 /dev/nvidiactl

it should better be rw-rw-r-- and of the group video

something like that must be added by the nvidia.install to /etc/modprobe.conf
# nvidia's devices permission the right way
options nvidia NVreg_DeviceFileUID=0
options nvidia NVreg_DeviceFileGID=91
options nvidia NVreg_DeviceFileMode=0660

i attached a patch for nvidia.install [extra/nvidia package]

but all nvidia-* packages might need to be changed too.

Closed by  Tobias Powalowski (tpowa)
Sunday, 24 June 2007, 09:36 GMT
Reason for closing:  Won't implement
Comment by solsTiCe (zebul666) - Friday, 27 October 2006, 09:06 GMT
in /etc/udev/rules.d/udev/rules , one can see
### xorg resets those permissions, adjust your xorg.conf!
KERNEL=="nvidia*", GROUP="video"

i suggest to modify modprobe.conf because i do not know how to achieve that in xorg.conf
Comment by Hussam Al-Tayeb (hussam) - Friday, 27 October 2006, 11:10 GMT
Wouldn't it be better to just implement a /etc/modprobe.d/nvidia and insert those lines there?
Comment by solsTiCe (zebul666) - Friday, 27 October 2006, 15:45 GMT
yes it will be cleaner.
it's like you want. ;-)
Comment by solsTiCe (zebul666) - Friday, 27 October 2006, 21:26 GMT
beware that for modprobe to use files in /etc/modprobe.d, /etc/modprobe.conf must NOT exist.

so the package module-init-tools must be changed accordingly to remove /etc/modprobe.conf
Comment by Hussam Al-Tayeb (hussam) - Friday, 27 October 2006, 21:39 GMT
or just add 'include /etc/modprobe.d/' to the bottom of /etc/modprobe.conf
In any case, we have to wait for the devs to decide.
I only came onto this bug because I was about to file the same issue and I looked first to see if it is filed already and found your bug.
Comment by Tobias Powalowski (tpowa) - Sunday, 12 November 2006, 21:30 GMT
Q. How and when are the NVIDIA device files created?

A. Depending on the target system's configuration, the NVIDIA device files
used to be created in one of three different ways:

o at installation time, using mknod

o at module load time, via devfs (Linux device file system)

o at module load time, via hotplug/udev

With current NVIDIA driver releases, device files are created or modified
by the X driver when the X server is started.

By default, the NVIDIA driver will attempt to create device files with the
following attributes:

UID: 0 - 'root'
GID: 0 - 'root'
Mode: 0666 - 'rw-rw-rw-'

Existing device files are changed if their attributes don't match these
defaults. If you want the NVIDIA driver to create the device files with
different attributes, you can specify them with the "NVreg_DeviceFileUID"
(user), "NVreg_DeviceFileGID" (group) and "NVreg_DeviceFileMode" NVIDIA
Linux kernel module parameters.

For example, the NVIDIA driver can be instructed to create device files
with UID=0 (root), GID=44 (video) and Mode=0660 by passing the following
module parameters to the NVIDIA Linux kernel module:

NVreg_DeviceFileUID=0
NVreg_DeviceFileGID=44
NVreg_DeviceFileMode=0660

The "NVreg_ModifyDeviceFiles" NVIDIA kernel module parameter will disable
dynamic device file management, if set to 0.
-- end of quote

modify your own modprobe.conf to use the options and you are fine, it's up to you how to deal with it
Comment by solsTiCe (zebul666) - Monday, 13 November 2006, 19:42 GMT
hopefully, you did not paste the whole nvidia's README ! :-) thnx

yes i have read that. and that explains the command i recommend above. what's your point ?

my point is:
it's not to the user or the admin to do that.
it must be the drivers package at install time that must fix that security hole.
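
Added example (not part of the original thread or of any Arch package): a shell check that reports device nodes that grant access to "other" or are not owned by the expected group, which is the state shown in the report's ls output. It assumes GNU coreutils stat; the function name audit_dev_nodes and its messages are hypothetical, and the group is compared by name because the numeric GID differs between the report (91) and the README excerpt (44).

```shell
#!/bin/sh
# Added example: audit device-node permissions against the policy discussed
# in this report (mode 0660, group "video"). Assumes GNU coreutils stat.
# The function name and message wording are hypothetical.

# audit_dev_nodes GROUP PATH...
# Prints one finding per line; returns 0 if every path complies, 1 otherwise.
audit_dev_nodes() {
    want_group=$1
    shift
    rc=0
    for node in "$@"; do
        # An unmatched glob is passed through literally; skip it.
        [ -e "$node" ] || continue
        mode=$(stat -c '%a' "$node")    # octal mode, e.g. 666
        group=$(stat -c '%G' "$node")   # group name, e.g. root
        other=$((0$mode & 7))           # permission bits for "other"
        if [ "$other" -ne 0 ]; then
            echo "$node: mode $mode grants access to other (expected 0660)"
            rc=1
        fi
        if [ "$group" != "$want_group" ]; then
            echo "$node: group is $group (expected $want_group)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh audit.sh [group]   (group defaults to "video")
# Without the driver loaded the glob matches nothing and nothing is printed.
audit_dev_nodes "${1:-video}" /dev/nvidia* || true
```

Because the X driver may recreate the nodes when the X server starts, as the README excerpt says, the check is meaningful only when run after X is up.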
