The default permissions for /dev/dri/* are 660 root:root. This prevents ordinary users (who are probably the only ones who attempt to) from using it. chgrp-ing is only temporary as devfsd seems to reset permissions on boot. I consider this a Major bug because it disables 3D acceleration for probably all video cards except nVidia and cannot be fixed by the average user, except temporarily. Reproducible: Always Steps to Reproduce:
You neglected to provide `emerge info`. Are you using devfs or udev? What versions of either/both?
devfsd 1.3.25-r6 Not that emerge info is likely to contain anything relevant, but:
```
Portage 2.0.50-r8 (default-x86-2004.0, gcc-3.3.3, glibc-2.3.3.20040420-r0, 2.6.5-gentoo-r1)
=================================================================
System uname: 2.6.5-gentoo-r1 i686 AMD Athlon(TM) XP1600+
Gentoo Base System version 1.4.16
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -march=athlon-xp -pipe -fomit-frame-pointer"
CHOST="i386-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -march=athlon-xp -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs buildpkg ccache distcc sandbox"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aalib acl acpi aim alsa apache2 apm arts audiofile avi berkdb caps cdr cjk crypt cups dvd dvdr encode esd fam fbcon flac flash foomaticdb gdbm gif gnome gphoto2 gpm gtk gtk2 icq imap imlib ipv6 jabber java javascript jikes joystick jpeg kde ldap lesstif libg++ libwww live mad maildi matroska memlimit mikmod motif mozilla mpeg msn ncurses nls nocd oggvorbis opengl oscar oss pam pda pdflib perl png ppds python qt quicktime readline samba scanner sdl slang socks5 speex spell ssl svga tcltk tcpd theora tiff truetype unicode usb v4l v4l2 vhosts wmf wxwindows x86 xml2 xmms xosd xv xvid yahoo zlib"
```
So why not add appropriate entries to your /etc/devfsd.conf file and/or security/console.perms files and forget about it?
What do you feel the default permissions should be?
vapier: That would only fix it for me, not for the default user. gregkh: 660, owned by root; if 'video' group is only for input, 'users' group; otherwise, 'video' group
And how can udev determine those group differences? (Hint: it can't.) Sounds like a problem for pam to solve :)
The difference is in what Gentoo defines the video group to be for. udev doesn't have to.
Kernel defines the permissions, devfs has no rules for them.
In /etc/X11/xorg.conf:
```
Section "DRI"
    Mode 0666
EndSection
```
???
Right... why do I want any random user to have access to DRI?? There's a <dri> category in /etc/security/console.perms already including /dev/nvidia* and /dev/3dfx*. I don't see why the default/normal /dev/dri/* isn't part of this category...
I do not mind adding that to console.perms as group video, but I thought you did not want that, or are my English skills broken again tonight?
That would at least bring it up to par with other 3D accel under Gentoo (which is what this bug is for).
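Added example, not part of the original thread: a shell check for the two states discussed above, the 660 root:root default that locks ordinary users out and the `Mode 0666` setting that opens the nodes to every account. The function names `classify_node` and `audit_dri` are hypothetical, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: audit permissions on DRI device nodes.

# classify_node PATH prints one of:
#   world-accessible  any "other" permission bit is set (e.g. Mode 0666)
#   root-only         owner and group are root, no "other" access (660 root:root)
#   group:NAME        access limited to the owner plus group NAME
classify_node() {
    info=$(stat -c '%a %U %G' -- "$1") || return 1
    mode=${info%% *}
    rest=${info#* }
    owner=${rest%% *}
    group=${rest#* }
    other=${mode#"${mode%?}"}    # last octal digit holds the "other" bits
    if [ "$other" != 0 ]; then
        echo world-accessible
    elif [ "$owner" = root ] && [ "$group" = root ]; then
        echo root-only
    else
        echo "group:$group"
    fi
}

# audit_dri [DIR] prints one verdict per node (default DIR is /dev/dri)
# and returns 1 if any node is open to every local account.
audit_dri() {
    dir=${1:-/dev/dri}
    rc=0
    for node in "$dir"/*; do
        [ -e "$node" ] || continue
        verdict=$(classify_node "$node") || continue
        printf '%s\t%s\n' "$verdict" "$node"
        if [ "$verdict" = world-accessible ]; then
            rc=1
        fi
    done
    return "$rc"
}

audit_dri "${1:-/dev/dri}" || echo "world-accessible DRI nodes found" >&2
```

A `root-only` verdict corresponds to the state this bug reports, and `group:video` is the state proposed for console.perms.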
I will add it in my queue, but there are talks of the security guys reviewing the whole groups/permission issue, so it might change again in future.
If they're going to redo the security setup... Stick an ACL giving permissions to a group local_users and add the group local_users to a local login. Solves a lot of the security issues with the current setup.
More like sanitize the groups/permissions across the board. Problem with ACLs is not everybody uses them.
Well, if the permissions make use of it, then everyone would be using it. IIRC, there isn't an option to disable ACLs on devfs/tmpfs... It would be possible to avoid ACLs by simply using a local_users group as the primary group for devices, but then you can't have separate cdrw/disk/etc groups with non-local permission. ACLs are the only way to support *both* groups.
I fail to see why this is assigned to pam-bugs?
Still wanting to know what we have to do with this whole...