Re: F17: DirectFB


 



On Wed, Aug 29, 2012 at 8:33 PM, Tom Callaway <tcallawa@xxxxxxxxxx> wrote:
> The core issue behind why dfbinfo doesn't run as a "normal" user is due
> to the fact that the Linux kernel requires CAP_SYS_TTY_CONFIG to do any
> TTY ioctl() calls. UID 0 (root) has that, but normal users do not. It is
> possible to give a binary that capability using the "setcap" command.
>
> The missing udev rules also factor into this, I suspect.
>
> Last but not least, I believe a normal user needs to be in at least the
> "tty" and "video" groups. (and they need to be active, as reported by
> `groups`). Since there is no real way to handle this in the package, it
> just needs to be done by any user who wants to use dfbinfo:
>
>    usermod -a -G tty,video USERNAME
>
> I made an updated package (1.6.1) that has these fixes applied and sets
> the CAP_SYS_TTY_CONFIG capability to the dfbinfo binary. (Other DirectFB
> binaries probably need the same magic, but as I am not a DirectFB user,
> I can't really say which ones.)

Per http://forums.grsecurity.net/viewtopic.php?f=7&t=2522 , giving the
program CAP_SYS_TTY_CONFIG is basically equivalent to making it
setuid-root.  Was the code designed to be run in such a risky setup?
    Mirek
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
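
For auditing where a file capability like the one discussed above has been set, here is an added example (not part of the thread or of the DirectFB package) that parses `getcap -r` output in both the older `path = cap+ep` and newer `path cap=ep` styles and reports binaries whose permitted set includes CAP_SYS_TTY_CONFIG. The sample lines and all paths in them are constructed, and the function names are hypothetical.

```python
import re

# Capability named in the thread; extend this set to match local policy.
FLAGGED = {"cap_sys_tty_config"}
CLAUSE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")
ACTION = re.compile(r"([=+-])([eip]*)")

def parse_getcap_line(line):
    """Return (path, state); state maps capability name -> set of e/i/p flags."""
    rest, clauses = line.rstrip("\n"), []
    # Clauses contain no spaces, so peel them off the right; the remainder is
    # the path, which may itself contain spaces.
    while True:
        head, sep, tail = rest.rpartition(" ")
        if not sep or not CLAUSE.match(tail):
            break
        clauses.insert(0, tail)
        rest = head
    state = {"*": set()}  # "*" holds the flags of every capability not named
    for clause in clauses:
        names, actions = CLAUSE.match(clause).groups()
        named = names.split(",") if names not in ("", "all") else None
        for op, flags in ACTION.findall(actions):
            for cap in (named if named is not None else list(state)):
                # "=" clears the capability's flags before raising the listed ones
                base = set() if op == "=" else set(state.get(cap, state["*"]))
                state[cap] = base - set(flags) if op == "-" else base | set(flags)
    return rest, state

def audit(lines, flagged=FLAGGED):
    """List (path, capability, flags) where a flagged capability is permitted."""
    hits = []
    for line in lines:
        path, state = parse_getcap_line(line)
        for cap in sorted(flagged):
            flags = state.get(cap, state["*"])
            if "p" in flags:  # file-permitted caps go to any user who can exec the file
                hits.append((path, cap, "".join(sorted(flags))))
    return hits

SAMPLE = [  # constructed getcap output, not taken from a real system
    "/usr/bin/dfbinfo = cap_sys_tty_config+ep",   # older output style
    "/usr/bin/ping cap_net_raw=p",                # newer output style, not flagged
    "/opt/my app/helper =ep",                     # every capability, path with a space
    "/usr/bin/viewer =ep cap_sys_tty_config-ep",  # everything except the flagged one
    "/usr/bin/tool cap_sys_tty_config=i",         # inheritable only, not permitted
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```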


