0

/dev/dri/renderD128 should only be accessible to root or users in the render group as per:


project_kohli% ls -lha /dev/dri/renderD128                     
crw-rw----+ 1 root render 226, 128 May 26 09:43 /dev/dri/renderD128

However I can see a number of applications which are NOT running as root accessing the file descriptor directly:

                     USER            PID   ACCESS COMMAND
/dev/dri/renderD128: root            3389   F.... Xorg
                     project_kohli   6392   F.... xfwm4
                     project_kohli   9472   F.... firefox-esr
                     project_kohli   9364   F.... totem

Interestingly these are all applications that need to render Video directly (such as Totem Video Player).

Anyway, getting back to the question, application firefox-esr is running as user project_kohli.

project_kohli% ps -aux | grep firefox-esr

project_kohli    9472  5.3  5.2 12545580 74632 ?     Sl   13:13   3:23 /usr/lib/firefox-esr/firefox-esr

User project_kohli is not in the render group.

project_kohli% cat /etc/group | grep render
render:x:115:

Why is /dev/dri/renderD128 accessible to applications running with my user?

Improve this question
3
  • 1
    In addition to the ACL (which is the correct answer here) it is also possible for a privileged process to open the device, and pass the open file descriptor to another process, because permissions are checked only when opening. Commented May 26, 2024 at 13:05
  • Ah that is very interesting. I guess for system designers it is seen as capability passing, and perhaps preferable to making the other process run as root as well. But this also means answering the "who can access what" question is now more difficult. Commented May 27, 2024 at 7:20
  • yes, also it is possible to perform one-time operations on the file descriptor before handing it over, such as attaching the swapchain to a compositor. Commented May 27, 2024 at 11:37

1 Answer 1

Reset to default
0 
crw-rw----+

Did you notice the plus sign at the end of the permissions string?

It means the device node has an Access Control List on it, and so you'll need the getfacl /dev/dri/renderD128 command to see the complete set of permissions on it.

The result will probably be similar to this:

getfacl: Removing leading '/' from absolute path names
# file: dev/dri/renderD128
# owner: root
# group: render
user::rw-
user:project_kohli:rw-
group::rw-
mask::rw-
other::---

indicating that in addition to the classic owner/group/other permissions, there is an ACL granting read/write access to a named user, in this case project_kohli.

Typically this is caused by a TAG+="uaccess" in the udev rule for the device. It causes the login/logout mechanism (specifically systemd-logind on systems using systemd) to add read+write permissions to this device for locally logged-in users, and to remove those permissions on logout.

If your GUI desktop environment includes the capacity of switching between multiple locally logged-in users, this mechanism is extended to grant access to the user that is currently actively holding the local seat (= the group of devices under control of the active locally logged-in user).

Remote sessions, like SSH sessions, won't normally get this kind of access at all: you don't want other users to be able to remotely peek at your display or manipulate it, do you?

If you do want to allow multiple users to share access to the renderD128 device, that's what the render group is for. Once the system administrator adds someone's account to the render group, that user will always be able to access that device: from remote sessions, from cron jobs, or from switched-out local GUI sessions.

Improve this answer
4
  • I think more precisely, the ACL is added / removed when the "seat" is taken / released by a user / session. (Say two users have logged in and you switch tty back and forth. Also consider SSH sessions.) Commented May 26, 2024 at 9:21
  • @TomYan Edited - is this what you meant? Commented May 26, 2024 at 9:51
  • Well, regarding SSH sessions I really meant that because they are "seatless", so they won't trigger the effect of uaccess. But then of course, if there is also an active local / "seatful" session, the ACL will still kick in. (So if you relies on uaccess, you could bump into seemingly "inconsistent" / "unexpected" behavior.) AFACIT it doesn't really have anything to do with security (but more like SSH isn't really part of the "desktop experience", or that multiple sessions can be active in parallel). Commented May 26, 2024 at 9:59
  • Thank you. That was very informative. Commented Jun 1, 2024 at 9:15

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.