On Wed, Aug 29, 2012 at 8:33 PM, Tom Callaway <tcallawa(a)redhat.com> wrote:
> The core issue behind why dfbinfo doesn't run as a "normal" user is due
> to the fact that the Linux kernel requires CAP_SYS_TTY_CONFIG to do any
> TTY ioctl() calls. UID 0 (root) has that, but normal users do not. It is
> possible to give a binary that capability using the "setcap" command.
> The missing udev rules also factor into this, I suspect.
>
> Last but not least, I believe a normal user needs to be in at least the
> "tty" and "video" groups. (and they need to be active, as reported by
> `groups`). Since there is no real way to handle this in the package, it
> just needs to be done by any user who wants to use dfbinfo:
>
> usermod -a -G tty video USERNAME
>
> I made an updated package (1.6.1) that has these fixes applied and sets
> the CAP_SYS_TTY_CONFIG capability to the dfbinfo binary. (Other DirectFB
> binaries probably need the same magic, but as I am not a DirectFB user,
> I can't really say which ones.)
Per http://forums.grsecurity.net/viewtopic.php?f=7&t=2522 , giving the
program CAP_SYS_TTY_CONFIG is basically equivalent to making it
setuid-root. Was the code designed to be run in such a risky setup?
Mirek
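An added audit helper (not from this thread or the DirectFB package) for the two things the exchange turns on: which binaries on a system carry CAP_SYS_TTY_CONFIG in their effective file capability set, and whether a user is in the "tty" and "video" groups. It assumes the `getcap -r` output formats of libcap (older "path = caps+flags", newer "path caps=flags"); the sample lines below are constructed, not taken from a real host.

```shell
#!/bin/sh
# Print every path whose file capabilities put cap_sys_tty_config in the
# effective set. $1 is getcap output, one "<path> = <caps>" (older libcap)
# or "<path> <caps>" (libcap >= 2.41) line per binary.
flag_tty_config_caps() {
    printf '%s\n' "$1" | awk 'NF >= 2 {
        path = $1
        caps = $NF                      # e.g. cap_sys_tty_config+ep or cap_net_raw=ep
        if (index(caps, "=") > 0) {     # newer format: names=flags
            n = split(caps, parts, "=")
        } else {                        # older format: names+flags
            n = split(caps, parts, "+")
        }
        names = parts[1]
        flags = (n > 1) ? parts[2] : ""
        # "e" in the flag set means the capability is effective when the file runs
        if (index(names, "cap_sys_tty_config") > 0 && index(flags, "e") > 0)
            print path
    }'
}

# Return 0 when the space-separated group list in $1 contains both "tty"
# and "video"; on a live system pass "$(id -nG USERNAME)".
user_has_tty_video_groups() {
    for g in tty video; do
        case " $1 " in
            *" $g "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample in place of `getcap -r /usr/bin 2>/dev/null`.
SAMPLE_GETCAP='/usr/bin/dfbinfo = cap_sys_tty_config+ep
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/fbtool cap_sys_tty_config=p'

flag_tty_config_caps "$SAMPLE_GETCAP"        # prints only /usr/bin/dfbinfo
user_has_tty_video_groups "mirek video" || echo "user is missing tty or video"
```

The third sample line is deliberately "+p" only, so it is not reported: a permitted-but-not-effective capability does not get raised automatically for a binary that never calls into libcap.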