Contributed by jj on from the you-are-surrounded-drop-your-privs dept.
In OpenBSD-current, after this commit, users of Intel and ATI Radeon graphics chips that support kernel mode setting (almost all of them) can set machdep.allowaperture back to 0 in the /etc/sysctl.conf configuration file and still run the X server.
This means that the X server requires no special privilege to access kernel memory or I/O devices directly, and, thanks to the privilege separation code, that most of the code in the X server will also not run as root. Keeping this special direct access to the hardware through the aperture driver was one of the major drawbacks of privilege separation in X, as pointed out in a paper by Loic Duflot at CanSecWest 2006.
Note that the warning about CheckDevMem failing to open /dev/xf86 and /dev/mem can be safely ignored.
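The article's advice is a one-line change to /etc/sysctl.conf. The script below is an added example (not part of the article or of OpenBSD) showing how an administrator can audit a sysctl.conf-style file for the machdep.allowaperture setting and report whether the X server would still be handed direct hardware access. It assumes that an absent key means the hardened value 0, and the sample files it writes are constructed for the demonstration.

```shell
# Added example, not from the original article or from OpenBSD itself.
# Assumption: a file that never sets machdep.allowaperture is treated as
# the hardened value 0, the value the article says KMS users can return to.

# Print the last machdep.allowaperture value assigned in the given file.
# Comment lines and surrounding whitespace are ignored; "0" if unset.
aperture_setting() {
    value=$(sed -n 's/^[[:space:]]*machdep\.allowaperture[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${value:-0}"
}

# Succeed (exit 0) only when the file leaves the X server without aperture access.
aperture_hardened() {
    [ "$(aperture_setting "$1")" = "0" ]
}

# Constructed sample files so the script runs stand-alone.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# What the installer writes when told X will be run (constructed sample).
printf 'machdep.allowaperture=2\n' > "$tmp/installer.conf"
# The same file after following the article: old line commented out, value reset to 0.
printf '# machdep.allowaperture=2\nmachdep.allowaperture=0\n' > "$tmp/hardened.conf"

for f in "$tmp/installer.conf" "$tmp/hardened.conf"; do
    if aperture_hardened "$f"; then
        echo "$f: allowaperture=$(aperture_setting "$f"), X server runs without aperture access"
    else
        echo "$f: allowaperture=$(aperture_setting "$f"), X server still gets direct hardware access"
    fi
done
```

To check a live system, call `aperture_hardened /etc/sysctl.conf`; since the article notes that the commit only covers KMS-capable Intel and Radeon hardware, a non-zero result on other hardware is expected rather than a misconfiguration.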
By Anonymous Coward (86.152.146.213) on
By Anonymous Coward (68.100.144.141) on
Or does this change mean we have reached the point where the installer no longer has to ask if we're going to run X?
By Amit Kulkarni (amitkulz) on
>
> Or does this change mean we have reached the point where the installer no longer has to ask if we're going to run X?
Hopefully. I did as recommended and it just works!
Thanks a ton.
By Noryungi (noryungi) on
Hmmm... The way I understand this article is that (a) the installer will still ask the question about running X and set the aperture to 2 but (b) after installation is complete, if your video card is supported, you will be able to reset the aperture to 0 and enjoy the security goodness.
If a dev reading this can correct or confirm what I just wrote, it would be greatly appreciated.
By Anonymous Coward (199.185.137.1) on
>
> Hmmm... The way I understand this article is that (a) the installer will still ask the question about running X and set the aperture to 2 but (b) after installation is complete, if your video card is supported, you will be able to reset the aperture to 0 and enjoy the security goodness.
>
> If a dev reading this can correct or confirm what I just wrote, it would be greatly appreciated.
Correct, at the moment, it requires this manual step.
We hope to make this entirely automatic by the 5.6 release...
By Chris Cappuccio (chriscappuccio) chris@nmedia.net on http://www.nmedia.net/chris/
By Srikant (115.114.17.146) on
Most of the time, when I learn about a particular class of vulnerability via some conference video, OpenBSD is already safe: NTP reflection DDoS, LD_PRELOAD, X.org priv sep and so many others.