Contributed by jj on from the you-are-surrounded-drop-your-privs dept.
In OpenBSD-current, after this commit users of Intel and ATI Radeon graphics which support kernel mode setting (almost all of them) can set machdep.allowaperture back to 0 in the /etc/sysctl.conf configuration and still run the X server.
This means that the X server requires no special privilege to access kernel memory or I/O devices directly, and, thanks to the privilege separation code, that most of the code in the X server will also not run as root.
Keeping this special direct access to the hardware through the aperture driver was one of the major drawbacks of privelege separation in X, as pointed out by a paper by Loic Duflot at CANSECWEST 2006.
Note that the warning about CheckDevMem failing to open /dev/xf86 and /dev/mem can be safely ignored.
(Comments are closed)