/dev/nvidia* is world writable

Bug #979307 reported by Kees Cook on 2012-04-11
This bug affects 3 people
Affects: nvidia-graphics-drivers (Ubuntu)

Bug Description

Leaving /dev/nvidia* world-writable exposes systems to future vulnerabilities even from remote users. This file should be limited to the console user instead (usually done with dynamic file ACLs).

Kees Cook (kees) on 2012-04-11
visibility: private → public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nvidia-graphics-drivers (Ubuntu):
status: New → Confirmed
Maarten Lankhorst (mlankhorst) wrote :

An easy workaround would be to change /lib/udev/rules.d/50-udev-default.rules:

KERNEL=="nvidia*|nvidiactl*", GROUP="video", MODE="0660"

However, that requires the current user to be in the video group, and that will probably cause a lot of issues on its own, since by default users are not part of the video group, and it is probably not a change you want to push except in a next major release.

Bryce Harrington (bryce) on 2012-05-07
Changed in nvidia-graphics-drivers (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Changed in nvidia-graphics-drivers (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Marc Deslauriers (mdeslaur) wrote :

How about adding nvidia* to /lib/udev/rules.d/70-udev-acl.rules and getting permissions added by consolekit?

Marc Deslauriers (mdeslaur) wrote :

OK, using udev doesn't work, as the device nodes and permissions are created by the binary driver when X starts.


Changed in nvidia-graphics-drivers (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → nobody
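
Because the binary driver creates the device nodes itself when X starts, the thing to verify is the live mode of /dev/nvidia* rather than the udev rules. The audit function below is an added example, not part of the original report or of the driver packaging; the name audit_nvidia_nodes and the output format are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: report the mode of every nvidia* node in a directory and
# flag world-writable ones. Function name and output format are illustrative.
# Requires GNU stat (coreutils) for the -c format option.

audit_nvidia_nodes() {
    dir=${1:-/dev}
    findings=0
    for node in "$dir"/nvidia*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$node" ] || continue
        mode=$(stat -c '%a' "$node")
        group=$(stat -c '%G' "$node")
        # The last octal digit holds the "other" permission bits;
        # 2, 3, 6 and 7 all include write.
        other=${mode#"${mode%?}"}
        case $other in
            2|3|6|7) status=WORLD-WRITABLE; findings=$((findings + 1)) ;;
            *)       status=ok ;;
        esac
        printf '%s %s %s %s\n' "$status" "$mode" "$group" "$node"
    done
    # Non-zero exit status when at least one node is world-writable.
    [ "$findings" -eq 0 ]
}

# Run after the X server has started, since the nodes do not exist before:
#   audit_nvidia_nodes /dev
```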
This report contains Public Security information
Everyone can see this security related information.
