Subject: Re: aperture driver?
To: Matthias Scheler <tron@lyssa.owl.de>
From: Chris G. Demetriou <cgd@pa.dec.com>
List: port-i386
Date: 06/30/1998 18:10:57
> In article <199806292255.SAA19957@jekyll.piermont.com>,
> "Perry E. Metzger" <perry@piermont.com> writes:
> > 1) It won't increase your security.
>
> IMHO it does. It only allows access for *one* application. So if you start
> your X11 server via "xdm" during system startup no other application can
> access it.
Except then, a root-privs process can _kill_ xdm and the X server...

A large part of the kernel 'security' model has to do with preventing
even root from performing certain operations. The aperture driver
lessens those protections in such a way that if it's in the system, a
'smart' user process can take over the system just as if 'options
INSECURE' were set. The amount of 'smarts' necessary is surprisingly
small.
cgd