The `video` group mixes permissions for video output and input devices
TLDR: when a user is made a member of the `video` group in order to have access to webcam devices, that user and all their processes also have unrestricted access to raw video output device nodes.
I have reported this upstream to `eudev` too, but I wouldn't count on this being fixed soon.
Wayland compositors use something like `seatd` or `elogind` to access video output hardware and input devices (mouse, keyboards, etc). This means that they don't need access to the hardware device itself. The recommendation from upstream (e.g.: developers of compositors and tools like `seatd`) is that users don't need to be a member of the `video` group. This prevents other user processes from having unrestricted access to the video output device.
If a user account can't access the device nodes, then neither can the processes or sandboxes that this user spawns.
Currently on Alpine, the `video` group has two purposes:
- Granting access to video output devices (e.g.: `drm`).
- Granting access to video input devices such as webcams.
If I want an account to have access to a webcam, it also immediately gets access to the hardware rendering device (and can, for example, screen-record what other users are doing, screen-spoof, etc).
Potential solution
I think that the correct fix for this is:
- Keep using the `video` group for video output devices (this minimises breakage for existing installations).
- Use the `camera` group for webcams and other video input devices.
This requires patching several `udev` rules, both from `eudev` itself and third party rules.
This is a breaking change, and should be announced as such (it requires user intervention in most scenarios which make use of this group). I think that this specific approach is the least-breaking one, since it won't break existing Alpine installations which actually do require direct access to video hardware.
Sadly, this might spawn a wave of "my webcam stopped working" questions on IRC.
Before sending out patches, I'd like to hear what others think about this. This issue affects both Alpine and upstream, so this might need to be a coordinated effort.
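
An audit for the overlap described in this report, as an added example that is not part of the original post: it lists every group whose members get read/write access to both video output and video input nodes. The function names, the `/dev/dri/*` and `/dev/video*` path classification, and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list groups whose members can open both video output
# (DRM) and video input (V4L2) nodes. Function names are illustrative.

# classify_node PATH: print "output", "input" or "other".
classify_node() {
    case "$1" in
        /dev/dri/*)  echo output ;;  # assumption: DRM device nodes
        /dev/video*) echo input ;;   # assumption: V4L2 nodes (webcams)
        *)           echo other ;;
    esac
}

# group_can_rw MODE: succeed when the octal mode's group digit has r and w.
group_can_rw() {
    rest=${1%?}                   # drop the "other" digit
    gdigit=${rest#"${rest%?}"}    # last remaining digit holds the group bits
    case "$gdigit" in 6|7) return 0 ;; *) return 1 ;; esac
}

# mixed_groups: read "PATH GROUP MODE" lines on stdin and print each group
# that has read/write access to at least one output and one input node.
mixed_groups() {
    out_groups=" " in_groups=" "
    while read -r path group mode; do
        group_can_rw "$mode" || continue
        case "$(classify_node "$path")" in
            output) out_groups="$out_groups$group " ;;
            input)  in_groups="$in_groups$group " ;;
        esac
    done
    for g in $out_groups; do
        case "$in_groups" in *" $g "*) echo "$g" ;; esac
    done | sort -u
}

# Constructed sample data: one shared group, then the proposed split.
current='/dev/dri/card0 video 660
/dev/video0 video 660'
proposed='/dev/dri/card0 video 660
/dev/video0 camera 660'
echo "current:  $(printf '%s\n' "$current" | mixed_groups)"
echo "proposed: $(printf '%s\n' "$proposed" | mixed_groups)"
# On a real system: stat -c '%n %G %a' /dev/dri/* /dev/video* | mixed_groups
```

An empty result means no single group membership opens both classes of device node.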