Gentoo Archives: gentoo-dev

From: Rich Freeman <rich0@g.o>
To: gentoo-dev <gentoo-dev@l.g.o>
Subject: Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
Date: Tue, 26 May 2020 11:43:18
Message-Id: CAGfcS_neJtrDuJoJYQw5Y-NyS6Y9PGsWEceHQozBxCtMsFyEjQ@mail.gmail.com
In Reply to: Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default. by "Haelwenn (lanodan) Monnier"
1 On Tue, May 26, 2020 at 4:12 AM Haelwenn (lanodan) Monnier
2 <contact@×××××××××.me> wrote:
3 >
4 > [2020-05-25 23:41:23+0200] Piotr Karbowski:
5 > > There are 3 common ways the xorg-server is started:
6 > >
7 > > - via XDM of some sort, usually forked as root, does not require suid,
8 > > systemd or elogind.
9 >
10 > Launching X as root and having it be suid is quite the same thing…
11 >
12
13 Sort-of. An SUID X binary is a potential source of vulnerabilities
14 even if you never run it, since it is still sitting there and ready to
15 be exploited by somebody else. It also gives a user more control over
16 how X is launched as root (command lines/control over stdin/out, etc).
17 When X is launched as root by something the user doesn't control it
18 reduces the attack surface somewhat. And if you never launch X11 at
19 all it is just another unprivileged binary that can't do anything the
20 user can't already do with system calls.
21
22 In any case, setting suid on any binary is something that should only
23 be done if there is no other practical solution. It certainly seems
24 like this shouldn't be the default, especially if it is available for
25 users to toggle if they wish. We can always put out a news item when
26 this changes. If elogind is already enabled by default on a profile,
27 then it doesn't make sense to ship X11 suid with that same profile
28 when it isn't necessary. If a user wants to depart from the default
29 config to not use elogind then they can just change the USE flag on
30 xorg as well.
31
32 --
33 Rich