Gentoo Archives: gentoo-dev

From: Piotr Karbowski <slashbeast@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
Date: Mon, 25 May 2020 21:41:32
Message-Id: 1603e334-99b0-20de-d3cb-581b2a6dc8c9@gentoo.org
1 Hi,
2
3 For years the xorg-server in Gentoo was defaulting to be running with
4 suid, even those that does not really require it, like systemd users and
5 those who runs elogind still end up with X as uid 0 because of +suid
6 default.
7
8 Times has changed, we now have +elogind in desktop profile, xorg-server
9 can no longer work without udev (due to input drivers), so there's no
10 real benefit for defaulting to suid.
11
12 There are 3 common ways the xorg-server is started:
13
14 - via XDM of some sort, usually forked as root, does not require suid,
15 systemd or elogind.
16 - via better XDM that can into logind interface, started as regular user
17 thanks to logind interface provided by either systemd or elogind.
18 - via `startx`, if systemd or elogind are present, can work without
19 suid, without them, suid is required.
20
21 Flipping current '+suid (-)elogind' as *default* USE flags on ebuild
22 level into '+elogind (-)suid' will not affect first two use cases, and
23 affect only 3rd one if neither systemd is used, or elogind is enabled.
24
25 What I'd like to go with is to enable elogind and disable suid on ebuild
26 level. The systemd profiles have use.mask for elogind, meaning it's not
27 a problem for them. and those who do not want to use any logind provider
28 can still opt-out out of it and go back to use suid. It shouldn't really
29 affect most of the users in any negative way, if anything, it will make
30 more users to not run Xorg as root, which is a positive aspect.
31
32 The alternative way would be to enable elogind on default profile,
33 however it would also affect those who run headless Gentoo, of which a
34 lot refuse to use any login manager.
35
36 So, dear people of Gentoo, what do you think about turning the current
37 possible opt-out of Xorg as root into possible opt-in for running Xorg
38 as root? People still will have a choice, just the defaults will be more
39 sane.
40
41 -- Piotr.

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default. Philip Webb <purslow@××××××××.net>
Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default. "Haelwenn (lanodan) Monnier" <contact@×××××××××.me>