On Sun, 2020-06-21 at 22:09 +0200, Piotr Karbowski wrote:
> Hi,
>
> Re-sending news item inline.
>
> ###
>
> Title: xorg-server dropping default suid
> Author: Piotr Karbowski <slashbeast@g.o>
> Posted: 2020-06-22
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: x11-base/xorg-server
>
> The Gentoo X11 Team is announcing that starting with 15th of July,
> the x11-base/xorg-server will no longer default to suid and will default
> to using logind interface instead. This change makes xorg-server run as
> regular user rather than root by default, however, those who do not have
> any logind interface provider (either systemd or elogind) will need to
> enable either to make it possible to run X session as unprivileged user.

No offense but it sounds a little chaotic to me. How about something
like:

Starting 2020-07-15 [use ISO dates, please], x11-base/xorg-server will
default to using logind interface instead of suid by default. It will
result in ... [what? better security?] through running the server
as a regular user instead of root. However, this will require our users
to use a logind provider such as elogind or systemd.

> No action is required from systemd and desktop profile users, since
> systemd provides logind interface, and desktop profile already enables
> 'elogind' USE flag globally.
>
> Rest of the non-systemd users is required to globally enable 'elogind'

The remaining users are ... 'elogind' [or 'systemd'?]

> USE flag and apply it by 'emerge --newuse @world'

Cut sentence here.

> , after which, re-login
> is required so that PAM can allocate seat.

Afterwards, ...

>
> One can confirm that a seat has been assigned upon login by running:
>
> $ loginctl user-status
>
> Those who for whatever reason want to preserve current state, while
> heavily discourage, can still use x11-base/xorg-server with 'suid -elogind'.

'whatever reason' doesn't sound professional. How about:

Users who do not wish to use logind interface can manually reenable
'suid' flag in order to preserve the previous behavior. However, please
note that this is heavily discouraged... [maybe explain why? also, are
we going to eventually remove it?]

--
Best regards,
Michał Górny
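
The check below is an added example, not part of the thread or of the news item: it audits the two outcomes the news item describes, that the X server binary no longer carries the setuid bit and that logind assigned a seat to the session. The function names, the `/usr/bin/Xorg` fallback path and the use of `loginctl show-session -p Seat` (instead of the `loginctl user-status` command quoted above) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the two outcomes the news item
# describes: the X server no longer carries the setuid bit, and the login
# session was given a seat by logind.

# True if the file at $1 has the setuid bit set.
has_suid_bit() {
    [ -u "$1" ]
}

# Read "Key=value" properties (as printed by `loginctl show-session`) on
# stdin and print the Seat value; prints nothing if no seat is assigned.
seat_from_props() {
    sed -n 's/^Seat=//p' | head -n 1
}

# audit XORG_PATH SESSION_PROPS
# Prints a one-line verdict; exit status is 0 only when both checks pass.
audit() {
    if has_suid_bit "$1"; then
        echo "suid-still-set"
        return 1
    fi
    seat=$(printf '%s\n' "$2" | seat_from_props)
    if [ -z "$seat" ]; then
        echo "no-seat"
        return 2
    fi
    echo "ok seat=$seat"
}

# Live check, only when asked for. /usr/bin/Xorg is an assumed fallback path.
if [ "${1:-}" = "--live" ]; then
    xorg=$(command -v Xorg || echo /usr/bin/Xorg)
    props=$(loginctl show-session "${XDG_SESSION_ID:-}" -p Seat 2>/dev/null)
    audit "$xorg" "$props"
fi
```

Run it with `--live` from inside the freshly logged-in session; `no-seat` after the USE flag change usually means the re-login step was skipped.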