| 1 |
On Sun, 2020-06-21 at 22:09 +0200, Piotr Karbowski wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> Re-sending news item inline. |
| 5 |
> |
| 6 |
> ### |
| 7 |
> |
| 8 |
> Title: xorg-server dropping default suid |
| 9 |
> Author: Piotr Karbowski <slashbeast@g.o> |
| 10 |
> Posted: 2020-06-22 |
| 11 |
> Revision: 1 |
| 12 |
> News-Item-Format: 2.0 |
| 13 |
> Display-If-Installed: x11-base/xorg-server |
| 14 |
> |
| 15 |
> The Gentoo X11 Team is announcing that starting with 15th of July, |
| 16 |
> the x11-base/xorg-server will no longer default to suid and will default |
| 17 |
> to using logind interface instead. This change makes xorg-server run as |
| 18 |
> regular user rather than root by default, however, those who do not have |
| 19 |
> any logind interface provider (either systemd or elogind) will need to |
| 20 |
> enable either to make it possible to run X session as unprivileged user. |
| 21 |
|
| 22 |
No offense but it sounds a little chaotic to me. How about something |
| 23 |
like: |
| 24 |
|
| 25 |
Starting 2020-07-15 [use ISO dates, please], x11-base/xorg-server will |
| 26 |
default to using logind interface instead of suid by default. It will |
| 27 |
result in ... [what? better security?] through running the server |
| 28 |
as a regular user instead of root. However, this will require our users |
| 29 |
to use a logind provider such as elogind or systemd. |
| 30 |
|
| 31 |
> No action is required from systemd and desktop profile users, since |
| 32 |
> systemd provides logind interface, and desktop profile already enables |
| 33 |
> 'elogind' USE flag globally. |
| 34 |
> |
| 35 |
> Rest of the non-systemd users is required to globally enable 'elogind' |
| 36 |
|
| 37 |
The remaining users are ... 'elogind' [or 'systemd'?] |
| 38 |
|
| 39 |
> USE flag and apply it by 'emerge --newuse @world' |
| 40 |
|
| 41 |
Cut sentence here. |
| 42 |
|
| 43 |
> , after which, re-login |
| 44 |
> is required so that PAM can allocate seat. |
| 45 |
|
| 46 |
Afterwards, ... |
| 47 |
|
| 48 |
> |
| 49 |
> One can confirm that a seat has been assigned upon login by running: |
| 50 |
> |
| 51 |
> $ loginctl user-status |
| 52 |
> |
| 53 |
> Those who for whatever reason want to preserve current state, while |
| 54 |
> heavily discourage, can still use x11-base/xorg-server with 'suid -elogind'. |
| 55 |
|
| 56 |
'whatever reason' doesn't sound professional. How about: |
| 57 |
|
| 58 |
Users who do not wish to use logind interface can manually reenable |
| 59 |
'suid' flag in order to preserve the previous behavior. However, please |
| 60 |
note that this is heavily discouraged... [maybe explain why? also, are |
| 61 |
we going to eventually remove it?] |
| 62 |
|
| 63 |
-- |
| 64 |
Best regards, |
| 65 |
Michał Górny |
Archives