Gentoo Archives: gentoo-dev

From: Philip Webb <purslow@××××××××.net>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
Date: Mon, 22 Jun 2020 04:03:13
Message-Id: 20200622040305.GJ2306@ca.inter.net
In Reply to: Re: [gentoo-dev] Re: News item: xorg-server dropping default suid by Matt Turner
200621 Matt Turner wrote:
> On Sun, Jun 21, 2020 at 4:53 PM Philip Webb <purslow@××××××××.net> wrote:
>> I've been running xorg-server as root for > 16 yr without any problems.
>> AFAIK there are no problems re exploits via I/net browsers,
>> which are started by my user as all such user software always is.
>> What might go wrong, if I continue to 'startx'
>> with 'xorg-server' merged with 'suid -elogind'
>> & without the '.xinitrc' line shown above in the Wiki ?
> For the majority of users -- those that use a graphics driver
> with kernel modesetting support -- , X only needs root access
> for a small set of things : accessing the DRM device node,
> accessing the input device nodes and some stuff around VTs.
> The rest of the time, X doesn't need root access.
> With elogind, those bits are handled in a small daemon
> and X no longer needs to run as root. Most people find that valuable,
> especially with the knowledge that there have been
> a number of security vulnerabilities that would allow arbitrary code
> execution in the xserver over the years [1].

The latest of those was announced in 2018
& all of them seem to involve privilege escalation by local users ;
those marked 'remote' all seem to be via off-site logins.
There doesn't appear ever to have been a genuine remote threat,
so single-user systems have never been threatened by xorg-server as root.

> [1] https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-8600/X.org-Xorg-server.html

So I ask again : Why is running 'xorg-server' as root "heavily discouraged" ?

There was a similar issue a few years ago,
when the game Nethack was threatened with removal from Gentoo
due to a security problem which affected only multi-user systems.
Is there any difference in this case of xorg-server ?

--
========================,,============================================
SUPPORT ___________//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT `-O----------O---' purslowatcadotinterdotnet

Replies

Subject Author
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid Piotr Karbowski <slashbeast@g.o>