1 |
[2020-05-25 23:41:23+0200] Piotr Karbowski: |
2 |
> There are 3 common ways the xorg-server is started: |
3 |
> |
4 |
> - via XDM of some sort, usually forked as root, does not require suid, |
5 |
> systemd or elogind. |
6 |
|
7 |
Launching X as root and having it be suid is quite the same thing… |
8 |
|
9 |
> - via better XDM that can into logind interface, started as regular user |
10 |
> thanks to logind interface provided by either systemd or elogind. |
11 |
> - via `startx`, if systemd or elogind are present, can work without |
12 |
> suid, without them, suid is required. |
13 |
|
14 |
btw I tried startx without suid a while ago, you can start it with your user |
15 |
in the right groups (input, video), which means that now every program that |
16 |
you run can snoop input devices and mess with your video outputs. |
17 |
And X couldn't properly manage DRM master control because you could set |
18 |
the DRM master but not drop it (kernel bug but "linux maintains bugs" and |
19 |
there is no capabilities to fix it, which could allow to avoid extra groups). |
20 |
|
21 |
I don't have something like elogind and likely will not as last time I looked |
22 |
at how it worked, it felt like reading about an unstable backdoor more than |
23 |
anything else. I'd rather have proper permissions in the kernel. |
24 |
|
25 |
> Flipping current '+suid (-)elogind' as *default* USE flags on ebuild |
26 |
> level into '+elogind (-)suid' will not affect first two use cases, and |
27 |
> affect only 3rd one if neither systemd is used, or elogind is enabled. |
28 |
> |
29 |
> What I'd like to go with is to enable elogind and disable suid on ebuild |
30 |
> level. The systemd profiles have use.mask for elogind, meaning it's not |
31 |
> a problem for them. and those who do not want to use any logind provider |
32 |
> can still opt-out out of it and go back to use suid. It shouldn't really |
33 |
> affect most of the users in any negative way, if anything, it will make |
34 |
> more users to not run Xorg as root, which is a positive aspect. |
35 |
> |
36 |
> The alternative way would be to enable elogind on default profile, |
37 |
> however it would also affect those who run headless Gentoo, of which a |
38 |
> lot refuse to use any login manager. |
39 |
> |
40 |
> So, dear people of Gentoo, what do you think about turning the current |
41 |
> possible opt-out of Xorg as root into possible opt-in for running Xorg |
42 |
> as root? People still will have a choice, just the defaults will be more |
43 |
> sane. |
44 |
|
45 |
I think you could have `xorg-server -suid` in the desktop profile, as you |
46 |
have elogingd there but on the ebuild level I'm not so sure. |
47 |
I'm not particularly against it but then should definitely come with a warning |
48 |
and it'll require users to notice the change and warning so they don't end |
49 |
up with a broken gentoo after an update. |