| 1 |
[2020-05-25 23:41:23+0200] Piotr Karbowski: |
| 2 |
> There are 3 common ways the xorg-server is started: |
| 3 |
> |
| 4 |
> - via XDM of some sort, usually forked as root, does not require suid, |
| 5 |
> systemd or elogind. |
| 6 |
|
| 7 |
Launching X as root and having it be suid is quite the same thing… |
| 8 |
|
| 9 |
> - via better XDM that can into logind interface, started as regular user |
| 10 |
> thanks to logind interface provided by either systemd or elogind. |
| 11 |
> - via `startx`, if systemd or elogind are present, can work without |
| 12 |
> suid, without them, suid is required. |
| 13 |
|
| 14 |
btw I tried startx without suid a while ago, you can start it with your user |
| 15 |
in the right groups (input, video), which means that now every program that |
| 16 |
you run can snoop input devices and mess with your video outputs. |
| 17 |
And X couldn't properly manage DRM master control because you could set |
| 18 |
the DRM master but not drop it (kernel bug but "linux maintains bugs" and |
| 19 |
there is no capabilities to fix it, which could allow to avoid extra groups). |
| 20 |
|
| 21 |
I don't have something like elogind and likely will not as last time I looked |
| 22 |
at how it worked, it felt like reading about an unstable backdoor more than |
| 23 |
anything else. I'd rather have proper permissions in the kernel. |
| 24 |
|
| 25 |
> Flipping current '+suid (-)elogind' as *default* USE flags on ebuild |
| 26 |
> level into '+elogind (-)suid' will not affect first two use cases, and |
| 27 |
> affect only 3rd one if neither systemd is used, or elogind is enabled. |
| 28 |
> |
| 29 |
> What I'd like to go with is to enable elogind and disable suid on ebuild |
| 30 |
> level. The systemd profiles have use.mask for elogind, meaning it's not |
| 31 |
> a problem for them. and those who do not want to use any logind provider |
| 32 |
> can still opt-out out of it and go back to use suid. It shouldn't really |
| 33 |
> affect most of the users in any negative way, if anything, it will make |
| 34 |
> more users to not run Xorg as root, which is a positive aspect. |
| 35 |
> |
| 36 |
> The alternative way would be to enable elogind on default profile, |
| 37 |
> however it would also affect those who run headless Gentoo, of which a |
| 38 |
> lot refuse to use any login manager. |
| 39 |
> |
| 40 |
> So, dear people of Gentoo, what do you think about turning the current |
| 41 |
> possible opt-out of Xorg as root into possible opt-in for running Xorg |
| 42 |
> as root? People still will have a choice, just the defaults will be more |
| 43 |
> sane. |
| 44 |
|
| 45 |
I think you could have `xorg-server -suid` in the desktop profile, as you |
| 46 |
have elogingd there but on the ebuild level I'm not so sure. |
| 47 |
I'm not particularly against it but then should definitely come with a warning |
| 48 |
and it'll require users to notice the change and warning so they don't end |
| 49 |
up with a broken gentoo after an update. |
Archives