Non root Xorg

This page describes how an unprivileged user can run Xorg without using suid.

The logind provider
Currently there are two logind providers in Gentoo: systemd and elogind. Users of the systemd profile and users of desktop profiles (both systemd and non-systemd ones) will already have a logind interface provided; users of OpenRC with the default profile will be required to globally enable the elogind USE flag and update the system with. It is also required to log in again after elogind has been enabled, to activate it. If either the systemd or elogind USE flag is enabled on together with the suid USE flag, instead of installing with suid enabled,  will be installed with suid-wrapper, which will only preserve suid if the graphics driver in use really requires root.

elogind users are advised to add elogind to the boot runlevel. This is not strictly necessary, since elogind can be started upon receiving an event over dbus, but on-demand starting clashes with other services that depend on elogind, like fwupd: OpenRC then tries to start the already started elogind and fails.

elogind service running
It is required to have elogind started in the boot runlevel so that pam_elogind can communicate with the elogind daemon:

No logind provider
It is also possible to run an X server as a non-root user without using a provider. The default behavior for is to find the first available virtual terminal  and to attempt to use that. This can cause issues if the is owned by, which is the default unless another user is currently logged in on it. Attempting to run at this point will cause an error similar to this:

provides a  option, where   refers to the  to use. Running  will launch  inside  which is owned by. The  argument is important since it marks the end of client arguments and the start of server options. In order to avoid having to manually specify (and remember) the currently active a line similar to the following can be added to the user's :

After re-sourcing the or logging out and logging back in, running startx will launch  in the currently active. Switching to and doing the same will launch a second instance inside that, both of which are running as.

Security issues with running xorg-server as root
Several vulnerabilities have been discovered in the X.Org X server. Missing input sanitising in X server extensions may result in local privilege escalation if the X server is configured to run with root privileges. These vulnerabilities can result in an attacker accessing confidential information as well as potentially bypassing protections provided by ASLR.

Verification
Some popular display managers (like ) don't support an unprivileged user running Xorg.

After a graphical login, the X server should be running as a regular user, not as root:
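One way to script this check, as an added example that is not part of the original page: the functions below read `ps -eo user=,pid=,comm=` output and flag any X server process owned by root. The process names matched and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which user owns each running X server process.
# Input format: "USER PID COMMAND" per line, as printed by
#   ps -eo user=,pid=,comm=
# Assumption: the X server shows up as Xorg, X, Xorg.bin or Xorg.wrap;
# adjust the list for the local setup.

classify_x_servers() {
    # Reads ps-style lines on stdin; prints one verdict line per X server.
    awk '
        $3 == "Xorg" || $3 == "X" || $3 == "Xorg.bin" || $3 == "Xorg.wrap" {
            # ps may print the numeric UID instead of the name, so accept both.
            verdict = ($1 == "root" || $1 == "0") ? "ROOT" : "OK"
            printf "%s pid=%s user=%s cmd=%s\n", verdict, $2, $1, $3
        }'
}

x_server_runs_as_root() {
    # Exit status 0 if any X server on stdin is owned by root, 1 otherwise.
    classify_x_servers | grep -q '^ROOT '
}

check_live_system() {
    # Same classification, applied to the processes of the running system.
    ps -eo user=,pid=,comm= | classify_x_servers
}

# Constructed sample input (not captured from a real system).
SAMPLE_ROOT='root 2210 Xorg
larry 2304 xterm'
SAMPLE_USER='larry 2210 Xorg
root 1 init
larry 2304 xterm'

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    check_live_system
fi
```

A line starting with `ROOT` means the server still holds root privileges, for example because the suid bit was preserved for the graphics driver in use.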

Cannot start Xorg as regular user
The majority of problems with running Xorg as a user other than root after switching to elogind come down to issues with PAM. One can confirm that elogind is working by running. If elogind is running correctly, the output should look something like this:

If instead it shows an error, for example:

or if still fails, then it is worth checking:


 * Have the configuration files in /etc been updated after updating the system with the new USE flags?
 * (elogind users) Is there any trace of pam_elogind.so in ?
 * Is the dbus service running?
 * (elogind users) Is the elogind service running? (It may be desirable to run )

Framebuffer "Permission denied"
If starting as  works, but not as, and the log file mentioned in the  error contains the following line, then  cannot access the raw framebuffer device.

This can be fixed by adding to the  group. In order to apply the new permissions, must log out and log back in.

External resources

 * [//www.x.org/releases/X11R7.5/doc/man/man1/startx.1.html startx(1)], the page describing the usage of startx.
 * [//www.x.org/releases/X11R7.5/doc/man/man1/Xorg.1.html Xorg(1)], the page describing the usage of Xorg.