Non root Xorg

This guide provides instructions on running an X server with standard user account (non-root) permissions.

Requisites
The  USE flag must be unset for package.

To unset the USE flag for package versions that set it by default, /etc/portage/package.use can be used:

If x11-base/xorg-server was installed with  set, it must be reinstalled after unsetting the USE flag:

Privileged operations
Running Xorg as an unprivileged process requires dealing with a set of operations that can only be carried out with appropriate privileges:


 * Video cards: X11 video drivers need to open, for reading and writing, the character special files that represent video cards (e.g. ), which requires an effective user and/or group that has the required permissions. DRM drivers also need, at certain times, a  ioctl or a  ioctl to be performed (using the Linux  system call) on the file descriptor that corresponds to the file, which requires the  capability.
 * Input devices: X11 input drivers need to open, for reading and writing, the character special files that represent input devices (e.g. ), which requires an effective user and/or group that has the required permissions.
 * Virtual terminals: Xorg needs a kernel virtual terminal. To take an unused virtual terminal, a character special file has to be opened for reading and writing, which requires an effective user and/or group that has the required permissions.

All possible setups must provide a way to have these operations performed.

Supported setups
Upstream's officially supported setup requires running a logind provider. Program is the logind provider for Gentoo with systemd, and elogind is available as a logind provider for Gentoo with other init systems.

The logind provider is a daemon that Xorg communicates with using the D-Bus protocol, and that performs all needed privileged operations on its behalf. The functionality is enabled by installing package with the   USE flag set for, or with the   USE flag set for , and is supported by recent versions of at least video driver packages ,  and , the  driver supplied by the x11-base/xorg-server package, and input driver packages  and.

When using this setup:


 * 1) The logind provider assigns the computer's devices to different seats, using information gathered from udev.
 * 2) The logind provider's PAM module ( for, and  for ) creates sessions for logged in users by sending a D-Bus METHOD_CALL message to the logind provider, specifying the   method of the  interface. Processes launched by, or on behalf of, logged in users are assigned to their corresponding session with the help of Linux cgroups, and every session is associated with a seat.
 * 3) At program startup, Xorg connects to the UNIX domain socket of the daemon that implements the system-wide message bus ( for package ).
 * 4) Xorg determines the session it belongs to, by sending a D-Bus METHOD_CALL message to the logind provider, specifying the   method of the  interface.
 * 5) Xorg tries to take exclusive managed device access-control for its session, by sending a D-Bus METHOD_CALL message to the logind provider, specifying the   method of the  interface, and the object path of the object that corresponds to the session ( ).
 * 6) Xorg requests from the logind provider file descriptors for each character special file it needs to read from and write to, by sending a D-Bus METHOD_CALL message, specifying the  method of the  interface, the object path of the object that corresponds to the session, and the file's major and minor device numbers. The logind provider grants the request only for files that correspond to devices assigned to the session's seat, and, for DRM devices, performs the  ioctl. Xorg gets the file descriptors from the bus daemon's UNIX domain socket via file descriptor passing (  control messages sent as ancillary data with a POSIX  call).

This setup also requires that the Xorg process have its standard input, output or error redirected to the virtual terminal it should use, to avoid opening a file. The logind provider's PAM module (via the XDG_VTNR environment variable) and Gentoo's default file already take care of this for users that launch Xorg with the  script.

Handling of input devices and video cards
Gentoo's standard udev setup sets the group of character special files that correspond to devices from the input and drm subsystems to (associated with acct-group category package ) and  (associated with acct-group category package ), respectively.

Therefore, an Xorg process that runs with its effective user ID set to that of the logged in user can be allowed to open those files, by adding those groups to the user's supplementary groups:

Where   is the name of that user's account. Logging out and then back in is necessary for the changes to take effect if the user was already logged in.

Security concerns for input devices
For multiuser or, especially, multiseat systems, allowing users to access input devices by being members of the  group makes it trivially possible to snoop on the input of another active user, or to run a background job capable of snooping on the input of a future logged in user. For such systems, it is likely better to choose a different solution.

Avoiding the addition of users to the input group
Setting the set-group-ID on execution file mode bit for the binary and changing its group can allow it to access input devices without adding users to the  group.

First, change the group of the binary to :

Then, change its file permissions:

Users still need to be members of the group, to allow Xorg to access video cards:

Where   is the name of the user's account.

Handling of DRM ioctls
No management of group membership can grant the  capability needed to perform the DRM ioctls. However, a simple program named  has been made available on GitHub, which must be installed with the set-user-ID on execution file mode bit set (i.e.  would show  or  ), and can perform  calls on behalf of other processes, with the help of  (from package ). The program gets open file descriptors for character special files from a UNIX domain socket via file descriptor passing (  control messages sent as ancillary data with a POSIX  call), and command-line options specify the requested ioctl. Several ebuilds suitable for a custom repository are available for the package in the Gentoo Forums.
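Both the logind provider (step 6 above) and the set-user-ID helper described here hand open descriptors across a UNIX domain socket. The following is an added example, not code from the Gentoo page or from the helper program: one side sends an open descriptor as SCM_RIGHTS ancillary data, the other receives it and, before acting on it, verifies that it is a character special file whose major/minor numbers match the device that was requested. The round trip uses a socketpair and /dev/null as a constructed stand-in for a device node; the DRM ioctl itself is left out because it needs a real DRM device and the privilege the text mentions.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>
/* Buffer for one SCM_RIGHTS control message carrying a single int descriptor. */
typedef union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } cmsg_buf;

/* Sender side: attach one open descriptor to a one-byte message via sendmsg(). */
int send_fd(int sock, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    cmsg_buf u = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receiver side: recvmsg() and extract the passed descriptor; -1 if none arrived. */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    cmsg_buf u = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Receiver-side check before acting on a passed fd: it must be a character special
 * file whose major/minor numbers match the device the request named. */
int is_same_char_device(int fd, unsigned maj, unsigned mnr) {
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISCHR(st.st_mode) &&
           major(st.st_rdev) == maj && minor(st.st_rdev) == mnr;
}

/* Round trip over a socketpair with /dev/null as a constructed stand-in for a device
 * node; returns 1 when the received descriptor refers to the expected device. */
int demo_roundtrip(void) {
    int sv[2], fd, rfd, ok = 0; struct stat st;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    if ((fd = open("/dev/null", O_RDWR)) < 0 || fstat(fd, &st) != 0) return 0;
    if (send_fd(sv[0], fd) == 0 && (rfd = recv_fd(sv[1])) >= 0) {
        ok = is_same_char_device(rfd, major(st.st_rdev), minor(st.st_rdev)); close(rfd);
    }
    close(sv[0]); close(sv[1]); close(fd);
    return ok;
}
```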

Patches are available for making the,  and  X.Org video drivers work with. The ebuilds for their corresponding packages (, and, respectively) can apply them as user patches in the usual way.

Handling of kernel virtual terminals
To prevent Xorg from opening files to take an unused kernel virtual terminal, it must be invoked with a  argument that matches the virtual terminal its standard input, output or error is redirected to. When using , X server options can be passed on the command line after a "--" marker (two consecutive dashes).

For example, for a user logged in on :