Non root Xorg
This guide provides instructions on running an X server with the permissions of a standard (non-root) user account.
This has been successfully tested using the Nouveau and Intel drivers. Note: configurations using the Intel modesetting driver provided via Mesa (e.g. for the i965 chipset) may not operate properly.
Some of this support is relatively recent, and it may be necessary to install unstable packages. If it does not work with stable, keywording certain packages may be necessary.
x11-base/xorg-server
x11-base/xorg-drivers
x11-drivers/xf86-input-keyboard
x11-drivers/xf86-input-mouse
x11-drivers/xf86-input-evdev
# Select from the following based on your video hardware; both may be needed for multi-GPU systems.
x11-drivers/xf86-video-nouveau
x11-drivers/xf86-video-intel
suid USE flag and rebuild Xorg:
emerge --update --deep --newuse --verbose --ask x11-base/xorg-server
Making necessary changes to system
Now you can run X as a user. However, because none of the login managers are currently capable of doing the necessary permission handling, some workarounds are needed. In particular, an X server run by the user needs to be able to access the /dev/input files, and it needs to be started directly by the user. Additionally, as with direct rendering, the unprivileged user also needs access to the video hardware, typically achieved by adding them to the video group (though certain login managers, such as ConsoleKit or systemd-logind, may handle this for you).
To access the /dev/input files, it is easiest to assign them to a dedicated group and allow the user to access them through that group.
The input group and the udev rules may already exist on many Gentoo systems. If they exist on your system, you can skip ahead to adding your user to the necessary groups.
Create a udev rule that assigns the /dev/input devices to the input group at boot:
SUBSYSTEM=="input", ACTION=="add", GROUP="input"
Reload the udev rules to apply the new permissions.
This may interfere with your input devices on the current
And finally, add your user to the necessary groups:
usermod -a -G input,video user
Log out and log back in (for the permissions changes to take effect), and then start X by running:
startx -- vt1
If logged in on
vt2, and so on.
X should now be running as an unprivileged user.
Running X as a normal user is generally a positive step for security, with the exception of multiuser or, especially, multiseat systems. With the direct access to input devices by the user, it becomes trivially possible to snoop on the input of another active user or run a background job to snoop on the input of a future user of the system. For such systems, it's likely better to choose a solution other than running X as the logged-in user (such as using setuid with a dedicated, unprivileged user or using setgid for the input group).
In this section we detail the "setgid" approach mentioned above.
The objective is to run X as an unprivileged user without adding that user to the input group. This prevents the user from accidentally or intentionally snooping on the input devices.
To achieve this, we use setgid so that when a user starts X, the X server itself is granted the input group's permission to access the input devices, while the user's own processes are not.
Change the ownership of /usr/bin/Xorg:
chown -v :input /usr/bin/Xorg
Change the file permission of /usr/bin/Xorg:
chmod -v g+s /usr/bin/Xorg
Now the user is no longer required to be in the input group to run the X server. To remove the user from the input group:
gpasswd -d user input
But the user still needs to be in the video group:
usermod -a -G video user
Now start X as a regular user (see above) and the X server should function normally.
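The following audit script is an added example and is not part of this wiki page. It checks the pieces the two approaches above configure (the special bits on the Xorg binary, the group and mode of the /dev/input nodes, and the user's group membership) so you can see which model a machine is actually running; the paths and the group name are parameters, with /usr/bin/Xorg and input as the guide's defaults.

```sh
#!/bin/sh
# Added audit script (not from the Gentoo wiki page). Checks the parts the
# guide configures: the Xorg binary's setuid/setgid bits, the group and
# "other" permissions of /dev/input nodes, and the user's group membership.

# Print how the Xorg binary gains privilege: setuid:<owner> (a setuid wrapper,
# X runs as that owner), setgid:<group> (the guide's setgid approach), or
# plain (X runs purely as the invoking user).
xorg_mode() {
  bin=$1
  [ -e "$bin" ] || { echo "missing"; return 1; }
  set -- $(ls -ld "$bin")            # $1=mode $3=owner $4=group
  if [ -u "$bin" ]; then echo "setuid:$3"
  elif [ -g "$bin" ]; then echo "setgid:$4"
  else echo "plain"; fi
}

# Check every device node in directory $1: group must be $2 and "other" must
# have neither read nor write, or any local account could read raw keystrokes.
# Prints each offending node and returns 1 if any were found.
input_devices_ok() {
  dir=$1; want=$2; bad=0
  for dev in "$dir"/*; do
    [ -e "$dev" ] && [ ! -d "$dev" ] || continue   # skip by-id/, by-path/
    set -- $(ls -ld "$dev")
    other=$(printf '%s' "$1" | cut -c8-9)
    if [ "$4" != "$want" ] || [ "$other" != "--" ]; then
      echo "$dev ($1 $3:$4)"; bad=1
    fi
  done
  return $bad
}

# Is the calling user (or user $2) a member of group $1, by name or by gid?
user_in_group() {
  for g in $(id -Gn ${2:+"$2"} 2>/dev/null) $(id -G ${2:+"$2"}); do
    [ "$g" = "$1" ] && return 0
  done
  return 1
}

# Summarise a live host using the guide's default paths and group.
audit_non_root_x() {
  echo "Xorg binary: $(xorg_mode /usr/bin/Xorg)"
  input_devices_ok /dev/input input >/dev/null && echo "/dev/input: ok" \
    || echo "/dev/input: nodes outside group input or world-accessible"
  user_in_group input && echo "user: in input group (direct access model)" \
    || echo "user: not in input group (setgid model, or no X input access)"
}
```

Run `audit_non_root_x` on the host: with the setgid approach you expect `setgid:input`, a clean /dev/input and the user outside the input group; with the direct approach you expect `plain` and the user inside it.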
- startx fails with xorg-server 1.20 [Solved, with conditions] (https://forums.gentoo.org/viewtopic-p-8277722.html)