Non root Xorg

From Gentoo Wiki
Jump to: navigation, search

This guide provides instructions on running an X server with standard user account (non-root) permissions.

This has been successfully tested using Nouveau and Intel drivers. Note: configurations using Intel modesetting drivers provided via Mesa (e.g. for the i965 chipset), may not operate properly.[1]

Additional prerequisites

 As of Nov. 6, 2018, the information in this section is probably outdated. You can help the Gentoo community by verifying and updating this section.

Some of this support is relatively recent, and it may be necessary to install unstable packages. If it fails to work with stable, keywording certain packages may be necessary.

FILE /etc/portage/package.keywords
# Select from the following based on your video hardware, both may be needed for multi-GPU systems.

Rebuilding Xorg

Disable suid USE flag and rebuild Xorg:

FILE /etc/portage/package.use
x11-base/xorg-server -suid
root #emerge --update --deep --newuse --verbose --ask x11-base/xorg-server

Making necessary changes to system

Now you can run X as user, however because none of login managers are currently capable of doing necessary permission handling it needs some workarounds. In particular, X run by user needs to be able to access /dev/input files and it needs to be started directly as the user. Additionally, as with using direct rendering, the unprivileged user also needs access to the video hardware, typically achieved by adding them to the video group (though certain login managers, such as ConsoleKit or systemd-logind may handle this for you).

To access /dev/input files it's easiest to add them to group and allow user to access them.

The input group and udev rules may already exist on many Gentoo systems. If they exist for you, you may skip the steps before adding your user to the necessary groups.
root #groupadd input

Create udev rule to change /dev/input group on boot:

FILE /etc/udev/rules.d/99-dev-input-group.rules
SUBSYSTEM=="input", ACTION=="add", GROUP="input"

Reload udev rules to get the new permissions

This may interfere with your input devices on the current vty
root #/etc/init.d/udev reload

And finally, add your user to the necessary groups:

root #usermod -a -G input,video user

Log out and log back in (for the permissions changes to take effect), and then start X by running:

user $startx -- vt1

If logged in on tty1 use vt1; on tty2 use vt2, and so on.

X should now be running as an unprivileged user.

Security concerns

Running X as a normal user is generally a positive step for security, with the exception of multiuser or, especially, multiseat systems. With the direct access to input devices by the user, it becomes trivially possible to snoop on the input of another active user or run a background job to snoop on the input of a future user of the system. For such systems, it's likely better to choose a solution other than running X as the logged-in user (such as using setuid with a dedicated, unprivileged user or using setgid for the input group).

Alternative method

In this section we will detail "setgid" mentioned above.

The objective is to run X as an unprivileged user without adding a user to the input group. This can prevent user from accidentally or intentionally snooping on the input.

To achieve this goal we make use of setgid so that when a user starts X, the X server will be automatically granted permission to access input devices.

Change the ownership of /usr/bin/Xorg:

root #chown -v :input /usr/bin/Xorg

Change the file permission of /usr/bin/Xorg:

root #chmod -v g+s /usr/bin/Xorg

Now the user is not required to be in the input group to run X server. To remove the user from input group:

root #gpasswd -d user input

But the user still needs to be in the video group:

root #usermod -a -G video user

Now start X as a regular user (see above) and X server should function well.


  1. startx fails with xorg-server 1.20 [Solved, with conditions] (