Difference between revisions of "Non root Xorg"
Xxc3nsoredxx (talk | contribs) (Add instructions for no logind provider) |
Slashbeast (talk | contribs) (Running without logind provider and without suid also requires hakcery to allow X process to access inputs -- it is unwanted edit -- Undo revision 1044582 by Xxc3nsoredxx (talk)) Tag: Undo |
||
| Line 3: | Line 3: | ||
{{Important|The logind provider does not provide the same level of access as the legacy SUID-enabled Xorg does. The elogind provider allows a locally seated user to be granted access to $TTY and input devices. Users who wish to start X remotely will need to take extra steps to ensure that a seat is given to the user from which they start X, or stay with the legacy behaviour of X with suid.}} | {{Important|The logind provider does not provide the same level of access as the legacy SUID-enabled Xorg does. The elogind provider allows a locally seated user to be granted access to $TTY and input devices. Users who wish to start X remotely will need to take extra steps to ensure that a seat is given to the user from which they start X, or stay with the legacy behaviour of X with suid.}} | ||
| − | == | + | == Requisites == |
=== The logind provider === | === The logind provider === | ||
| Line 17: | Line 17: | ||
{{RootCmd|rc-update add elogind boot}} | {{RootCmd|rc-update add elogind boot}} | ||
{{RootCmd|/etc/init.d/elogind start}} | {{RootCmd|/etc/init.d/elogind start}} | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
== Security issues with running xorg-server as root == | == Security issues with running xorg-server as root == | ||
| Line 123: | Line 94: | ||
* {{See also|Xorg}} | * {{See also|Xorg}} | ||
* {{See also|X server}} | * {{See also|X server}} | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
== References == | == References == | ||
Revision as of 15:34, 24 January 2022
This page describes how an unprivileged user can run Xorg without using suid.
The logind provider does not provide the same level of access as the legacy SUID-enabled Xorg does. The elogind provider allows a locally seated user to be granted access to $TTY and input devices. Users who wish to start X remotely will need to take extra steps to ensure that a seat is given to the user from which they start X, or stay with the legacy behaviour of X with suid.
Requisites
The logind provider
Currently there are two logind providers in Gentoo, systemd and elogind. Users of systemd profile and users of desktop profiles (both systemd and non-systemd ones) will already have a logind interface provided; users of OpenRC with default profile will be required to globally enable the elogind USE flag and update the system with emerge -ND @world. It is also required to re-login after elogind has been enabled, to activate it. If either the systemd or elogind USE flag is enabled on x11-base/xorg-server together with the suid USE flag, instead of installing with suid enabled, x11-base/xorg-server will be installed with suid-wrapper, which will only preserve suid if the graphics driver in use really requires root.
The elogind users are recommended to add elogind to the boot runlevel. While it is not strictly necessary, since elogind can be started upon receiving an event over dbus, it will clash with other services that depend on elogind, like fwupd, resulting in OpenRC trying to start already started elogind and thus failing to do so.
elogind service running
It is required to have elogind started in the boot runlevel so that pam_elogind can communicate with elogind daemon:
root #rc-update add elogind bootroot #/etc/init.d/elogind startSecurity issues with running xorg-server as root
Several vulnerabilities have been discovered in the X.Org X server. Missing input sanitising in X server extensions may result in local privilege escalation if the X server is configured to run with root privileges.[1] These vulnerabilities can result in an attacker accessing confidential information[2] as well as potentially bypassing protections provided by ASLR.[3]
Debian documentation and other online publications released after January 25, 2012 are under the MIT (Expat) License. [4][5]
Verification
Some popular display managers (like x11-misc/lightdm[6]) don't support an unprivileged user running Xorg.
After a graphical login, the X server should not be running under root but a regular user:
user $ps -fC XUID PID PPID C STIME TTY TIME CMD larry 712 711 3 14:56 tty1 00:02:20 /usr/bin/X -nolisten tcp -keeptty :0
Troubleshooting
Cannot start Xorg as regular user
The majority of problems with running Xorg as a user other than root after switching to elogind come down to issues with PAM. One can confirm that elogind is working by running loginctl user-status. If elogind is running correctly, the output should look something like this:
user $loginctl user-status
user (1000)
Since: Tue 2020-10-13 12:03:02 CDT; 2h 16min ago
State: active
Sessions: *1
Linger: no
Unit: user-1000.slice
If instead it shows an error, for example:
user $loginctl user-status
Failed to create bus connection: No such file or directory
or if startx still fails, then it's worth to check:
- Have the configuration files in /etc been updated after updating the system with the new USE flags? (dispatch-conf)
- (elogind users) Is there any trace of pam_elogind.so in /etc/pam.d/system-auth?
- Is the dbus service running?
- (elogind users) Is the elogind service running? (It may be desirable to run rc-update add elogind boot)
Framebuffer "Permission denied"
If starting Xorg as root works, but not as user, and the log file mentioned in the startx error contains the following line, then user cannot access the raw framebuffer device.
Xorg.0.log'"`UNIQ--pre-0000000C-QINU`"'
This can be fixed by adding user to the video group. In order to apply the new permissions, user must log out and log back in.
root #ls -l /dev/fb0
crw-rw----. 1 root video 29, 0 Apr 26 19:39 /dev/fb0
root #usermod -a -G video user
See also
- Xorg — an open source implementation of the X server.
- X server — the main component of the X Window system which abstracts the hardware and provides the foundation for most graphical user interfaces, like desktop environments or window managers, and their applications.
References
- ↑ "DSA-4758-1 xorg-server -- security update" Archived from "the original".
- ↑ "CVE-2020-14345". Archived from "the original".
- ↑ "CVE-2020-14347". Archived from "the original".
- ↑ The license information for Debian WWW Pages can be found "here". Archived from "the original".
- ↑ The MIT (Expat) License can be found "here". Archived from "the original".
- ↑ Support non-root X · Issue #18 · canonical/lightdm · GitHub, May 14th, 2018. Retrieved on January 17th, 2021