/usr/bin/Xorg is, and has been, setuid-root just about forever. I'm wondering whether there's any good reason for it to remain setuid-root.
Some arguments for setuid-root:
- People who still use startx or similar scripts need it.
- It's vaguely useful for testing xorg.conf changes.
Some arguments for clearing the setuid-root bit:
- People who use display managers (i.e. almost everyone) don't need it to be setuid-root.
- Xorg is a giant attack surface. Without setuid-root, only users sitting in front of the keyboard can try to attack it.
I suspect that most people would notice the difference if xorg-x11-server-Xorg got rid of the setuid-root bit.
Another option would be to only let users in a new xorg group run Xorg and to keep it setuid-root.
Thoughts? If people are generally in favor, I'll submit a change proposal. Despite the fact that the change would be a one-liner, it seems like a systemwide change.
(On a related note: what's the F21 change proposal submission deadline? I can't find it anywhere.)
--Andy
On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
/usr/bin/Xorg is, and has been, setuid-root just about forever. I'm wondering whether there's any good reason for it to remain setuid-root.
http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
Cheers, Peter
On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer peter.hutterer@who-t.net wrote:
On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
/usr/bin/Xorg is, and has been, setuid-root just about forever. I'm wondering whether there's any good reason for it to remain setuid-root.
This isn't actually the same thing. That proposal suggests running Xorg as a non-root user. I'm proposing dropping the setuid bit on the binary, which will have no effect on the uid of the running server. (Of course, my suggestion will interact w/ that change, since the process that starts Xorg will no longer be root.)
It may be that XorgWithoutRootRights will clear the setuid bit as well, though.
--Andy
I could have sworn there was a more recent discussion of this, but there is at least this thread from 2009:
https://lists.fedoraproject.org/pipermail/devel/2009-August/036086.html
Also:
http://lwn.net/Articles/546537/
(discussion about the last revoke() discussion on linux-kernel).
kevin
On Wed, Jan 8, 2014 at 3:18 PM, Kevin Fenzi kevin@scrye.com wrote:
I could have sworn there was a more recent discussion of this, but there is at least this thread from 2009:
https://lists.fedoraproject.org/pipermail/devel/2009-August/036086.html
Also:
http://lwn.net/Articles/546537/
(discussion about the last revoke() discussion on linux-kernel).
*sigh*. I'm obviously being unclear.
I am *not* proposing anything related to what uid the X server runs under. I'm proposing that, when a nonroot user types "Xorg" at the terminal, they don't cause a root-privileged X server to appear.
Since I doubt that many people run Xorg directly (unless they're up to no good), this should have no observable effect.
--Andy
Hi,
On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer peter.hutterer@who-t.net wrote:
On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
/usr/bin/Xorg is, and has been, setuid-root just about forever. I'm wondering whether there's any good reason for it to remain setuid-root.
This isn't actually the same thing. That proposal suggests running Xorg as a non-root user. I'm proposing dropping the setuid bit on the binary, which will have no effect on the uid of the running server. (Of course, my suggestion will interact w/ that change, since the process that starts Xorg will no longer be root.)
I don't think that will be very useful; it will likely cause more breakage than you think, as various display managers may already start Xorg inside the user session, at which point the suid bit is needed, and as you already said it will break xinit and friends.
Besides that, almost every Fedora system already has a copy of the X server running as root ready to be exploited. The attack surface of X is not its cmdline or attacks through environment settings (2 vectors your suggestion would close), but rather the gargantuan API it exposes over the X protocol itself.
It may be that XorgWithoutRootRights will clear the setuid bit as well, though.
Hopefully, either clear it completely or drop root rights very early on startup.
Regards,
Hans
On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
/usr/bin/Xorg is, and has been, setuid-root just about forever. I'm wondering whether there's any good reason for it to remain setuid-root.
[...]
- Xorg is a giant attack surface. Without setuid-root, only users
sitting in front of the keyboard can try to attack it.
Like, for example:
http://lists.x.org/archives/xorg-announce/2014-January/002389.html
https://bugzilla.redhat.com/show_bug.cgi?id=1049569
Perhaps this is what got you thinking about this?
Thoughts? If people are generally in favor, I'll submit a change proposal. Despite the fact that the change would be a one-liner, it seems like a systemwide change. (On a related note: what's the F21 change proposal submission deadline? I can't find it anywhere.)
No deadline yet -- go for it. You might also want to check into http://fedoraproject.org/wiki/Features/RemoveSETUID, which was a partially-successful effort to use capabilities instead of setuid across the system. (See for example /usr/bin/ping.)
However, that was about reducing from full setuid to what is effectively partial setuid (and see the discussion; it's only really meaningful in some cases). Removing the setuid bit entirely is new, as far as I know.
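A way to audit this on a running box, as an added example that is not from the thread: a POSIX shell script that classifies a binary as setuid-root, setuid to another user, file-capability based (the RemoveSETUID approach mentioned above, as with /usr/bin/ping) or unprivileged, and lists the setuid-root binaries on PATH. It assumes GNU or busybox find (for -maxdepth) and treats getcap as optional.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies how a binary gains
# privilege: setuid-root (the Xorg case), setuid to some other user,
# file capabilities instead of setuid (e.g. cap_net_raw on ping), or none.

classify_binary() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 1; }
    if [ -u "$f" ]; then
        # -prune keeps find on the file itself; -user root picks out
        # the setuid-root case, which is the one under discussion.
        if find "$f" -prune -user root -print 2>/dev/null | grep -q .; then
            echo "setuid-root"
        else
            echo "setuid-other"
        fi
    elif command -v getcap >/dev/null 2>&1 && getcap "$f" 2>/dev/null | grep -q '='; then
        # getcap prints "file = cap+ep" (old libcap) or "file cap=ep" (new);
        # both contain '=' only when capabilities are actually set.
        echo "file-caps"
    else
        echo "unprivileged"
    fi
}

# Every setuid-root binary reachable on PATH: this is what a user logged
# in only over ssh can still exec as root, which the proposal narrows.
list_setuid_root_on_path() {
    echo "$PATH" | tr ':' '\n' | while read -r d; do
        [ -d "$d" ] && find "$d" -maxdepth 1 -type f -perm -4000 -user root 2>/dev/null || true
    done | sort -u
}

# Usage: ./audit.sh /usr/bin/Xorg /usr/bin/ping   (classify given files)
#        ./audit.sh                                 (list setuid-root on PATH)
if [ "${1:-}" ]; then
    for b in "$@"; do printf '%s\t%s\n' "$(classify_binary "$b")" "$b"; done
else
    list_setuid_root_on_path
fi
```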
On Wed, Jan 8, 2014 at 5:45 PM, Matthew Miller mattdm@fedoraproject.org wrote:
Here it is:
https://fedoraproject.org/wiki/Changes/NonSetuidXorg
For amusement, try ssh-ing into a Fedora box that's sitting at the gdm prompt and type 'X :1'. IMO screwing with the box like that should require some kind of privilege for users who aren't in front of the keyboard.
--Andy