On Thu, Jan 9, 2014 at 11:43 AM, Hans de Goede <hdegoede(a)redhat.com> wrote:
> Hi,
> On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
>>
>> On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer <peter.hutterer(a)who-t.net>
>> wrote:
>>>
>>> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
>>>>
>>>> /usr/bin/Xorg is, and has been, setuid-root just about forever. I'm
>>>> wondering whether there's any good reason for it to remain
>>>> setuid-root.
>>>
>>> http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
>>
>> This isn't actually the same thing. That proposal suggests running
>> Xorg as a non-root user. I'm proposing dropping the setuid bit on the
>> binary, which will have no effect on the uid of the running server.
>> (Of course, my suggestion will interact w/ that change, since the
>> process that starts Xorg will no longer be root.)
> I don't think that that will be very useful, it will likely cause more
> breakage than you think, as various display-managers may already start
> Xorg inside the user session, at which point the suid bit is needed,
> and as you already said it will break xinit and friends.
This is an empirical question :) gdm on F20, at least, can still
switch users with the setuid bit cleared. I'll try to test some more
display managers.
> Besides that almost every Fedora system already has a copy of the X
> server running as root ready to be exploited. The attack surface of
> X is not its cmdline or attacks through environment settings
> (2 vectors your suggestion would close), but rather the gargantuan
> API it exposes over the X protocol itself.
There's currently a big attack surface if I run some daemon that gets
remotely pwned -- the attacker could start a brand new X server and
try to exploit it. On the other hand, they'd have a much more limited
attack surface against the already running daemon, because they'll
have trouble getting past the X authentication checks.
>> It may be that XorgWithoutRootRights will clear the setuid bit as well,
>> though.
> Hopefully, either clear it completely or drop root rights very early
> on in startup.
I hope it clears the bit -- I really don't like the fact that 'X :1'
screws with the display.
--Andy
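The thread turns on two separate facts: whether the setuid bit is set on the /usr/bin/Xorg binary, and which uid the already-running X server has (the bit only matters for servers started by an unprivileged caller). The script below is an added example, not code from the thread or from the Xorg or Fedora projects, that checks both. It assumes a Linux box with a stat(1) that accepts -c (GNU coreutils or busybox) and, for the running-server check only, procps pgrep/ps; the path /usr/bin/Xorg is the one named in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the setuid state of
# the X server binary and report who the running X server(s) actually run as.
# Assumptions: stat(1) supporting -c '%u %n' (GNU coreutils / busybox), and
# procps 'pgrep'/'ps' for xserver_uids. The path /usr/bin/Xorg is the thread's.

# setuid_state FILE
#   Prints "setuid owner-uid=N" when the set-user-ID bit is set (N is the
#   file owner's uid; N=0 means it runs as root for any caller),
#   "not setuid" when the bit is clear (exec keeps the caller's uid), or
#   "missing" when FILE does not exist (exit status 1).
setuid_state() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 1; }
    if [ -u "$f" ]; then
        echo "setuid owner-uid=$(stat -c '%u' "$f")"
    else
        echo "not setuid"
    fi
}

# list_setuid DIR
#   Prints every setuid file under DIR as "OWNER-UID PATH", so a system-wide
#   audit is 'list_setuid /usr/bin' and the X server shows up as "0 /usr/bin/Xorg".
list_setuid() {
    find "$1" -type f -perm -4000 -exec stat -c '%u %n' {} \;
}

# drop_setuid FILE
#   Clears the set-user-ID bit. This is the change proposed in the thread;
#   it needs write permission on FILE (root for /usr/bin/Xorg) and does not
#   change the uid of a server that a root process (e.g. a display manager
#   running as root) has already started or will start.
drop_setuid() {
    chmod u-s "$1"
}

# xserver_uids
#   Lists user, pid and command line of every running Xorg process. This is
#   what matters for an already-running server, whatever the bit on the binary.
xserver_uids() {
    pids=$(pgrep -x Xorg) || { echo "no X server running"; return 1; }
    ps -o user=,pid=,args= -p "$(printf '%s' "$pids" | tr '\n' ',')"
}

# Typical use on a real system (not run here):
#   setuid_state /usr/bin/Xorg
#   list_setuid /usr/bin
#   xserver_uids
#   drop_setuid /usr/bin/Xorg      # as root, then re-test your display manager
```

After drop_setuid, a display manager that starts Xorg inside the user session will fail to open the console devices, which is the breakage Hans predicts; one that starts it as root keeps working, and xserver_uids will still show uid 0 for that server.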