Should /usr/bin/Xorg (still) be setuid-root?

Peter Hutterer peter.hutterer at who-t.net
Wed Jan 8 22:58:00 UTC 2014


On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> wondering whether there's any good reason for it to remain
> setuid-root.

http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights

Cheers,
   Peter

> 
> Some arguments for setuid-root:
>  - People who still use startx or similar scripts need it.
>  - It's vaguely useful for testing xorg.conf changes.
> 
> Some arguments for clearing the setuid-root bit:
>  - People who use display managers (i.e. almost everyone) don't need
> it to be setuid-root.
>  - Xorg is a giant attack surface.  Without setuid-root, only users
> sitting in front of the keyboard can try to attack it.
> 
> I suspect that most people would notice the difference if
> xorg-x11-server-Xorg got rid of the setuid-root bit.
> 
> Another option would be to only let users in a new xorg group run Xorg
> and to keep it setuid-root.
> 
> Thoughts?  If people are generally in favor, I'll submit a change
> proposal.  Despite the fact that the change would be a one-liner, it
> seems like a systemwide change.
> 
> (On a related note: what's the F21 change proposal submission
> deadline?  I can't find it anywhere.)
> 
> --Andy

