Should /usr/bin/Xorg (still) be setuid-root?

Andrew Lutomirski luto at mit.edu
Thu Jan 9 02:21:38 UTC 2014


On Wed, Jan 8, 2014 at 5:45 PM, Matthew Miller <mattdm at fedoraproject.org> wrote:
> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
>> /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
>> wondering whether there's any good reason for it to remain
>> setuid-root.
> [...]
>>  - Xorg is a giant attack surface.  Without setuid-root, only users
>> sitting in front of the keyboard can try to attack it.
>
> Like, for example:
>
>   http://lists.x.org/archives/xorg-announce/2014-January/002389.html
>   https://bugzilla.redhat.com/show_bug.cgi?id=1049569
>
> Perhaps this is what got you thinking about this?
>
>> Thoughts?  If people are generally in favor, I'll submit a change
>> proposal.  Despite the fact that the change would be a one-liner, it
>> seems like a systemwide change.
>> (On a related note: what's the F21 change proposal submission
>> deadline?  I can't find it anywhere.)
>
> No deadline yet -- go for it. You might also want to check into
> http://fedoraproject.org/wiki/Features/RemoveSETUID, which was a
> partially-successful effort to use capabilities instead of setuid across
> the system. (See for example /usr/bin/ping.)
>
> However, that was about reducing from full setuid to what is effectively
> partial setuid (and see the discussion; it's only really meaningful in some
> cases). Removing the setuid bit entirely is new, as far as I know.

Here it is:

https://fedoraproject.org/wiki/Changes/NonSetuidXorg

For amusement, try ssh-ing into a Fedora box that's sitting at the gdm
prompt and type 'X :1'.  IMO screwing with the box like that should
require some kind of privilege for users who aren't in front of the
keyboard.

--Andy
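
The three states discussed in this thread (full setuid-root, file capabilities as on /usr/bin/ping, and no privilege bit at all) can be told apart with a short audit. This is an added example, not part of the original message or of any Fedora tooling; the function names are hypothetical and the directory built in `demo()` is constructed sample input.

```python
import os
import stat
import tempfile

def classify(path):
    """Classify one file as setuid-root, setuid-other, file-caps or plain."""
    st = os.lstat(path)                      # lstat: do not follow symlinks
    if not stat.S_ISREG(st.st_mode):
        return "skip"
    if st.st_mode & stat.S_ISUID:
        # Runs with the owner's uid regardless of who executes it.
        return "setuid-root" if st.st_uid == 0 else "setuid-other"
    try:
        # File capabilities live in the security.capability xattr (Linux only).
        if hasattr(os, "getxattr") and os.getxattr(path, "security.capability"):
            return "file-caps"
    except OSError:
        pass                                 # no xattr, or fs lacks xattr support
    return "plain"

def audit(directory):
    """Return {filename: kind} for every privileged regular file in directory."""
    found = {}
    for name in sorted(os.listdir(directory)):
        try:
            kind = classify(os.path.join(directory, name))
        except OSError:
            continue                         # vanished or unreadable entry
        if kind not in ("plain", "skip"):
            found[name] = kind
    return found

def demo():
    """Audit a constructed directory: one setuid file, one ordinary file."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("fake-Xorg", 0o4755), ("fake-ls", 0o0755)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)             # owner may set setuid on own file
        return audit(d)

if __name__ == "__main__":
    print("constructed sample:", demo())
    for name, kind in audit("/usr/bin").items():
        print(f"{kind:12} /usr/bin/{name}")
```

Run directly, it lists every setuid or capability-bearing binary in /usr/bin, so a setuid-root Xorg appears next to a capability-only ping.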

