Should /usr/bin/Xorg (still) be setuid-root?

Andrew Lutomirski luto at
Thu Jan 9 02:21:38 UTC 2014

On Wed, Jan 8, 2014 at 5:45 PM, Matthew Miller <mattdm at> wrote:
> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
>> /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
>> wondering whether there's any good reason for it to remain
>> setuid-root.
> [...]
>>  - Xorg is a giant attack surface.  Without setuid-root, only users
>> sitting in front of the keyboard can try to attack it.
> Like, for example:
> Perhaps this is what got you thinking about this?
>> Thoughts?  If people are generally in favor, I'll submit a change
>> proposal.  Despite the fact that the change would be a one-liner, it
>> seems like a systemwide change.
>> (On a related note: what's the F21 change proposal submission
>> deadline?  I can't find it anywhere.)
> No deadline yet -- go for it. You might also want to check into
>, which was a
> partially-successful effort to use capabilities instead of setuid across
> the system. (See for example /usr/bin/ping.)
> However, that was about reducing from full setuid to what is effectively
> partial setuid (and see the discussion; it's only really meaningful in some
> cases). Removing the setuid bit entirely is new, as far as I know.

Here it is:

For amusement, try ssh-ing into a Fedora box that's sitting at the gdm
prompt and type 'X :1'.  IMO screwing with the box like that should
require some kind of privilege for users who aren't in front of the


More information about the devel mailing list