Should /usr/bin/Xorg (still) be setuid-root?

Hans de Goede hdegoede at redhat.com
Thu Jan 9 19:43:01 UTC 2014


Hi,

On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
> On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer <peter.hutterer at who-t.net> wrote:
>> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
>>> /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
>>> wondering whether there's any good reason for it to remain
>>> setuid-root.
>>
>> http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
>
> This isn't actually the same thing.  That proposal suggests running
> Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
> binary, which will have no effect on the uid of the running server.
> (Of course, my suggestion will interact w/ that change, since the
> process that starts Xorg will no longer be root.)

I don't think that that will be very useful, it will likely cause more
breakage than you think, as various display-managers may already start
Xorg inside the user session, at which point the suid bit is needed,
and as you already said it will break xinit and friends.

Besides that almost every Fedora system already has a copy of the X
server running as root ready to be exploited. The attack surface of
X is not its cmdline or attacks through environment settings
(2 vectors your suggestion would close), but rather the gargantuan
API it exposes over the X protocol itself.

> It may be that XorgWithoutRootRights will clear the setuid bit as well, though.

Hopefully, either clear it completely or drop root rights very early
on at startup.

Regards,

Hans
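
The thread separates two things: the setuid bit on /usr/bin/Xorg, and the uid the running server actually holds. The following audit sketch is an added example, not part of the original message or of Xorg; it checks both on a Linux host, and the process names "Xorg" and "X" and the sample status excerpts are assumptions constructed for illustration.

```python
import os
import stat

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
# The Uid: fields are real, effective, saved-set and filesystem uid.
SAMPLE_ROOT = "Name:\tXorg\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
SAMPLE_TEMP_DROP = "Name:\tXorg\nUid:\t1000\t1000\t0\t1000\n"
SAMPLE_FULL_DROP = "Name:\tXorg\nUid:\t1000\t1000\t1000\t1000\n"


def is_setuid_root(st_mode, st_uid):
    """True when a file mode has the setuid bit and the owner is uid 0."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0


def parse_uids(status_text):
    """Return (real, effective, saved, fs) uids from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            fields = line.split()[1:5]
            if len(fields) != 4:
                break
            return tuple(int(f) for f in fields)
    raise ValueError("no usable Uid: line in status text")


def privilege_state(uids):
    """Classify a process by whether it holds, or can regain, uid 0."""
    real, effective, saved, _fs = uids
    if effective == 0:
        return "root"
    if real == 0 or saved == 0:
        return "root-recoverable"  # seteuid(0) would still succeed
    return "unprivileged"


def audit(binary="/usr/bin/Xorg", names=("Xorg", "X")):
    """Report the binary's setuid state and the uid state of each running server."""
    report = {"binary_setuid_root": None, "servers": {}}
    if os.path.exists(binary):
        st = os.stat(binary)
        report["binary_setuid_root"] = is_setuid_root(st.st_mode, st.st_uid)
    pids = os.listdir("/proc") if os.path.isdir("/proc") else []
    for pid in filter(str.isdigit, pids):
        try:
            with open(f"/proc/{pid}/status") as fh:
                text = fh.read()
            if text.split("\n", 1)[0].split("\t")[-1] in names:
                report["servers"][int(pid)] = privilege_state(parse_uids(text))
        except (OSError, ValueError):
            continue  # process exited or status unreadable
    return report
```

A server reported as "root" while `binary_setuid_root` is false is the case described in the quoted reply: the bit is gone but the process was started by root. The check looks only at uids and does not inspect Linux capabilities.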

