Should /usr/bin/Xorg (still) be setuid-root?

Andrew Lutomirski luto at mit.edu
Thu Jan 9 20:52:46 UTC 2014


On Thu, Jan 9, 2014 at 11:43 AM, Hans de Goede <hdegoede at redhat.com> wrote:
> Hi,
>
>
> On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
>>
>> On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer <peter.hutterer at who-t.net>
>> wrote:
>>>
>>> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
>>>>
>>>> /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
>>>> wondering whether there's any good reason for it to remain
>>>> setuid-root.
>>>
>>>
>>> http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
>>
>>
>> This isn't actually the same thing.  That proposal suggests running
>> Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
>> binary, which will have no effect on the uid of the running server.
>> (Of course, my suggestion will interact w/ that change, since the
>> process that starts Xorg will no longer be root.)
>
>
> I don't think that that will be very useful, it will likely cause more
> breakage then you think, as various display-managers may already start
> Xorg inside the user session, at which point the suid bit is needed,
> and as you already said it will break xinit and friends.

This is an empirical question :)  gdm on F20, at least, can still
switch users with the setuid bit cleared.  I'll try to test some more
display managers.

>
> Besides that almost every Fedora system already has a copy of the X
> server running as root ready to be exploited. The attack service of
> X is not its cmdline or attacks through environment settings
> (2 vectors your suggestion would close), but rather the gargantuan
> API it exposes over the X protocol itself.
>

There's currently a big attack surface if I run some daemon that gets
remotely pwned -- the attacker could start a brand new X server and
try to exploit it.  On the other hand, they'd have a much more limited
attack surface against the already running daemon, because they'll
have trouble getting past the X authentication checks.

>
>> It may be that XorgWithoutRootRights will clear the setuid bit as well,
>> though.
>
>
> Hopefully, either clear it completely or drop root rights very early
> on on startup.

I hope it clears the bit -- I really don't like the fact that 'X :1'
screws with the display.

--Andy


More information about the devel mailing list