RFC: what to do with ums when the X server is not suid root ?
Hans de Goede
hdegoede at redhat.com
Mon Jan 20 09:08:01 UTC 2014
As indicated here:
I'm working on making the X server run as a regular user. I actually have this
pretty much working.
So now it is time to start looking into some of the corner cases, or rather at
the elephant in the room. What about non-kms drivers. We still have the vesa
driver around as most prominent example, and this is useful for some oddball
cards and for cards which are too new.
I would like to not break the vesa driver, while still killing the suid bit on
the X server.
I'm currently thinking about implementing the following solution:
1) Make the X server a regular binary without any special rights
2) Implement a small suid root wrapper which gets the Xorg name and
launches the real Xorg binary.
This wrapper will search for kms capable cards and if one is found drop
all root rights before executing the real Xorg binary. If no kms capable
cards are found it will execute the real Xorg binary with root rights.
3) Put this wrapper in a separate package, make it part of comps so it
will get installed by default, but don't depend on it in any packages
so that security sensitive users can simply do
"rpm -e xorg-x11-server-suid-helper"
I'm not 100% sold on my own idea yet. The whole idea of dropping the suid bit
is to remove the rather large attack surface the xserver offers. With the
helper for people running kms that attack surface is reduced to a quite small,
easily audited helper. But for people without kms nothing changes. On x86
most users will fall in the with kms category, but what about ie ARM?
More information about the devel