RFC: what to do with ums when the X server is not suid root ?

Peter Robinson pbrobinson at gmail.com
Mon Jan 20 09:16:14 UTC 2014


> As indicated here:
> https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
>
> I'm working on making the X server run as a regular user. I actually have
> this pretty much working.
>
> So now it is time to start looking into some of the corner cases, or rather
> at the elephant in the room. What about non-kms drivers? We still have the
> vesa driver around as most prominent example, and this is useful for some
> oddball cards and for cards which are too new.
>
> I would like to not break the vesa driver, while still killing the suid bit
> on the X server.
>
> I'm currently thinking about implementing the following solution:
>
> 1) Make the X server a regular binary without any special rights
>
> 2) Implement a small suid root wrapper which gets the Xorg name and
> launches the real Xorg binary.
>
> This wrapper will search for kms capable cards and if one is found drop
> all root rights before executing the real Xorg binary. If no kms capable
> cards are found it will execute the real Xorg binary with root rights.
>
> 3) Put this wrapper in a separate package, make it part of comps so it
> will get installed by default, but don't depend on it in any packages
> so that security sensitive users can simply do
> "rpm -e xorg-x11-server-suid-helper"
>
> I'm not 100% sold on my own idea yet. The whole idea of dropping the suid
> bit is to remove the rather large attack surface the xserver offers. With
> the helper for people running kms that attack surface is reduced to a quite
> small, easily audited helper. But for people without kms nothing changes.
> On x86 most users will fall in the with kms category, but what about i.e.
> ARM?

At the moment on ARM most devices that have X use the
xorg-x11-drv-modesetting driver which I believe uses the KMS kernel
drivers so I'm presuming we'll be OK on that front. The other two that
are in use are xorg-x11-drv-armsoc (currently supported via the
DRM_EXYNOS module, in theory can support other Mali GPUs) and
xorg-x11-drv-omap (DRM_OMAP) which I believe also use the equivalent
KMS drivers but I might be wrong there.

Moving forward I can't see any new ARM devices not supporting KMS as I
doubt they'll get accepted into the mainline kernel without it.

Peter

