RFC: what to do with ums when the X server is not suid root ?

Hans de Goede hdegoede at redhat.com
Mon Jan 20 10:02:10 UTC 2014


Hi,

On 01/20/2014 10:16 AM, Peter Robinson wrote:
>> As indicated here:
>> https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
>>
>> I'm working on making the X server run as a regular user. I actually have
>> this pretty much working.
>>
>> So now it is time to start looking into some of the corner cases, or rather
>> at the elephant in the room. What about non-kms drivers? We still have the
>> vesa driver around as most prominent example, and this is useful for some
>> oddball cards and for cards which are too new.
>>
>> I would like to not break the vesa driver, while still killing the suid bit
>> on the X server.
>>
>> I'm currently thinking about implementing the following solution:
>>
>> 1) Make the X server a regular binary without any special rights
>>
>> 2) Implement a small suid root wrapper which gets the Xorg name and
>> launches the real Xorg binary.
>>
>> This wrapper will search for kms capable cards and if one is found drop
>> all root rights before executing the real Xorg binary. If no kms capable
>> cards are found it will execute the real Xorg binary with root rights.
>>
>> 3) Put this wrapper in a separate package, make it part of comps so it
>> will get installed by default, but don't depend on it in any packages
>> so that security sensitive users can simply do
>> "rpm -e xorg-x11-server-suid-helper"
>>
>> I'm not 100% sold on my own idea yet. The whole idea of dropping the suid bit
>> is to remove the rather large attack surface the xserver offers. With the
>> helper for people running kms that attack surface is reduced to a quite small,
>> easily audited helper. But for people without kms nothing changes. On x86
>> most users will fall in the with kms category, but what about ie ARM?
>
> At the moment on ARM most devices that have X use the
> xorg-x11-drv-modesetting driver which I believe uses the KMS kernel
> drivers so I'm presuming we'll be OK on that front. The other two that
> are in use are xorg-x11-drv-armsoc (currently supported via the
> DRM_EXYNOS module, in theory can support other Mali GPUs) and
> xorg-x11-drv-omap (DRM_OMAP) which I believe also use the equivalent
> KMS drivers but I might be wrong there.
>
> Moving forward I can't see any new ARM devices not supporting KMS as I
> doubt they'll get accepted into the mainline kernel without it.

So maybe we should not build, nor install, the helper for ARM at all ?

We likely either have kms or in some (respin) cases fbdev there, neither
of which will need root rights.

And the same likely goes for other non x86 archs, so maybe the helper
should be an x86 only thing, for vesa (or other ums driver) support on
oddball + very new cards ?

Regards,

Hans

