Author: Enrico Weigelt, metux IT consult
Date:  
To: dng
New topics: [Dng] Purpose of all this complicated device management?
Subject: Re: [Dng] Device management [WAS: system scriptinng language.]
On 31.12.2014 07:48, Jude Nelson wrote:

Hi,

> I think setuid combined with vdev presents an interesting possibility:
> what if we changed X from setuid-root to setuid-daemon (or
> setuid-nobody, or whatever), and used a variant of the above stanza to
> grant it access to the privileged device nodes it needs? This would
> allow X to run as a less-privileged user than even the user that started
> it, while ensuring that it can access the necessary device files. So,
> the setup would become as follows:

Actually, I think we should get rid of suid altogether.

Instead have separate users for individual X displays (or "seats"),
and give these users appropriate permissions to the required devices.
Then it would be the task of the display manager (or whoever starts
the X servers) to switch to the correct UID. The same entity would
be responsible for controlling the X auth tokens and socket locations.

> It is my understanding that the advent of KMS already allows X to run
> without privileges as long as it can access the right device files

I just had a little experiment: tried to run the X server as an
unprivileged user (after giving it access to devices, logfiles, etc.),
but still got permission denied (not for the open(), but for individual
ioctl()s), and it left the ttys in a broken state (console lockup when
switching there).

Linux version 3.13.0-39-generic (buildd@roseapple) (gcc version 4.8.2
(Ubuntu 4.8.2-19ubuntu1) ) #66-Ubuntu SMP Tue Oct 28 13:31:23 UTC 2014

Seems it doesn't work properly yet (at least on my kernel version).

cu
--
Enrico Weigelt,
metux IT consulting
+49-151-27565287
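One piece a display manager would need for the per-seat-user scheme proposed above is a check that the seat account can actually open the device nodes before it switches UID and starts the X server. The following is an added example, not code from this post or from vdev; the account name `xseat0` and the device list are constructed, it evaluates only classic owner/group/other mode bits (POSIX ACLs are ignored), and, as the post's experiment shows, a permitted open() does not imply that every ioctl() will succeed.

```python
"""Audit which device nodes a per-seat X user can open (mode bits only)."""
import grp
import os
import pwd
import stat


def user_groups(user: str) -> set:
    """Primary plus supplementary group IDs of `user`."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return gids


def can_access(path, uid, gids, want_read=True, want_write=True) -> bool:
    """True if `uid` (a member of `gids`) may open `path` as requested."""
    st = os.stat(path)
    if uid == 0:
        return True  # root bypasses DAC mode bits
    if st.st_uid == uid:
        r, w = st.st_mode & stat.S_IRUSR, st.st_mode & stat.S_IWUSR
    elif st.st_gid in gids:
        r, w = st.st_mode & stat.S_IRGRP, st.st_mode & stat.S_IWGRP
    else:
        r, w = st.st_mode & stat.S_IROTH, st.st_mode & stat.S_IWOTH
    return (bool(r) or not want_read) and (bool(w) or not want_write)


def audit_seat(user: str, devices) -> dict:
    """Map each device path to 'ok', 'denied' or 'missing' for `user`."""
    pw = pwd.getpwnam(user)
    gids = user_groups(user)
    result = {}
    for dev in devices:
        if not os.path.exists(dev):
            result[dev] = "missing"
        else:
            result[dev] = "ok" if can_access(dev, pw.pw_uid, gids) else "denied"
    return result


if __name__ == "__main__":
    # Constructed example: nodes an X server on seat0 typically needs.
    SEAT_DEVICES = ["/dev/dri/card0", "/dev/input/event0", "/dev/tty7"]
    try:
        for dev, state in audit_seat("xseat0", SEAT_DEVICES).items():
            print(f"{dev}: {state}")
    except KeyError as exc:  # hypothetical account not present on this host
        print(f"unknown user: {exc}")
```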