On 170917-21:39+0100, Antony Stone wrote:
> On Sunday 17 September 2017 at 21:30:16, Adam Borowski wrote:
>
> > With KVM, there's no need for X to run as root.
>
> I don't see the connection between these two - are you talking about the
> virtualisation framework and the graphical windowing environment?
>
> Unless I've got my abbreviations screwed up, please elaborate on your comment?
...
> Antony.
Here's a paste, verbatim, a little abbreviated:
Date: Fri, 23 Jun 2017 23:27:11 +0000 (UTC)
From root@localdomain Fri Jun 23 23:27:12 2017
From: root <root@localdomain>
To: root@localdomain
Subject: apt-listchanges: news for gdOv
xorg-server (2:1.18.3-2) unstable; urgency=medium
...
xorg-server (2:1.17.3-1) unstable; urgency=medium
The Xorg server is no longer setuid root by default. This change reduces the
risk of privilege escalation due to X server bugs, but has some side effects:
  * it relies on logind and libpam-systemd
  * it relies on a kernel video driver (so the userspace component doesn't
    touch the hardware directly)
  * it needs X to run on the virtual console (VT) it was started from
  * it changes the location for storing the Xorg log from /var/log/ to
    ~/.local/share/xorg/
On systems where those are not available, the new xserver-xorg-legacy package
is needed to allow X to run with elevated privileges. See the
Xwrapper.config(5) manual page for configuration details.
-- Julien Cristau <jcristau@???> Tue, 27 Oct 2015 22:54:11 +0000
End of paste.
I just couldn't get my (now AMD) ATI cards to work without xserver-xorg-legacy,
i.e. without following what fsmithred writes in his replies to this very topic
(quoted manually):
> - install xserver-xorg-legacy
> - [if no display manager] add needs_root_rights=yes to
> /etc/X11/Xwrapper.config
And it does mean running Xorg as root! And it is vulnerable, as Adam Borowski
suggests!
Here's what the masters of Linux security, second to none (spender and the PaX
Team), put in the help text for it
(a complete paste, but the Unicode drawing characters are replaced with a poor
ASCII substitute, out of concern for mail agents/web clients representing them poorly):
.config - Linux/x86 4.9.50 Kernel Configuration
> Security options > Grsecurity > Customize Configuration > Memory Protections --------
.--------------------------------- Disable privileged I/O ---------------------------.
| CONFIG_GRKERNSEC_IO: |
| |
| If you say Y here, all ioperm and iopl calls will return an error. |
| Ioperm and iopl can be used to modify the running kernel. |
| Unfortunately, some programs need this access to operate properly, |
| the most notable of which are XFree86 and hwclock. hwclock can be |
| remedied by having RTC support in the kernel, so real-time |
| clock support is enabled if this option is enabled, to ensure |
| that hwclock operates correctly. If hwclock still does not work, |
| either update udev or symlink /dev/rtc to /dev/rtc0. |
| |
| If you're using XFree86 or a version of Xorg from 2012 or earlier, |
| you may not be able to boot into a graphical environment with this |
| option enabled. In this case, you should use the RBAC system instead. |
| |
| Symbol: GRKERNSEC_IO [=n] |
| Type : boolean |
| Prompt: Disable privileged I/O |
| Location: |
| -> Security options |
| -> Grsecurity |
| -> Grsecurity (GRKERNSEC [=y]) |
| -> Customize Configuration |
| -> Memory Protections |
| Defined at grsecurity/Kconfig:44 |
| Depends on: GRKERNSEC [=y] && X86 [=y] |
| Selects: RTC_CLASS [=y] && RTC_INTF_DEV [=y] && RTC_DRV_CMOS [=y] |
.-----------------------------------------------------------------------------( 99%)-.
| < Exit > |
.------------------------------------------------------------------------------------.
I could only start Xorg after I disabled GRKERNSEC_IO, as shown above:
Symbol: GRKERNSEC_IO [=n]
And it does run as root!... I saw it in the logs (and in the grsecurity feature
exec_logging, which is as good in minipli's unofficial grsecurity (read further
below) as ever! grsecurity logs it running as 1000/0, where 1000 is me, the
normal user, and 0 is, of course, root)... It does run as root!... Bad!
This post has the discussion (and it was fsmithred who made it plain to me that
legacy was often the sole option):
xserver no start w/ ATI(AMD) card, xserver-org 1.19.3-1 [PARTLY SOLVED
https://dev1galaxy.org/viewtopic.php?id=781
---
BTW, if I may ask here about an issue that I posted about on dev1galaxy:
Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598
(which would be too long to explain here; a summary is too difficult in a few words)
But does anybody have a clue what that strange exec frenzy there is about?
It puzzles me to bewilderment!
I have also posted some (I hope) useful posts these days about grsecurity, which
is being developed fine (parazyd also contributing), at:
Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596
---
Ah, and I almost forgot... the useful trick that allowed me to transition from
pretty much Stretch (I started with Devuan Jessie, but for the missing FFmpeg and
MPlayer/Mencoder I built on from Stretch) back over to Devuan Ascii, which has been
running just fine on all my machines for months now (with Svante's OpenRC, and
enjoying it :) ).
The useful trick is Svante's/Katolaz's one from months ago now. Read it at:
[Solved] Conversion from Debian Stretch to Devuan Ascii
https://dev1galaxy.org/viewtopic.php?id=662
I'm currently moderated. To avoid a wait of unknown duration, maybe some of you
can reply with a full quote of my email, perhaps by sending a fully forwarded
copy of it? Thanks!
Regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
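As an added example (not part of Miroslav's mail, nor code from Debian, Devuan or xorg-server), here is a small POSIX shell helper that does the check the thread makes by hand: whether the setuid wrapper shipped by xserver-xorg-legacy is present, what needs_root_rights in Xwrapper.config resolves to (yes, no, or the default auto), and which user actually owns the running X server. The paths /usr/lib/xorg/Xorg.wrap and /etc/X11/Xwrapper.config are assumed Debian/Devuan defaults, and the one-line verdicts are this script's own reading of Xwrapper.config(5), not text from the manual page.

```shell
#!/bin/sh
# xorg-root-audit.sh: added example, not code from the mail or from Debian/Devuan.
# Answers "does Xorg on this box run as root?" the way the thread does by hand.
#
# Assumptions (not stated in the mail; Debian/Devuan defaults):
#   WRAP_DEFAULT: the setuid wrapper installed by xserver-xorg-legacy
#   CFG_DEFAULT:  the file Xwrapper.config(5) reads
WRAP_DEFAULT=/usr/lib/xorg/Xorg.wrap
CFG_DEFAULT=/etc/X11/Xwrapper.config

# Print the effective needs_root_rights value from an Xwrapper.config file:
# "yes", "no" or "auto". Comments (#) are stripped, whitespace around '='
# is ignored, the last assignment wins, and a missing file yields the
# documented default, auto.
xwrapper_root_rights() {
    file=$1
    val=auto
    [ -r "$file" ] || { echo "$val"; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in
            *needs_root_rights*=*)
                key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
                v=$(printf '%s' "${line#*=}" | tr -d ' \t')
                [ "$key" = needs_root_rights ] && val=$v
                ;;
        esac
    done < "$file"
    echo "$val"
}

# "yes" if the path exists with the setuid bit, else "no" (also "no" when
# xserver-xorg-legacy is not installed and the wrapper is simply absent).
is_setuid() {
    if [ -u "$1" ]; then echo yes; else echo no; fi
}

# One-line verdict from the two facts above. Without a setuid wrapper the
# config cannot grant root at all; with it, yes/no are explicit and auto
# leaves the decision to the wrapper at each start (my reading of the man
# page: root when no KMS driver is found).
xorg_root_verdict() {
    suid=$1; rights=$2
    if [ "$suid" = no ]; then
        echo "no setuid wrapper: Xorg runs as the invoking user"
    elif [ "$rights" = yes ]; then
        echo "legacy mode: Xorg runs as root for every user"
    elif [ "$rights" = no ]; then
        echo "wrapper drops privileges: Xorg runs as the invoking user"
    else
        echo "auto: wrapper decides per start; confirm in the Xorg log"
    fi
}

# Users owning a running X server (read-only; empty when none is running).
running_xorg_owners() {
    ps -eo user=,comm= 2>/dev/null | awk '$2 == "Xorg" || $2 == "X" { print $1 }' | sort -u
}

audit_xorg() {
    wrap=${1:-$WRAP_DEFAULT}; cfg=${2:-$CFG_DEFAULT}
    suid=$(is_setuid "$wrap")
    rights=$(xwrapper_root_rights "$cfg")
    echo "wrapper $wrap setuid: $suid"
    echo "needs_root_rights ($cfg): $rights"
    echo "verdict: $(xorg_root_verdict "$suid" "$rights")"
    owners=$(running_xorg_owners)
    if [ -n "$owners" ]; then echo "running X server owned by: $owners"; fi
}

# Usage: sh xorg-root-audit.sh --audit [wrapper-path] [config-path]
if [ "${1:-}" = --audit ]; then shift; audit_xorg "$@"; fi
```

On a box set up as the mail describes (xserver-xorg-legacy installed, needs_root_rights=yes), the verdict line is the "legacy mode" one and the owners line shows root, which is exactly what the 1000/0 exec_logging entries in the mail record; on a stock Stretch/Ascii install with a KMS driver the wrapper is absent and the verdict is the first one.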