On 2020-09-22 11:10, Steve Litt wrote:
> Second, a more security-respecting solution is there might be a group,
> to which your users can belong, that allows them to run X. Perhaps
> group video ??? I just looked at /usr/bin/Xorg on my Void box and it's
> not suid anything. I performed some ls commands that show no suid
> owner, group or everyone that pertain to X:
Unfortunately, I don't think this will help.
The problem is not just file system accesses, but specialized ioctl
system calls, which are reserved for root. They were supposed to be
cleaned up with the switch to kernel side modesetting (KMS), but some
remain. And to make this even more opaque and frustrating, this depends
on the driver used, hence on the hardware.
This is the only reason why I use xdm. I feel that between xdm and a
setuid Xorg, the former is the lesser evil when configured right,
i.e. listening only on a unix socket.
This (longish) sub-thread from my gentoo days may be relevant:
https://archives.gentoo.org/gentoo-user/message/15777398d780425417e5f5414dc903c1
--
Ian