|
|
Subscribe / Log in / New account

An ancient kernel hole is closed

An ancient kernel hole is closed

Posted Aug 18, 2010 23:07 UTC (Wed) by einstein (subscriber, #2052)
Parent article: An ancient kernel hole is closed

All the more reason for making the X server run as non-root.

to post comments

An ancient kernel hole is closed

Posted Aug 18, 2010 23:12 UTC (Wed) by arjan (subscriber, #36785) [Link] (4 responses)

Various distributions (MeeGo at least) already does this....

ask your own distro why they don't do this yet I suppose...

An ancient kernel hole is closed

Posted Aug 18, 2010 23:32 UTC (Wed) by cesarb (subscriber, #6266) [Link]

Probably because of legacy drivers which do not use kernel modesetting, or to be able to use X with kernel modesetting disabled (for the drivers which can run either with or without kernel modesetting).

I wonder which restrictions xserver_t has on selinux. If it is restricted enough, it is possible that, even if you can inject code on Xorg running as root, you cannot do much without having to first do DMA tricks to break out of it.

It might be an interesting exercise to make Xorg drop even more permissions (by changing for instance to a xserver_kms_t which cannot touch the hardware) when kernel modesetting is enabled (while keeping the ability to run without kernel modesetting by simply not dropping the extra permissions).

An ancient kernel hole is closed

Posted Aug 19, 2010 0:12 UTC (Thu) by HelloWorld (guest, #56129) [Link] (1 responses)

As far as I know, rootless X requires kernel mode setting, which causes all kinds of breakage on my system at least (e. g. suspend-to-ram doesn't work any longer, xvideo breaks, 3D performance is absymal).

An ancient kernel hole is closed

Posted Aug 19, 2010 8:45 UTC (Thu) by epa (subscriber, #39769) [Link]

For a moment there I thought 'rootless X' must refer to running the X server without a root window - as commonly done with X servers such as Xming on Microsoft Windows. But you meant 'running the X server as a non-root user'.

An ancient kernel hole is closed

Posted Aug 19, 2010 22:26 UTC (Thu) by nix (subscriber, #2304) [Link]

The lack of any way to revoke() other users of the input devices, I understand.

An ancient kernel hole is closed

Posted Aug 20, 2010 0:11 UTC (Fri) by cmccabe (guest, #60281) [Link] (1 responses)

> All the more reason for making the X server run as non-root.

OpenBSD uses privilege separation in its port of X.org.

I wonder if, with kernel modesetting, a totally non-root X.org will ever be possible. Or an selinux-sandboxed one, for that matter.

An ancient kernel hole is closed

Posted Aug 20, 2010 1:30 UTC (Fri) by drag (guest, #31333) [Link]

Well as long as your using decent open source video drivers then your X Server can run as just a regular application _right_now_, rather then some monster that needs to fiddle with bits on your PCI bus like is traditionally needed.

It's certainly and absolutely possible.

But it probably breaks most closed source drivers so development is going to continue to be painfully slow.

There are probably a lots of problems with it, like was mentioned above with input devices, but it's absolutely possible that at some time we can have a non-root-privileged X. But people do have it working in a more-or-less fashion.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds