Retrying revoke()
Posted Apr 11, 2013 11:23 UTC (Thu) by cavok (subscriber, #33216)
In reply to: Retrying revoke() by butlerm
Parent article: Retrying revoke()
Posted Apr 11, 2013 16:06 UTC (Thu)
by nix (subscriber, #2304)
[Link] (9 responses)
Personally I'm hoping this will *finally* let us have a non-root X server :}
Posted Apr 11, 2013 16:20 UTC (Thu)
by apoelstra (subscriber, #75205)
[Link] (8 responses)
Can you elaborate on this? I've been running 'startx' as an unprivileged user for a couple years and haven't noticed anything awful happening.
Posted Apr 11, 2013 16:39 UTC (Thu)
by walters (subscriber, #7396)
[Link] (5 responses)
(Note: this is a huge attack surface, and at least in e.g. gnome-ostree I simply don't make Xorg setuid, and don't ship startx; you have to log in via GDM)
Posted Apr 13, 2013 19:32 UTC (Sat)
by guillemj (subscriber, #49706)
[Link] (4 responses)
If that's a Debian-based distribution, then the X binary is just a pretty small setuid wrapper that checks if the user can invoke the real non-setuid Xorg binary based off some policies from a wrapper-specific configuration file.
<http://anonscm.debian.org/gitweb/?p=pkg-xorg/debian/xorg.git;...>
> (Note: this is a huge attack surface, and at least in e.g. gnome-ostree I simply don't make Xorg setuid, and don't ship startx; you have to log in via GDM)
Doesn't GDM also run as root, and consequently also the executed Xorg process?
Posted Apr 13, 2013 19:35 UTC (Sat)
by apoelstra (subscriber, #75205)
[Link] (1 responses)
I'm running Fedora -- if I remove the setuid bit, X won't start because it lacks permission to hijack a tty. (Maybe I can fix this, but I don't know how. There are so many special groups on modern desktops..)
Posted Apr 14, 2013 12:36 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link]
On a related note, that's the reason why a systemd --user session doesn't work right now: I get denied taking over the TTY, but I can't use a different TTY because PolicyKit denies nice things like suspend and shutdown.
Posted Apr 15, 2013 16:31 UTC (Mon)
by walters (subscriber, #7396)
[Link] (1 responses)
You are also conflating the setuid bit on Xorg with running as root - these are two independent things.
Posted Apr 21, 2013 19:07 UTC (Sun)
by guillemj (subscriber, #49706)
[Link]
I was referring to apoelstra's or nix's systems but anyway, nice to know. :)
> You are also conflating the setuid bit on Xorg with running as root - these are two independent things.
Not really. You mentioned that Xorg is running as root because it's setuid root, and that this was a "huge attack surface", without specifying which part. So while I agree making the full-blown Xorg setuid root is an attack vector, to me it's just tiny (because it's easy to avoid with the Debian wrapper for example) in comparison to running the X server as root, which I assume is still the case with something like GDM. The whole point of this subthread was the possibility of being able to finally run the X server as non-root, which would get rid of the actual (IMO) huge attack surface.
Posted Apr 11, 2013 16:40 UTC (Thu)
by dark (guest, #8483)
[Link] (1 responses)
Posted Apr 13, 2013 9:55 UTC (Sat)
by mlankhorst (subscriber, #52260)
[Link]
I haven't figured out how to close the mmap race there, but for the revoke case it might be important.
> Personally I'm hoping this will *finally* let us have a non-root X server :}
The sad truth:
-rwsr-sr-x 1 root root 14256 Mar 3 2012 /usr/bin/X