Retrying revoke()
Posted Apr 13, 2013 19:32 UTC (Sat) by guillemj (subscriber, #49706)
In reply to: Retrying revoke() by walters
Parent article: Retrying revoke()
If that's a Debian-based distribution, then the X binary is just a pretty small setuid wrapper that checks if the user can invoke the real non-setuid Xorg binary based off some policies from a wrapper-specific configuration file.
<http://anonscm.debian.org/gitweb/?p=pkg-xorg/debian/xorg.git;...>
> (Note: this is a huge attack surface, and at least in e.g. gnome-ostree I simply don't make Xorg setuid, and don't ship startx; you have to log in via GDM)
Doesn't GDM also run as root, and consequently also the executed Xorg process?
Posted Apr 13, 2013 19:35 UTC (Sat)
by apoelstra (subscriber, #75205)
I'm running Fedora -- if I remove the setuid bit, X won't start because it lacks permission to hijack a tty. (Maybe I can fix this, but I don't know how. There are so many special groups on modern desktops..)
Posted Apr 14, 2013 12:36 UTC (Sun)
by mathstuf (subscriber, #69389)
On a related note, that's the reason why a systemd --user session doesn't work right now: I get denied taking over the TTY, but I can't use a different TTY because PolicyKit denies nice things like suspend and shutdown.
Posted Apr 15, 2013 16:31 UTC (Mon)
by walters (subscriber, #7396)
You are also conflating the setuid bit on Xorg with running as root - these are two independent things.
Posted Apr 21, 2013 19:07 UTC (Sun)
by guillemj (subscriber, #49706)
I was referring to apoelstra's or nix's systems but anyway, nice to know. :)
> You are also conflating the setuid bit on Xorg with running as root - these are two independent things.
Not really. You mentioned that Xorg is running as root because it's setuid root, and that this was a "huge attack surface", without specifying which part. So while I agree making the full-blown Xorg setuid root is an attack vector, to me it's just tiny (because it's easy to avoid with the Debian wrapper for example) in comparison to running the X server as root, which I assume is still the case with something like GDM. The whole point of this subthread was the possibility of being able to finally run the X server as non-root, which would get rid of the actual (IMO) huge attack surface.