I was able to run xorg as non-root, and without giving it too many privileges, using POSIX capabilities; however, without OpenGL. With an open-source driver and KMS even OpenGL should work:

  chmod -s /usr/bin/Xorg
  setcap cap_sys_rawio=ep /usr/bin/Xorg
  mknod -m660 /dev/nvidia0 c 195 0
  mknod -m660 /dev/nvidiactl c 195 255
  chgrp video /dev/nvidia{0,ctl} /dev/tty{0,2} /dev/input/event?
  chmod 660 /dev/tty{0,2} /dev/input/event?

What's your opinion?

Reproducible: Always
*** Bug 447770 has been marked as a duplicate of this bug. ***
Patch from attachment 332690 [details, diff] would be ok with me.
(In reply to comment #2) if no one complains, i'll go ahead and commit that in a bit
I would very much like to see this useflag going in. I was still wondering what was still forcing the need for suid now that KMS is rather widespread. This useflag would also be useful for x11-wm/xpra, as seen in Bug 440606. One nit about the proposed patch: you changed the comment "--enable-install-setuid needed because sparcs default off" about this always-enabled configure option to one about a useflag. I think that comment is now wrong, even if I agree with defaulting to +suid so as not to change the current behavior. It seems that the original comment meant that the xorg configure was defaulting to not setting the suid bit on sparc. But now this default from the configure will never be relevant, because the ebuild will always enable/disable this feature on the basis of the useflag. And there is nothing in the gentoo tree (that I can find) that would give sparc a different default than everyone else. So I would suggest just dropping the comment instead of moving it.
should be all set now in the tree; thanks for the report! Commit message: Add USE=suid support by John Sheu from ChromiumOS http://sources.gentoo.org/x11-base/xorg-server/xorg-server-1.13.0-r1.ebuild?r1=1.11&r2=1.12
But now, even with KMS, USE="-suid" does not work without the additional commands from comment 0. What about adding some ewarn or einfo to the ebuild? Also, why not run 'setcap cap_sys_rawio=ep /usr/bin/Xorg' in the ebuild? And what about fixing the /dev/ permissions?
(In reply to comment #6) > Also why not run 'setcap cap_sys_rawio=ep /usr/bin/Xorg' in ebuild? This requires an ext4 filesystem with CONFIG_EXT4_FS_SECURITY enabled (or SELinux, I guess). By the way, does the proposed approach work *only* with KMS Xorg drivers?
"WorksForMe" as-is on two systems. Both have KMS, keyboard+mouse work fine, 3D acceleration is still working. One is using radeon+r600g, the other Intel's driver. cap_sys_rawio and the other commands might only be needed for the nvidia blob. I think the binary drivers also can't do KMS, so I would expect more trouble with these.
(In reply to comment #8) > "WorksForMe" as-is on two systems. Both have KMS, keyboard+mouse work fine, > 3D acceleration still working. One is using radeon+r600g, the other intels > driver. Check whether X is started as root on your system. When starting with "startx", you would at least need to give your user access to the relevant /dev/tty* (the vt where X starts), /dev/input/event*, and /var/log/. cap_sys_rawio=ep seems to be indeed required for non-KMS drivers, and the ability to run them is still not guaranteed. E.g., VESA needs access to /dev/mem (video BIOS). I succeeded in running fbdev after giving the user access to /dev/fb0 (not needed on most setups, I guess, if the user is in group "video").
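The recipe in comment 0, plus the extra access that comment 9 says startx as a plain user needs (the vt's /dev/tty*, /dev/input/event*, /var/log), can be turned into a small read-only audit so you can see which piece of the non-root setup is missing before X fails. The script below is an added example written for this page; it is not part of the bug report or of the xorg-server ebuild. It assumes Linux with GNU coreutils (stat -c) and, optionally, getcap from sys-libs/libcap; the default paths, the "video" group and the tty list are taken from comment 0 and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example: audit the non-root Xorg pieces from comment 0 and comment 9.
# Not from the bug report or the ebuild. Assumes GNU stat; getcap is optional.
# Read-only: it reports what is wrong and changes nothing.

XORG_BIN="${XORG_BIN:-/usr/bin/Xorg}"              # server binary (comment 0)
DEV_GROUP="${DEV_GROUP:-video}"                    # group that should own the nodes
XORG_TTYS="${XORG_TTYS:-/dev/tty0 /dev/tty2}"      # vts used in comment 0

# 0 if the binary exists and does NOT carry the setuid bit
# (i.e. USE=-suid or "chmod -s" took effect); 2 if it is missing.
is_not_setuid() {
    [ -e "$1" ] || return 2
    [ ! -u "$1" ]
}

# 0 if a file capability containing cap_sys_rawio is stored on the binary.
# getcap reads the security.capability xattr, which is what needs filesystem
# xattr support as noted in comment 7. Returns 2 if getcap is not installed.
has_cap_sys_rawio() {
    command -v getcap >/dev/null 2>&1 || return 2
    getcap "$1" 2>/dev/null | grep -q 'cap_sys_rawio'
}

# 0 if $1 exists, is mode 0660 and owned by group $2 (the chgrp/chmod
# state from comment 0); otherwise print what differs and return 1.
check_dev_node() {
    node=$1
    want_group=$2
    if [ ! -e "$node" ]; then
        echo "missing: $node"
        return 1
    fi
    info=$(stat -c '%a %G' "$node") || return 1
    set -- $info
    if [ "$1" != "660" ] || [ "$2" != "$want_group" ]; then
        echo "$node: mode $1 group $2, want 660 $want_group"
        return 1
    fi
    return 0
}

# Run every check once; the return value is the number of failed checks.
audit_rootless_xorg() {
    failures=0
    is_not_setuid "$XORG_BIN" || { echo "$XORG_BIN is still setuid (or missing)"; failures=$((failures + 1)); }

    has_cap_sys_rawio "$XORG_BIN"
    case $? in
        0) ;;
        1) echo "$XORG_BIN: no cap_sys_rawio file capability (needed for non-KMS drivers)"; failures=$((failures + 1)) ;;
        *) echo "getcap not available, skipping capability check" ;;
    esac

    # Device nodes a user-started server must open (comment 0 and comment 9).
    for node in $XORG_TTYS /dev/input/event*; do
        check_dev_node "$node" "$DEV_GROUP" || failures=$((failures + 1))
    done

    # The nvidia nodes only matter with the binary driver; skip them if absent.
    for node in /dev/nvidia0 /dev/nvidiactl; do
        if [ -e "$node" ]; then
            check_dev_node "$node" "$DEV_GROUP" || failures=$((failures + 1))
        fi
    done

    # startx as a user also needs to write its log (comment 9).
    if [ ! -w /var/log ]; then
        echo "/var/log is not writable by $(id -un)"
        failures=$((failures + 1))
    fi
    return $failures
}

# Only run the audit when invoked as "sh thisfile.sh audit", so that
# sourcing the file to reuse the functions has no side effects.
if [ "${1:-}" = "audit" ]; then
    audit_rootless_xorg
fi
```

Run it as the user who will start X, not as root, since the /var/log and device checks are about that user's access; a non-zero exit status is the count of checks that failed, and each failure is printed with the mode and group that were actually found.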
(In reply to comment #9) Yes, it is still running as root. Sorry, I was thinking that X was suid because this was needed for xdm/kdm/... and not only for users starting X directly. But the managers themselves and the X server that gets started from them run as root, with and without suid. OK, so disabling this flag did not get me a rootless X setup, but at least for me it is still a good change, as I now do not need any work-arounds for xpra.
Actually, with the nvidia blob, OpenGL works with xorg run as a user even without cap_sys_rawio, at least with the latest driver and a GTS 450.
Also, OpenGL works with non-root xorg with nouveau. On the other hand, the new xorg modesetting ddx driver doesn't work without root.