Since xorg-server 1.16 it is possible to install the Xorg binary without suid and just have a wrapper script with suid rights which drops these rights before starting X. This wrapper is enabled with the --enable-suid-wrapper configure flag. Maybe --install-setuid shouldn't get passed to configure when enabling the wrapper.
[1] http://lists.x.org/archives/xorg-devel/2014-March/040874.html
I currently use an ebuild like the original 1.17.2 but patched with: --- /usr/portage/x11-base/xorg-server/xorg-server-1.17.2.ebuild 2015-07-10 20:24:36.000000000 +0200 +++ /data/portage/x11-base/xorg-server/xorg-server-1.17.2.ebuild 2015-08-06 13:25:46.549338326 +0200 @@ -13,7 +13,7 @@ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux" IUSE_SERVERS="dmx kdrive xephyr xnest xorg xvfb" -IUSE="${IUSE_SERVERS} glamor ipv6 minimal nptl selinux +suid systemd tslib +udev unwind wayland" +IUSE="${IUSE_SERVERS} glamor ipv6 minimal nptl selinux suid +suid-wrapper systemd tslib +udev unwind wayland" CDEPEND=">=app-eselect/eselect-opengl-1.3.0 dev-libs/openssl @@ -168,6 +168,7 @@ $(use_enable kdrive kdrive-mouse) $(use_enable kdrive kdrive-evdev) $(use_enable suid install-setuid) + $(use_enable suid-wrapper) $(use_enable tslib) $(use_enable unwind libunwind) $(use_enable wayland xwayland)
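Review bot: In the first hunk's IUSE line, `+suid` becomes `suid` while the new flag is added as `+suid-wrapper`, so anyone who has not set these flags explicitly moves from a setuid Xorg binary to the wrapper on the next rebuild. That default change should be stated in the commit message or changelog, and the new flag needs a USE description, which the visible hunks do not add.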
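Review bot: In the second hunk, `$(use_enable suid install-setuid)` and `$(use_enable suid-wrapper)` are evaluated independently, so USE="suid suid-wrapper" passes both --enable-install-setuid and --enable-suid-wrapper to configure, which is the combination the report questions. Either make the flags mutually exclusive, for example `REQUIRED_USE="suid-wrapper? ( !suid )"`, or document why both may be enabled together.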
*** Bug 424984 has been marked as a duplicate of this bug. ***
Pushed sarnex's patch as 1.19.5-r1.
commit 07d1aac432064957ea5b8e62b911811ae32bd3be
Author: Nick Sarnie <commendsarnex@gmail.com>
Date: Sat Sep 23 17:51:24 2017 -0400
x11-base/xorg-server: Add support for suid-wrapper, fix bug #556834