Bug 419485 - x11-base/xorg-server: add suid useflag
Summary: x11-base/xorg-server: add suid useflag
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo X packagers
URL:
Whiteboard:
Keywords:
Duplicates: 447770
Depends on:
Blocks:
 
Reported: 2012-06-03 15:20 UTC by nzqr
Modified: 2015-08-04 06:46 UTC
CC: 5 users

See Also:
Package list:
Runtime testing required: ---


Description nzqr 2012-06-03 15:20:29 UTC
I was able to run xorg as non-root, and without giving it too many privileges, using POSIX capabilities, however without OpenGL. With an open-source driver and KMS, even OpenGL should work:

chmod -s    /usr/bin/Xorg
setcap cap_sys_rawio=ep /usr/bin/Xorg
mknod -m660 /dev/nvidia0   c 195 0
mknod -m660 /dev/nvidiactl c 195 255
chgrp video /dev/nvidia{0,ctl} /dev/tty{0,2} /dev/input/event?
chmod 660   /dev/tty{0,2} /dev/input/event?

What's your opinion?

Reproducible: Always
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-12-19 15:33:30 UTC
*** Bug 447770 has been marked as a duplicate of this bug. ***
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-12-19 15:34:00 UTC
Patch from attachment 332690 [details, diff] would be ok with me.
Comment 3 SpanKY gentoo-dev 2012-12-19 18:43:40 UTC
(In reply to comment #2)

if no one complains, i'll go ahead and commit that in a bit
Comment 4 Torsten Kaiser 2012-12-19 19:33:16 UTC
I would very much like to see this useflag going in. I was still wondering what was still forcing the need for suid now that KMS is rather widespread.

This useflag would also be useful for x11-wm/xpra, as seen in Bug 440606.

One nit about the proposed patch:
You changed the comment "--enable-install-setuid needed because sparcs default off" about this always-enabled configure option to one about a useflag.
I think that comment is now wrong, even if I agree with defaulting to +suid so as not to change the current behavior. It seems that the original comment meant that the xorg configure was defaulting to not setting the suid bit on sparc. But now this default from the configure will never be relevant, because the ebuild will always enable/disable this feature based on the useflag. And there is nothing in the gentoo tree (that I can find) that would give sparc a different default than everyone else.
So I would suggest just dropping the comment instead of moving it.
Comment 5 SpanKY gentoo-dev 2012-12-20 23:49:04 UTC
should be all set now in the tree; thanks for the report!

Commit message: Add USE=suid support by John Sheu from ChromiumOS
http://sources.gentoo.org/x11-base/xorg-server/xorg-server-1.13.0-r1.ebuild?r1=1.11&r2=1.12
Comment 6 Nikoli 2012-12-21 09:13:09 UTC
But now even with kms USE="-suid" does not work without additional commands from "comment 0".
What about adding some ewarn or einfo to ebuild? Also why not run 'setcap cap_sys_rawio=ep /usr/bin/Xorg' in ebuild? And what about fixing /dev/ permissions?
Comment 7 Maxim Kammerer 2012-12-21 11:49:09 UTC
(In reply to comment #6)
> Also why not run 'setcap cap_sys_rawio=ep /usr/bin/Xorg' in ebuild?

This requires ext4 filesystem with CONFIG_EXT4_FS_SECURITY enabled (or SELinux I guess).

By the way, does the proposed approach work *only* with KMS Xorg drivers?
Comment 8 Torsten Kaiser 2012-12-21 11:54:19 UTC
"WorksForMe" as-is on two systems. Both have KMS, keyboard+mouse work fine, 3D acceleration still working. One is using radeon+r600g, the other Intel's driver.

cap_sys_rawio and the other commands might only be needed for the nvidia blob. I think the binary drivers also can't do KMS, so I would expect more trouble with these.
Comment 9 Maxim Kammerer 2012-12-21 13:38:49 UTC
(In reply to comment #8)
> "WorksForMe" as-is on two systems. Both have KMS, keyboard+mouse work fine,
> 3D acceleration still working. One is using radeon+r600g, the other intels
> driver.

Check whether X is started as root on your system. When starting with "startx", you would at least need to give your user access to relevant /dev/tty* (vt where X starts), /dev/input/event*, and /var/log/.

cap_sys_rawio=ep seems indeed to be required for non-KMS drivers, and the ability to run them is still not guaranteed. E.g., VESA needs access to /dev/mem (video BIOS). I succeeded in running fbdev after giving the user access to /dev/fb0 (not needed on most setups I guess, if the user is in group "video").
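An added example, not code from this bug or from the xorg-server ebuild: a read-only audit script that reports the state the description's commands set up (setuid bit vs. file capabilities on the Xorg binary, group ownership and mode of the device nodes) and performs the check from comment 9, namely whether a running X server is still root. It assumes GNU coreutils stat(1), the /usr/bin/Xorg and /dev paths used in the description, and, optionally, getcap(1) from sys-libs/libcap.

```shell
#!/bin/sh
# Added example, not part of this bug report or of the xorg-server ebuild.
# Read-only audit of a rootless-X layout: how the server binary is privileged
# (setuid bit, file capabilities, or nothing) and whether the device nodes the
# description hands to the "video" group really are group-readable/writable.
# Assumes GNU coreutils stat(1); getcap(1) from sys-libs/libcap is optional.

# privilege_mode FILE -> prints one word: missing | setuid | file-caps | none
privilege_mode() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
    elif [ -u "$f" ]; then
        # the setuid bit makes the kernel run it as the file owner (root here)
        echo setuid
    elif command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$f" 2>/dev/null)" ]; then
        # file capabilities (e.g. cap_sys_rawio=ep) instead of full root
        echo file-caps
    else
        echo none
    fi
}

# dev_group_access FILE GROUP -> exit 0 when FILE is owned by GROUP with
# mode 0660 (owner and group rw, nothing for others), 1 otherwise
dev_group_access() {
    f=$1 g=$2
    [ -e "$f" ] || return 1
    # positional parameters are local to the function, so reuse them
    set -- $(stat -c '%a %G' "$f" 2>/dev/null)
    [ "${1:-}" = 660 ] && [ "${2:-}" = "$g" ]
}

# report [XORG_BINARY] -> print the audit; default path is the one in the report
report() {
    xorg=${1:-/usr/bin/Xorg}
    mode=$(privilege_mode "$xorg")
    case $mode in
        setuid)    echo "$xorg: setuid, owner $(stat -c %U "$xorg")" ;;
        file-caps) echo "$xorg: file capabilities: $(getcap "$xorg")" ;;
        *)         echo "$xorg: $mode" ;;
    esac
    # the device nodes the description chgrp's to video and chmod's to 660
    for dev in /dev/tty0 /dev/tty2 /dev/input/event* /dev/nvidia0 /dev/nvidiactl; do
        [ -e "$dev" ] || continue
        if dev_group_access "$dev" video; then
            echo "ok     $dev: group video rw"
        else
            echo "check  $dev: $(stat -c '%a %U:%G' "$dev")"
        fi
    done
    # comment 9's check: a server started by a display manager is still root
    ps -eo user=,comm= 2>/dev/null |
        awk '$2 == "X" || $2 == "Xorg" { print "running " $2 " as user " $1 }'
}

report "$@"
```

Run it as `sh xorg-priv-audit.sh` (or with an alternative binary path as the first argument) before and after switching USE="-suid"; a "none" result for the binary together with "check" lines for the device nodes is the situation comment 6 describes, where the ebuild change alone does not yield a working rootless setup.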
Comment 10 Torsten Kaiser 2012-12-21 18:34:09 UTC
(In reply to comment #9)
Yes, it is still running as root.

Sorry, I was thinking that X was suid because this was needed for xdm/kdm/... and not only for users starting X directly. But the managers themselves and the X server that gets started from them run as root, with and without suid.

OK, so disabling this flag did not get me a rootless X setup, but at least for me it is still a good change as I now do not need any work-arounds for xpra.
Comment 11 om3i 2014-01-24 21:43:42 UTC
Actually, with the nvidia blob, OpenGL works with Xorg run as a user even without cap_sys_rawio, at least with the latest driver and a GTS 450.
Comment 12 om3i 2015-08-04 06:46:50 UTC
OpenGL also works with non-root Xorg with nouveau.

On the other hand, the new xorg modesetting DDX driver doesn't work without root.