Gentoo Forums
Why is our xorg-server setuid, again?
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Wed Oct 31, 2018 2:32 am    Post subject: Why is our xorg-server setuid, again? Reply with quote

Looking at this GLSA and realising it's the first one in a long time I haven't already been on top of... we used to have a removable USE=suid precisely so unnecessary security risks could be avoided. Who thought it was a good idea to remove that choice?
Marcih
Apprentice
Apprentice


Joined: 19 Feb 2018
Posts: 213

PostPosted: Wed Oct 31, 2018 11:36 am    Post subject: Reply with quote

I'm running x11-base/xorg-server-1.19.5-r2 with USE="-suid", my X server with regular user privileges as per the Gentoo wiki guide without any problems.
As far as I understand, the GLSA mentioned in the OP only affects installations with the suid wrapper, right? Am I supposed to understand that the "suid" flag has been removed again in subsequent versions? If so, thanks for the heads-up Ant P., will be masking new Xorg server versions and I'm 100% with you.

What exactly is the reason for removing the option? Does running Xorg version 1.20.* as user break something? Would love to hear the maintainers chime in.
_________________
Bones McCracker wrote:
It wouldn't be so bad, if it didn't suck.

NeddySeagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6098
Location: Dallas area

PostPosted: Wed Oct 31, 2018 11:52 am    Post subject: Reply with quote

Code:
$ grep suid xor*
xorg-server-1.19.5-r2.ebuild:IUSE="${IUSE_SERVERS} debug +glamor ipv6 libressl minimal selinux +suid systemd tslib +udev unwind xcsecurity"
xorg-server-1.19.5-r2.ebuild:      $(use_enable suid install-setuid)
xorg-server-1.20.1.ebuild:      $(use_enable systemd suid-wrapper)
xorg-server-1.20.2.ebuild:      $(use_enable systemd suid-wrapper)
xorg-server-1.20.3.ebuild:      $(use_enable systemd suid-wrapper)
xorg-server-9999.ebuild:      $(use_enable systemd suid-wrapper)


Odd

edit to add: from the 1.20 tarball, configure --help
Code:
  --enable-suid-wrapper   Build suid-root wrapper for legacy driver support on
                          rootless xserver systems (default: no)
...
  --enable-install-setuid Install Xorg server as owned by root with setuid bit
                          (default: auto)

_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Zucca
Moderator
Moderator


Joined: 14 Jun 2007
Posts: 3343
Location: Rasi, Finland

PostPosted: Wed Oct 31, 2018 12:20 pm    Post subject: Reply with quote

Do I need to expect bumping into any problems with -suid on xorg-server?
I took a look and I have +suid, which seems to be the default on the profile I use.
_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote:
I am NaN! I am a man!
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6098
Location: Dallas area

PostPosted: Wed Oct 31, 2018 12:52 pm    Post subject: Reply with quote

From the 1.20.3 ebuild

Code:
        $(use_enable systemd suid-wrapper)
        $(use_enable !systemd install-setuid)



So basically without making changes to the ebuild

If "systemd flag" is set, then suid-wrappers is used, which turns off install-setuid (in configure)
if "not systemd flag" then install-setuid is enabled (explicitly)


Edit to add: what they should have done is changed the suid flag to suid-wrappers (to make it clearer)
in the configure script install-setuid and suid-wrapper are mutually exclusive.
It shouldn't have been shoved under the systemd flag (which pulls in dbus and systemd) :roll:
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy

PostPosted: Wed Oct 31, 2018 1:17 pm    Post subject: Reply with quote

Anon-E-moose wrote:
From the 1.20.3 ebuild

Code:
        $(use_enable systemd suid-wrapper)
        $(use_enable !systemd install-setuid)



So basically without making changes to the ebuild

If "systemd flag" is set, then suid-wrappers is used, which turns off install-setuid (in configure)
if "not systemd flag" then install-setuid is enabled (explicitly)


Edit to add: what they should have done is changed the suid flag to suid-wrappers (to make it clearer)
in the configure script install-setuid and suid-wrapper are mutually exclusive.
It shouldn't have been shoved under the systemd flag (which pulls in dbus and systemd) :roll:
oh the irony of having a more secure xorg by installing systemd (shame that sort of opens every door and window you have)
_________________
Quote:
Removed by Chiitoo
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6098
Location: Dallas area

PostPosted: Wed Oct 31, 2018 1:24 pm    Post subject: Reply with quote

Naib wrote:
oh the irony of having a more secure xorg by installing systemd (shame that sort of opens every door and window you have)


Especially considering https://forums.gentoo.org/viewtopic-t-1088680.html ([ GLSA 201810-10 ] systemd)
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Wed Oct 31, 2018 8:43 pm    Post subject: Reply with quote

They changed it to depend on… systemd? How does that make any damn sense‽

X doesn't need setuid unless you're running startx from the command line as a normal user without /dev access. That's an incredibly specific setup, and the people with it know what they are doing. Let them set USE=suid and let the rest of us with a sane service manager or graphical login not be exposed to high-severity vulns by default, ffs.
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6098
Location: Dallas area

PostPosted: Wed Oct 31, 2018 8:52 pm    Post subject: Reply with quote

It's still there ... in the configure ... it's just not in the ebuild, copy it to local and make changes, it's not rocket science or file a bug report, if there's not one already

The changes between 1.19.5 and 1.20.3 are just a few as far as suid stuff

Code:
-IUSE="${IUSE_SERVERS} debug +glamor ipv6 libressl minimal selinux +suid systemd tslib +udev unwind xcsecurity"
+IUSE="${IUSE_SERVERS} debug +glamor ipv6 libressl minimal selinux systemd +udev unwind xcsecurity"
...
-      $(use_enable suid install-setuid)
...
+      $(use_enable systemd suid-wrapper)
+      $(use_enable !systemd install-setuid)
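Review bot: The two added use_enable lines both key off the systemd flag while "+suid" is dropped from IUSE, so no flag combination is left that builds without a setuid component: systemd on passes --enable-suid-wrapper, systemd off passes --enable-install-setuid. Keep "$(use_enable suid install-setuid)" under its own flag and put the wrapper behind a separate flag, so a build with neither can still be selected.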



Edit to add: already done https://bugs.gentoo.org/669648 go add your view. :lol:
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 783
Location: usually offline

PostPosted: Thu Nov 01, 2018 11:29 am    Post subject: Reply with quote

Anon-E-moose wrote:
done https://bugs.gentoo.org/669648 go add your view. :lol:

Looking at that bug, I wonder if the Gentoo maintainer understands Xorg enough. Reminds me of OpenRC roadmap converging towards systemd. Is there a Gentoo push towards systemd?
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy

PostPosted: Thu Nov 01, 2018 11:45 am    Post subject: Reply with quote

josephg wrote:
Anon-E-moose wrote:
done https://bugs.gentoo.org/669648 go add your view. :lol:

Looking at that bug, I wonder if the Gentoo maintainer understands Xorg enough. Reminds me of OpenRC roadmap converging towards systemd. Is there a Gentoo push towards systemd?

I wouldn't say there is a Gentoo push to systemd as it is just a framework and there are both advocates and questioners of systemd within Gentoo.

You are probably right the Devs probably do not fully understand xorg BUT I would say xorg Devs don't understand xorg... This CVE is stupid and should not even occur...
_________________
Quote:
Removed by Chiitoo


Last edited by Naib on Thu Nov 01, 2018 2:45 pm; edited 1 time in total
Zucca
Moderator
Moderator


Joined: 14 Jun 2007
Posts: 3343
Location: Rasi, Finland

PostPosted: Thu Nov 01, 2018 2:42 pm    Post subject: Reply with quote

Naib wrote:
This CVE is stupid and should not even occur...
++
_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote:
I am NaN! I am a man!
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6098
Location: Dallas area

PostPosted: Thu Nov 01, 2018 2:58 pm    Post subject: Reply with quote

The key to the cve is

Quote:
allows unprivileged users with the ability to log in to the system via physical console


That's the problem, it doesn't matter if X is suid or not.

If I have physical access to the system I can find innumerable ways to gain root access or access to information on the system, whether X is suid or not.

I run X suid, it's just habit, and I don't think anything of it, it's a single user system. If someone can physically access my computer then there's a bigger problem than a suid X.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy

PostPosted: Thu Nov 01, 2018 3:08 pm    Post subject: Reply with quote

Anon-E-moose wrote:
The key to the cve is

Quote:
allows unprivileged users with the ability to log in to the system via physical console


That's the problem, it doesn't matter if X is suid or not.

If I have physical access to the system I can find innumerable ways to gain root access or access to information on the system, whether X is suid or not.

I run X suid, it's just habit, and I don't think anything of it, it's a single user system. If someone can physically access my computer then there's a bigger problem than a suid X.
exactly, still the solution shouldn't be systemd
_________________
Quote:
Removed by Chiitoo
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Thu Nov 01, 2018 3:28 pm    Post subject: Reply with quote

Anon-E-moose wrote:
The key to the cve is

Quote:
allows unprivileged users with the ability to log in to the system via physical console


That's the problem, it doesn't matter if X is suid or not.

If I have physical access to the system I can find innumerable ways to gain root access or access to information on the system, whether X is suid or not.

I run X suid, it's just habit, and I don't think anything of it, it's a single user system. If someone can physically access my computer then there's a bigger problem than a suid X.

You have that completely backwards.

X requires suid to log in via the physical console.

Having a suid binary with unsanitised command line parameters allows any user-level process to trivially pwn your box. They don't need a physical console.
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6098
Location: Dallas area

PostPosted: Thu Nov 01, 2018 3:32 pm    Post subject: Reply with quote

Naib wrote:
still the solution shouldn't be systemd


Agreed.

Even though the guy, according to the bug link I posted, admitted he was new to it and was working alone, I'm not sure why he chose the systemd flag to put it under.
Since being suid or not has nothing to do with systemd. But much of the noise in that bug thread is confusing; it doesn't help matters.

They need 2 flags, put back suid (and it needs to send enabled/disabled, not just enabled, since it's auto in the configure script)
And suid-wrapper (only needs enabled as it's disabled by default)
Then people could set it how they needed.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6098
Location: Dallas area

PostPosted: Thu Nov 01, 2018 3:44 pm    Post subject: Reply with quote

Ant P. wrote:
Anon-E-moose wrote:
The key to the cve is

Quote:
allows unprivileged users with the ability to log in to the system via physical console


That's the problem, it doesn't matter if X is suid or not.

If I have physical access to the system I can find innumerable ways to gain root access or access to information on the system, whether X is suid or not.

I run X suid, it's just habit, and I don't think anything of it, it's a single user system. If someone can physically access my computer then there's a bigger problem than a suid X.

You have that completely backwards.

X requires suid to log in via the physical console.


No you don't need X to be suid, you need permission for input and video groups or perhaps the network group/access if not suid.
https://wiki.gentoo.org/wiki/Non_root_Xorg

Quote:
Having a suid binary with unsanitised command line parameters allows any user-level process to trivially pwn your box. They don't need a physical console.


If they can access my internal network then there's bigger problems than a suid X or whichever program.


IMO, everything that people are getting all up in arms and running around screaming "the sky is falling" is predicated on them being paranoid about either access to the physical machine or the network it runs on. Both of which can be controlled.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Thu Nov 01, 2018 3:56 pm    Post subject: Reply with quote

Anon-E-moose wrote:
No you don't need X to be suid, you need permission for input and video groups or perhaps the network group/access if not suid.
https://wiki.gentoo.org/wiki/Non_root_Xorg

No need to paraphrase my earlier posts at me, I know how it works.

And you're continuing to miss the point. We *had* a mitigation for a high-level CVE. Someone too lazy to RTFM took that away in favour of coercing users onto systemd. This is a developer attitude problem.
asturm
Developer
Developer


Joined: 05 Apr 2007
Posts: 8936

PostPosted: Thu Nov 01, 2018 4:02 pm    Post subject: Reply with quote

Ant P. wrote:
in favour of coercing users onto systemd.

That's a baseless assumption.
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Thu Nov 01, 2018 4:05 pm    Post subject: Reply with quote

Save the hot air and posturing for when users are no longer being put at risk.
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6098
Location: Dallas area

PostPosted: Thu Nov 01, 2018 4:07 pm    Post subject: Reply with quote

No, I don't think I'm missing the point at all.
1. The CVE was based on developer laziness and not at all what I would consider "high level", and the knee-jerk response to "remove the suid flag" was stupid.

2. I pointed out earlier on that it was wrong to stuff what they did under the systemd flag.

3. I make no judgment on whether the ebuild dev was too lazy to RTFM or just overworked (I don't know what else he handles), and judging by his input in the bug I linked he seems to be trying to work with people for the best solution, without extra work (for him) being created in the future due to it.

4. My response about suid X was based on your last statement "X requires suid to log in via the physical console."

Anyway, no arguments from me, y'all have fun.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
asturm
Developer
Developer


Joined: 05 Apr 2007
Posts: 8936

PostPosted: Thu Nov 01, 2018 4:09 pm    Post subject: Reply with quote

Ant P. wrote:
Save the hot air and posturing

Speak for yourself.
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 783
Location: usually offline

PostPosted: Thu Nov 01, 2018 4:59 pm    Post subject: Reply with quote

Wouldn't setgid be safer than suid, if at all necessary? http://wiki.gentoo.org/wiki/Non_root_Xorg#Alternative_method
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21630

PostPosted: Fri Nov 02, 2018 2:13 am    Post subject: Reply with quote

josephg wrote:
Wouldn't setgid be safer than suid, if at all necessary? http://wiki.gentoo.org/wiki/Non_root_Xorg#Alternative_method
Yes, except that setgid can only set one gid, and according to those instructions, you need to guarantee two gids. However, a setuid-root wrapper that changed its groups, then changed effective uid to real id, then exec'd Xorg, should be sufficient. Such a wrapper could be quite small and easy to audit, since it would not need to accept any user configurability. Xorg has a wrapper, but it is not as trivial as I would like, since it goes poking about trying to determine at runtime whether to retain root or drop it. That makes it complex enough that I cannot tell at a glance whether it might have a security problem lurking. I envisioned a wrapper that is hardcoded to work exactly one way.
ChrisJumper
Advocate
Advocate


Joined: 12 Mar 2005
Posts: 2390
Location: Germany

PostPosted: Fri Nov 02, 2018 9:26 am    Post subject: Reply with quote

Marcih wrote:
I'm running x11-base/xorg-server-1.19.5-r2 with USE="-suid", my X server with regular user privileges as per the Gentoo wiki guide without any problems.


Thank you for that hint! Before, I tried to use Wayland on unimportant desktop systems, but it did not work so well, and on gaming machines the NVIDIA drivers did not support it when I tried to migrate the last time.