| View previous topic :: View next topic |
| Author |
Message |
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
 Posted: Mon Aug 03, 2020 8:39 pm Post subject: |
 |
|
| kajzer wrote: | | Anon-E-moose wrote: | | Edit to add: Does this allow switching back to the vt??? |
You still have to start X with "startx -- vt1"
tty0 gives permission denied
I was able to do Ctrl-Alt-F2 , Ctrl-Alt-F1 brought back the desktop. |
If you chown /dev/tty7 to your user does just "startx" work?
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
 |
halcon
l33t
Joined: 15 Dec 2019
Posts: 629
|
| Posted: Mon Aug 03, 2020 8:59 pm Post subject: |
|
|
| kajzer wrote: | | I guess further discussion about this (drm_util and driver patches) is pointless now, in Wiki I guess it should be mentioned that starting with kernel 5.8.0 no steps are needed. |
Cool! Excellent find, kajzer!  |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1165
Location: /run/user/1000
|
| Posted: Mon Aug 03, 2020 9:00 pm Post subject: |
|
|
| Anon-E-moose wrote: | | If you chown /dev/tty7 to your user does just "startx" work? |
I will certainly try and let you know, not in the mood to test it right now, by tomorrow at the latest...
But I guess everything else stays the same, it's just drmSetMaster that's changed and now everyone can set it. |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Mon Aug 03, 2020 9:12 pm Post subject: |
|
|
| kajzer wrote: | | Anon-E-moose wrote: | | If you chown /dev/tty7 to your user does just "startx" work? |
I will certainly try and let you know, not in the mood to test it right now, by tomorrow at the latest...
But I guess everything else stays the same, it's just drmSetMaster that's changed and now everyone can set it. |
I was tempted to change DRM_ROOT_ONLY to 0 on my kernel and see what it did, now I know.
But with this, it makes it easy to run non-root X, without suid/suid-wrapper/*logind/pam for those of us want to do that.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1165
Location: /run/user/1000
|
| Posted: Mon Aug 03, 2020 9:24 pm Post subject: |
|
|
| Anon-E-moose wrote: | I was tempted to change DRM_ROOT_ONLY to 0 on my kernel and see what it did, now I know.
But with this, it makes it easy to run non-root X, without suid/suid-wrapper/*logind/pam for those of us want to do that. |
I was thinking about it for days now and finally today I've decided to do it, I mean why not, it's an easy change and rollback if it fails or something.
I went for "AUTH", thinking that's for authenticated users, I'm not sure what "0" means, probably "anyone", no permissions needed.
I wasn't sure about what can happen if master could be set by non-root users, that's why I asked about it.
I guess nothing special happens and I'm glad that kernel devs finally made that change.
Basically that's what the drm_master_util and the driver patches were for.
One less pain to deal with now  |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Mon Aug 03, 2020 9:28 pm Post subject: |
|
|
I have my user in video, input and tty groups, and I have a small udev rule to change perms on /dev/tty[78] (I might want a second X session sometime)
and startx without parameters, starts on vt7 or 8 if second server.
| Code: | $ cat /etc/udev/rules.d/75-tty-don.rules
SUBSYSTEM=="tty", KERNEL=="tty[7-8]", GROUP="tty", MODE="0660" |
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1165
Location: /run/user/1000
|
| Posted: Mon Aug 03, 2020 9:52 pm Post subject: |
|
|
| Anon-E-moose wrote: | I have my user in video, input and tty groups, and I have a small udev rule to change perms on /dev/tty[78] (I might want a second X session sometime)
and startx without parameters, starts on vt7 or 8 if second server.
| Code: | $ cat /etc/udev/rules.d/75-tty-don.rules
SUBSYSTEM=="tty", KERNEL=="tty[7-8]", GROUP="tty", MODE="0660" |
|
That's cool , I might do something similar.
Way I do it is with alias startx="startx -- vt1"
btw funny story.. I forgot to mention it, I wouldn't even know about this change in 5.8 but coincidentally I was dealing with the same thing with 5.7, then I saw a kernel update and decided to make a patch and test it out with this new version, of course it failed and I was like ok it's probably the position thing, but when I saw there's "0" instead of ROOT_ONLY I was surprised, pleasantly  |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1165
Location: /run/user/1000
|
| Posted: Mon Aug 03, 2020 11:43 pm Post subject: |
|
|
| Anon-E-moose wrote: | | If you chown /dev/tty7 to your user does just "startx" work? |
It didn't work.
However, I tried your udev rule and that worked.
I also added myself in tty group because I wasn't a member in that one. |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21605
|
| Posted: Tue Aug 04, 2020 2:07 am Post subject: |
|
|
| Adding your user to the tty group has the side effect that you can now write to any user's pseudo-terminal (if they have not run mesg n), and unlike write/wall, there is no forced header/footer. I do not know of a way to exploit this directly, but it could definitely enable mischief in a multi-user system. |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1165
Location: /run/user/1000
|
| Posted: Tue Aug 04, 2020 7:49 am Post subject: |
|
|
I guess, just wanted to try that if I need it in the future.
I like simple solutions , "startx --vt1" seems simple enough.
The only time I would probably need to switch VT's is if desktop crashed and it's frozen, I would then issue a reboot command on another VT, something like that.
And that works, without adding a user to tty group and having additional udev rules. |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Tue Aug 04, 2020 9:56 am Post subject: |
|
|
| Hu wrote: | | Adding your user to the tty group has the side effect that you can now write to any user's pseudo-terminal (if they have not run mesg n), and unlike write/wall, there is no forced header/footer. I do not know of a way to exploit this directly, but it could definitely enable mischief in a multi-user system. |
Which is worse, me being in tty, video and input groups or running X the old fashioned way ie as root all the time?
If one wants a perfectly secure system, turn it off, unplug it from the wall and put the computer in a bank vault. 
Not to say you're wrong because you're not, anytime a change is made like this, then there's always potential for mischief, but I weigh all factors when deciding to do something like this. And in the case of single user systems, no problem, in the case of home machine with family members as users, still no problem. Would I do it if it was a companies server and I was working on it, no, but business has different metrics from home use. If someone can get to my home machine to abuse the tty group, then I got a lot bigger problems than the fact that someone can do something with the tty group.
I also agree with kajzer that it's not that difficult to use startx -- vt? I have an old alias set up, but since I slightly modified the startx script anyway, I just call it directly and leave off the vt? arg. Yeah, I know, laziness on my part.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21605
|
| Posted: Wed Aug 05, 2020 1:26 am Post subject: |
|
|
| Anon-E-moose wrote: | | Which is worse, me being in tty, video and input groups or running X the old fashioned way ie as root all the time? |
video is commonly needed for access to OpenGL. tty has the drawback I mentioned above. input may allow snooping system input devices. Although X11 is vulnerable to that anyway, the X11 input weakness applies only to clients which successfully connect to the X11 server. A user in the input group could, in theory, log in remotely and snoop the X11 session of an unrelated user despite not being able to connect X11 clients to the target's session.
Running X as root is in theory bad, but in practice has had surprisingly few reported serious vulnerablities considering the age of the code base. I am not well-informed on this, but I would expect that any setup where privileged operations are isolated enough that the elogind approach works would also be isolated enough that a decently secure setup could be had with the following:- Install Xorg as suid.
- On startup, Xorg immediately creates a bidirectional anonymous local domain socket, then forks a child process.
- The parent drops all privileges and switches to the uid of the caller. The child remains root indefinitely.
- When the parent needs a privileged DRM operation, it delegates that to the root-privileged child.
- The communication protocol between parent and child is kept extremely simple, such that it can be fully audited quickly by anyone knowledgeable about C and Linux socket programming.
I expect that the reason this was not done years ago is that prior to the Direct Rendering Manager / Kernel Mode Setting work, the privileged operations were sufficiently scattered that the design I propose would be impractical. I propose it now since the existence of the drm_master_util hack seems to suggest that all the hard work of isolating/centralizing the privileged operations has already been done upstream. |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Wed Aug 05, 2020 10:15 am Post subject: |
|
|
Even better with the kernel 5.8 change, they removed the "ROOT_ONLY" key on the drm set/drop call, which was always available to change, the lock of root only was, um, just a tad too aggressive, especially given the fact that so many other calls to the drm area didn't have that constraint. Anyway with the change then drm_util_master is not needed, any person can use the drm set/drop master calls. As far as older versions, it would be easy enough to change that flag in the source and then recompile the kernel (2 lines within drm_ioctl.c need changing). The nice thing about this way, no need for patches for x11-drivers (modesetting and others) as the patches were there to bypass the need for "root" for those calls, just the simple kernel changes.
| Code: | /**
* @DRM_ROOT_ONLY:
*
* Anything that could potentially wreak a master file descriptor needs
* to have this flag set. Current that's only for the SETMASTER and
* DROPMASTER ioctl, which e.g. logind can call to force a non-behaving
* master (display compositor) into compliance.
*
* This is equivalent to callers with the SYSADMIN capability.
*/ |
Which is nice, that sysadmin ability would work instead of root ... except that in the code they block using CAP_SYS_ADMIN alltogether.
The only thing I don't know is if this change from ROOT_ONLY is permanent (should be IMO) ... and will be on my home system, makes non-root clean and easy to do.
Edit to add:
| Hu wrote: | | Running X as root is in theory bad, but in practice has had surprisingly few reported serious vulnerablities considering the age of the code base. I am not well-informed on this, but I would expect that any setup where privileged operations are isolated enough that the elogind approach works would also be isolated enough that a decently secure setup could be had with the following |
Your description below the quoted material, is pretty much how *logind works, it stays active and the "fd" that is needed on calls to drm set/drop master is kept until it's dropped, then it acquires another, if needed (there can only be ONE MASTER at a time). Unfortunately their method of talking is dbus instead of just plain old sockets (that every unix system in the world has available)
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1165
Location: /run/user/1000
|
| Posted: Wed Aug 05, 2020 11:55 am Post subject: |
|
|
Patching the drivers was to halt the operation of loading video driver and start '/usr/bin/drm_master_util' which only has one function, to set drm master as root, for that it needs 'fd' which it gets from the same patched driver.
Once done the driver continues with the loading.
There was no other way in setups w/o *d's
The whole problem was the decision back then that only root can do that, what were the exact reasons to do that and why is it removed now, would be interesting to find somewhere details about it. |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Wed Aug 05, 2020 12:08 pm Post subject: |
|
|
| kajzer wrote: | | The whole problem was the decision back then that only root can do that, what were the exact reasons to do that and why is it removed now, would be interesting to find somewhere details about it. |
A possible misunderstanding of what was really needed for drm to work seamlessly, especially with the push towards non-root X over the last year or so.
There can only ever be ONE master and no one else can claim master UNTIL the current owner drops ownership, it doesn't matter whether root or standard user is the one making the drm call. Now having said that, there was always a potential risk of a race condition, IF there was more than one process trying to be master at the same time (which to me you would have to really go out of your way to force something like that to happen and it wouldn't matter if the process was owned by root or not).
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Wed Aug 05, 2020 12:47 pm Post subject: |
|
|
kajzer, I just applied "0" to the set/drop master define (the same as 5.8.0) to the 5.5.18 kernel I'm running and it works perfectly fine as user, without drm_util_master and associated patches.
**two big thumbs up***
running root-less suid-less wrapper-less *logind-less pam-less AND it all works. 
Edit to add: The way I have the use flags for xorg-server set "-systemd -elogind -suid" which give me a server with just normal permissions.
Time to make a quick Doc/tip thread. 
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Last edited by Anon-E-moose on Wed Aug 05, 2020 1:48 pm; edited 1 time in total |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1165
Location: /run/user/1000
|
| Posted: Wed Aug 05, 2020 1:14 pm Post subject: |
|
|
| Great feeling, isn't it? |
|
| Back to top |
|
|
GDH-gentoo
Veteran
Joined: 20 Jul 2019
Posts: 1528
Location: South America
|
| Posted: Wed Aug 05, 2020 2:28 pm Post subject: |
|
|
| Hu wrote: | I am not well-informed on this, but I would expect that any setup where privileged operations are isolated enough that the elogind approach works would also be isolated enough that a decently secure setup could be had with the following:- Install Xorg as suid.
- On startup, Xorg immediately creates a bidirectional anonymous local domain socket, then forks a child process.
- The parent drops all privileges and switches to the uid of the caller. The child remains root indefinitely.
- When the parent needs a privileged DRM operation, it delegates that to the root-privileged child.
- The communication protocol between parent and child is kept extremely simple, such that it can be fully audited quickly by anyone knowledgeable about C and Linux socket programming.
|
Or, instead of a child process, a process launched by the init system, listening on a socket with a well-known pathname, like dbus-daemon when used for the system-wide message bus (but without the complex protocol), and simple enough to be easily audited. That also avoids making Xorg suid.
This is an interesting development, but note that this only solves the privileged ioctl() aspect, not the privileged open() aspect. The latter still has the problems mentioned by Hu if solved by manipulating group membership. |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Wed Aug 05, 2020 2:55 pm Post subject: |
|
|
Privileged open on devices ie, input, video, tty isn't really a problem on home systems (single or family use) as being in a group or modifying the permissions has no real impact on the system running or security. For business or group working servers, I can see the admin being more restrictive on these things.
So, we have these models each with their own "potential" problems.
suid -- the old fashioned way running as root
wrapper -- just tries to determine whether xorg needs to run as root or not and then starts the server appropriately (theory anyway)
*logind -- gnome way, *logind daemons take care of open on devices as well as set/drop master.
none -- but requires being in a few groups and or permissions set differently (a little more open) on some devices.
---
Running as root is a known risk, so suid is being depreciated
Running with wrapper/*logind just pushes the suid problem further removed from the server (who knows what/if any potential/problems there)
Running with no setting, but changed groups/dev permissions also has potential problems.
Basically pick your poison
Edit to add: A fix for the input group problem is to do what was mentioned in the butchered non root xorg wiki article
| Code: | Security concerns
Running X as a normal user is generally a positive step for security, with the exception of multiuser or, especially, multiseat systems. With the direct access to input devices by the user, it becomes trivially possible to snoop on the input of another active user or run a background job to snoop on the input of a future user of the system. For such systems, it's likely better to choose a solution other than running X as the logged-in user (such as using setuid with a dedicated, unprivileged user or using setgid for the input group).
Alternative method
In this section we will detail "setgid" mentioned above.
The objective is to run X as an unprivileged user without adding a user to the input group. This can prevent user from accidentally or intentionally snooping on the input.
To achieve this goal we make use of setgid so that when a user starts X, the X server will be automatically granted permission to access input devices.
Change the ownership of /usr/bin/Xorg:
root #chown -v :input /usr/bin/Xorg
Change the file permission of /usr/bin/Xorg:
root #chmod -v g+s /usr/bin/Xorg
Now the user is not required to be in the input group to run X server. To remove the user from input group:
root #gpasswd -d user input
But the user still needs to be in the video group:
root #usermod -a -G video user
Now start X as a regular user (see above) and X server should function well. |
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Wed Aug 05, 2020 4:05 pm Post subject: |
|
|
Re. changes in drm stuff, this is from drm_auth.c (routines called by set/drop master), interesting comment.
| Code: | /*
* In the olden days the SET/DROP_MASTER ioctls used to return EACCES when
* CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
* from becoming master and/or failing to release it.
*
* At the same time, the first client (for a given VT) is _always_ master.
* Thus in order for the ioctls to succeed, one had to _explicitly_ run the
* application as root or flip the setuid bit.
*
* If the CAP_SYS_ADMIN was missing, no other client could become master...
* EVER :-( Leading to a) the graphics session dying badly or b) a completely
* locked session.
*
*
* As some point systemd-logind was introduced to orchestrate and delegate
* master as applicable. It does so by opening the fd and passing it to users
* while in itself logind a) does the set/drop master per users' request and
* b) * implicitly drops master on VT switch.
*
* Even though logind looks like the future, there are a few issues:
* - some platforms don't have equivalent (Android, CrOS, some BSDs) so
* root is required _solely_ for SET/DROP MASTER.
* - applications may not be updated to use it,
* - any client which fails to drop master* can DoS the application using
* logind, to a varying degree.
*
* * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
*
*
* Here we implement the next best thing:
* - ensure the logind style of fd passing works unchanged, and
* - allow a client to drop/set master, iff it is/was master at a given point
* in time.
*
* Note: DROP_MASTER cannot be free for all, as an arbitrator user could:
* - DoS/crash the arbitrator - details would be implementation specific
* - open the node, become master implicitly and cause issues
*
* As a result this fixes the following when using root-less build w/o logind
* - startx
* - weston
* - various compositors based on wlroots
*/ |
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1165
Location: /run/user/1000
|
| Posted: Wed Aug 05, 2020 9:17 pm Post subject: |
|
|
Yeah, I found the actual commit
Anon-E-moose, although just changing ROOT_ONLY to 0 works, few more things were also added, keep that in mind. |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21605
|
| Posted: Thu Aug 06, 2020 1:53 am Post subject: |
|
|
| GDH-gentoo wrote: | | Or, instead of a child process, a process launched by the init system, listening on a socket with a well-known pathname, like dbus-daemon when used for the system-wide message bus (but without the complex protocol), and simple enough to be easily audited. That also avoids making Xorg suid. |
That could be done, but then the process must always be available whether it is used or not, and if it terminates, no one can get a working graphical session. Also, it would be a popular target for adding "just one more step-up helper," so its maintainer would need to be very firm on not allowing feature creep. Putting the required functionality into the program that will be using it avoids those problems, and ensures that the helper is not used by arbitrary unrelated programs. With the model I proposed, the helper is privileged because it was spawned by the setuid Xorg, and on one else can get a descriptor to talk to it, so it can have a moderate degree of trust that it will not be asked to provide the DRM-enhanced descriptor to unauthorized processes. With the model you propose, any process could talk to it, so now it needs an access control mechanism. |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Thu Aug 06, 2020 9:13 am Post subject: |
|
|
Hu, I wonder if the suid-wrapper could be enhanced to do what you envision?
It's not a very big program, starts up, makes a few decisions and then spawn the real Xorg.
| Code: | | -rw-r--r-- 1000/1000 8459 2020-03-29 15:21 xorg-server-1.20.8/hw/xfree86/xorg-wrapper.c |
Edit to add: Also forgot about acl's, setfacl/getfacl instead of putting users in groups.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Last edited by Anon-E-moose on Thu Aug 06, 2020 1:40 pm; edited 1 time in total |
|
| Back to top |
|
|
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920
|
| Posted: Thu Aug 06, 2020 10:50 am Post subject: |
|
|
| Fork-and-drop-root security is something X should've learned to do when it was still called Xfree86, IMO. |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Thu Aug 06, 2020 3:26 pm Post subject: |
|
|
| kajzer wrote: | Yeah, I found the actual commit
Anon-E-moose, although just changing ROOT_ONLY to 0 works, few more things were also added, keep that in mind. |
Swapped to 5.8.0 on the desktop this morning, I'll hold off on the laptop for a while, as there were less changes for that platform.
Overall this version seems a touch snappier than 5.5.* series, though not sure if it's the ck stuff (zen kernel) or the kernel or maybe both.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Desktop Environments
