Gentoo Forums
Any way of starting X remotely in the non root xorg era?
transpetaflops
Tux's lil' helper

Joined: 16 May 2005
Posts: 145

PostPosted: Thu Sep 17, 2020 9:53 pm    Post subject: Any way of starting X remotely in the non root xorg era?

Before the removal of suid on xorg-server I could always fire up X on a remote machine through ssh by typing:
Code:
$ startx  -- &

Then I could start a vnc-server and access the remote machine's GUI.

Now, in the non root xorg era, elogind correctly identifies me as a remote user and refuses to give me the needed access rights to the remote machine's video card. The drawback is that I can no longer use the trick above. Is there any way around this other than to add suid to xorg-server again?

Logging in locally the seat info looks like this and startx works normally:
Code:
$ loginctl list
SESSION   UID USER SEAT  TTY
      1 10000 pp   seat0 tty1

1 sessions listed.


Logging in through ssh I'm missing the seat:
Code:
$ loginctl list
SESSION   UID USER SEAT TTY 
      1 10000 pp        pts/0

1 sessions listed.


And startx of course errors out with lack of permissions on /dev/tty0:
Code:
$ startx -- &
[1] 5560
.
<snip>
.
Fatal server error:
(EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied)


Changing the owner on /dev/tty0 moves the error to "virtual console 7" and changing owner on /dev/tty7 results in "no screens found" so I seem to be stuck on making elogind believe I'm actually logging in locally for this to work. Any hints on how to accomplish this would be greatly appreciated.
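As an added example (not part of the original post), here is a small POSIX sh helper that tells the two cases above apart from `loginctl list` output: a session row with a SEAT column is one elogind will hand DRM and input access to, a row without one (the ssh login) is not. The two listings embedded below are constructed to match the output shown in the post; on a live box you would feed it `loginctl list` and `$XDG_SESSION_ID` (assumption: the PAM elogind module exports that variable for the session).

```shell
#!/bin/sh
# Added example: decide from `loginctl list` output whether a session is
# seated (elogind grants device access) or seatless (ssh login, no access).

# Constructed sample listings, shaped like the two shown in the post.
LOCAL_LISTING='SESSION   UID USER SEAT  TTY
      1 10000 pp   seat0 tty1

1 sessions listed.'

SSH_LISTING='SESSION   UID USER SEAT TTY
      1 10000 pp        pts/0

1 sessions listed.'

# session_seat LISTING SESSION_ID -> prints the seat name of that session,
# "-" when the session has no seat, nothing when the session is not listed.
session_seat() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NR == 1 { next }                      # skip the header line
        $1 == id && $2 ~ /^[0-9]+$/ {         # session row: SESSION UID ...
            # A seated row has five fields (SESSION UID USER SEAT TTY);
            # an ssh session leaves SEAT blank, so only four survive.
            if (NF == 5) print $4; else print "-"
            exit
        }'
}

# can_start_x LISTING SESSION_ID -> exit 0 when the session owns a seat, i.e.
# the logind provider in Xorg would get the VT and DRM devices for it.
can_start_x() {
    seat=$(session_seat "$1" "$2")
    [ -n "$seat" ] && [ "$seat" != "-" ]
}

# On a real system (assumption: XDG_SESSION_ID is set by pam_elogind):
#   if can_start_x "$(loginctl list)" "$XDG_SESSION_ID"; then
#       startx -- &
#   else
#       echo "no seat for session $XDG_SESSION_ID; startx will fail on /dev/tty0" >&2
#   fi
```

The check is deliberately read-only: it only explains the "Permission denied" on /dev/tty0 before you reach for chown or suid, it does not try to obtain a seat.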
etnull
Guru

Joined: 26 Mar 2019
Posts: 435
Location: Russia

PostPosted: Thu Sep 17, 2020 10:00 pm

Maybe "xinit -- vt1 &" would help? Try also "export DISPLAY=:0" before xinit.
Tony0945
Advocate

Joined: 25 Jul 2006
Posts: 4135
Location: Illinois, USA

PostPosted: Thu Sep 17, 2020 10:10 pm

Remove elogind and restore suid.

I run remote X all the time with "X :0 -query <machine name>"
transpetaflops
Tux's lil' helper

Joined: 16 May 2005
Posts: 145

PostPosted: Thu Sep 17, 2020 10:11 pm

etnull wrote:
Maybe "xinit -- vt1 &" would help? Try also "export DISPLAY=:0" before xinit.

Unfortunately I still get permission denied on the virtual console I choose, regardless of which one I try with that syntax. I suspect some trickery is needed with loginctl but the man page isn't clear on this subject to me...
transpetaflops
Tux's lil' helper

Joined: 16 May 2005
Posts: 145

PostPosted: Thu Sep 17, 2020 10:12 pm

Tony0945 wrote:
Remove elogind and restore suid.

I run remote X all the time with "X :0 -query <machine name>"


Yes, this is the last resort I have to fall back to unless there's no other way with elogind. I was hoping to avoid it though.
figueroa
l33t

Joined: 14 Aug 2005
Posts: 767
Location: Lower right-hand corner USA

PostPosted: Fri Sep 18, 2020 2:15 am

Maybe this thread contains your key: https://forums.gentoo.org/viewtopic-t-1118824-highlight-ssh+elogind.html
Andy Figueroa
andy@andyfigueroa.net Working with Unix since 1983.
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 6719

PostPosted: Fri Sep 18, 2020 12:36 pm

Does using the hardware video card matter, or is this just for remote VNC? You could try running Xvfb for that instead and it probably wouldn't need elevated privs at all.
dmpogo
Advocate

Joined: 02 Sep 2004
Posts: 2836
Location: Canada

PostPosted: Fri Sep 18, 2020 4:07 pm

Ant P. wrote:
Does using the hardware video card matter, or is this just for remote VNC? You could try running Xvfb for that instead and it probably wouldn't need elevated privs at all.


And I was always thinking that running vncserver :NN on the remote machine (where you just use some high number NN for your screen) automatically launches Xvfb? And no remote video hardware is needed?

At least that is how I was always running VNC, except on rare occasions when I needed to see what is on the remote desktop screen, but it sounds like that is not the use case here.
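The Xvfb route that Ant P. and dmpogo describe, as an added example that is not code from either post: a virtual framebuffer X server plus a VNC server, both run as the plain user, so no seat, no suid and no video or input group membership is involved. The `free_display` helper picks a display number that no other X server has claimed (X servers leave `/tmp/.X<n>-lock` and `/tmp/.X11-unix/X<n>` behind), which is the "some high number NN" step done safely. The Xvfb and x11vnc flags are taken from their man pages and are an assumption about the installed versions.

```shell
#!/bin/sh
# Added example: headless X (Xvfb) plus VNC as an unprivileged user.
# Xvfb renders into memory, so elogind's seat logic never comes into play.

LOCKDIR=${LOCKDIR:-/tmp}   # where X servers leave .X<n>-lock files

# free_display START -> prints the first display number >= START that no
# running X server has claimed, so a second Xvfb/vncserver does not collide.
free_display() {
    n=${1:-99}
    while [ -e "$LOCKDIR/.X${n}-lock" ] || [ -e "$LOCKDIR/.X11-unix/X${n}" ]; do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# start_headless WIDTHxHEIGHT -> starts Xvfb on a free display and a VNC
# server that listens on 127.0.0.1 only. Reach it through ssh, never over
# the bare network:  ssh -L 5900:127.0.0.1:5900 user@remote
# Prints the display number it chose.
start_headless() {
    geom=${1:-1280x800}
    command -v Xvfb >/dev/null 2>&1 || { echo "Xvfb not installed" >&2; return 1; }
    disp=$(free_display 99)
    # -nolisten tcp: the X socket stays a local unix socket only
    Xvfb ":$disp" -screen 0 "${geom}x24" -nolisten tcp &
    export DISPLAY=":$disp"
    # -localhost: VNC port bound to loopback; -rfbauth: password file
    # created beforehand with `x11vnc -storepasswd` (assumed path)
    if command -v x11vnc >/dev/null 2>&1; then
        x11vnc -display ":$disp" -localhost -rfbauth "$HOME/.vnc/passwd" -bg
    fi
    printf '%s\n' "$disp"
}

# Usage on the remote host, then start the desktop on $DISPLAY:
#   disp=$(start_headless 1280x800) && DISPLAY=:$disp startxfce4 &
```

Because nothing here touches /dev/tty* or /dev/dri, it works from an ssh session regardless of what `loginctl list` says; the only thing you give up is the real monitor, which is exactly the case dmpogo describes.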
transpetaflops
Tux's lil' helper

Joined: 16 May 2005
Posts: 145

PostPosted: Fri Sep 18, 2020 4:45 pm

Ant P. wrote:
Does using the hardware video card matter, or is this just for remote VNC? You could try running Xvfb for that instead and it probably wouldn't need elevated privs at all.


Thank you. I'd need to look into this option. For now I just worked around the problem by logging in the user automatically and autostart X.
SlashBeast
Developer

Joined: 23 May 2006
Posts: 2903

PostPosted: Sun Sep 20, 2020 9:57 am

I think there's a general misunderstanding of what non-root X with the logind provider does, and how it affects special use cases.

The logind provider allows a locally seated user, who logs in on the vt (tty), to be given access to DRM (it seems this has been lifted with the 5.8 kernel) and access to input devices.

The legacy suid way worked 'without any issue' simply because the SUIDed Xorg binary would bypass any permission restriction out there, and since anyone could run it, everything was 'just working'.

So, going from the most secure way to the least secure way, where most secure here means the way that exposes the least access:

- Use the logind provider to get a seat, then use said seat to start X with all the needed accesses.

When trying to start X remotely, the only way to get this done is to enable autologin (for example via /etc/inittab for OpenRC) to get the seat. This can be secured inside .bashrc in a way that autologin on the specified TTY will never drop to an interactive shell.

- Without using the logind provider, and with kernel 5.8, adding the user to the input group should be enough to run X as a user, but this also exposes *all* input devices to the user.

- With suid enabled.
transpetaflops
Tux's lil' helper

Joined: 16 May 2005
Posts: 145

PostPosted: Sun Sep 20, 2020 12:28 pm

Thank you. I think I have a fairly good understanding of this. I just can't figure out what permissions I'm lacking to start X remotely without suid.

Currently my user is a member of the groups video, audio and tty but using "startx -- &" over ssh results in the following error:

Code:
(EE) xf86OpenConsole: Cannot open virtual console 7 (Permission denied)


All /dev/tty* device nodes belong to the tty group so what device is vt7 connected to?

EDIT:

An strace adds one piece to the puzzle.

Code:
[pid  5900] openat(AT_FDCWD, "/dev/tty7", O_RDWR|O_NONBLOCK) = -1 EACCES (Permission denied)


I notice /dev/tty7 only allows write permissions for group tty, but even after changing that to rwx I still get the same error.
SlashBeast
Developer

Joined: 23 May 2006
Posts: 2903

PostPosted: Sun Sep 20, 2020 5:25 pm

The ownership of /dev/ttyN is assigned upon login on said tty, so without suid, and without getting logged in via tty/agetty, you will need to chown the tty device to your user before you can proceed.

I would recommend hacking around /etc/inittab to autologin your user on TTY7, and then adding something into .bashrc like 'if [ "${TTY}" == "/dev/tty7" ]; then exec sleep infinity; fi'. Then you would be able to run X on vt7 without any heavy lifting with adding yourself to groups and changing permissions manually. This, or going back to suid root, which would no longer care about ownership and permissions.
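The autologin-plus-guard setup SlashBeast describes, written out as an added example (not code from the thread). The /etc/inittab entry uses the OpenRC/sysvinit inittab format and agetty's `--autologin` option (assumed from the agetty man page); the user name `pp` and tty7 are the ones from the thread. One detail differs from the quoted one-liner: bash does not set `$TTY` (zsh does), so the guard asks `tty(1)` instead. `install_guard` puts the guard at the very top of the rc file and is idempotent, so re-running it never produces a second copy.

```shell
#!/bin/sh
# Added example: park an auto-logged-in tty so elogind keeps a seat for X,
# without ever exposing an interactive shell on that console.

AUTOLOGIN_USER=${AUTOLOGIN_USER:-pp}
AUTOLOGIN_TTY=${AUTOLOGIN_TTY:-tty7}

# inittab_line -> the entry to append to /etc/inittab (then run `telinit q`).
# id "c7" and runlevels 2345 follow the style of the existing c1..c6 lines.
inittab_line() {
    printf 'c7:2345:respawn:/sbin/agetty --autologin %s --noclear 38400 %s linux\n' \
        "$AUTOLOGIN_USER" "$AUTOLOGIN_TTY"
}

# guard_line -> the line for the user's rc file. exec replaces the shell,
# so no interactive shell ever exists on the parked tty; the login session
# itself stays alive and seated.
guard_line() {
    printf 'if [ "$(tty)" = "/dev/%s" ]; then exec sleep infinity; fi\n' "$AUTOLOGIN_TTY"
}

# should_park TTYPATH -> exit 0 when a shell on that tty must be parked
# (the same decision the guard line makes, usable from other scripts).
should_park() {
    [ "$1" = "/dev/$AUTOLOGIN_TTY" ]
}

# install_guard RCFILE -> prepend the guard once; later runs are no-ops.
# It goes first so nothing else in the rc file runs on the parked tty.
install_guard() {
    rcfile=$1
    line=$(guard_line)
    if [ -f "$rcfile" ] && grep -qF -- "$line" "$rcfile"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    {
        printf '# park the autologin tty so elogind keeps the seat for X\n'
        printf '%s\n' "$line"
        if [ -f "$rcfile" ]; then cat "$rcfile"; fi
    } > "$tmp"
    mv "$tmp" "$rcfile"
}

# Typical use:
#   inittab_line | sudo tee -a /etc/inittab && sudo telinit q
#   install_guard ~/.bashrc
# then, from the ssh session, start X on the seated console as in the thread:
#   startx -- vt7 &
```

Two caveats a practitioner should check: bash login shells read ~/.bash_profile, so the guard only fires if that file sources ~/.bashrc (or you install it into ~/.bash_profile instead), and `sleep infinity` is GNU coreutils syntax. The security property is the one SlashBeast spells out: the seat is obtained by a real tty login, but the console never offers a shell, so someone at the keyboard sees a parked session, not a prompt.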