Gentoo Forums
How do you harden Xorg if you do so?
Forum: Networking & Security
coalms (n00b, joined 28 Nov 2023, 21 posts)
Posted: Mon Dec 04, 2023 8:01 am    Post subject: How do you harden Xorg if you do so?

I have seen USE flags for xorg-server, notably xcsecurity and suid. I have no idea what xcsecurity is, so it is disabled, and I am not sure about suid viability either; you would argue some programs are safer with a sticky bit but others are not, in which case I haven't enabled it.

No idea if any hardening is possible in xorg.conf other than modesetting drivers.

-extension is something I have used as much as I can, since less is always more in securing, except +extension SELINUX of course.
-nolisten as far as I know works only with tcp; every other protocol, at least in /etc/protocols, is probably not compiled into xorg.
-pn and -nopn as far as I understand are for "error handling".
-query, -broadcast, -cookie is a possibility, sending /dev/random to it probably so no one can guess the XDMCP password. About XDMCP, I do not know if this is always on or an opt-in feature, and I do not know how to "disable" it for sure. Thoughts?
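An added example, my own and not code from the thread or from any Gentoo package, tying the flags discussed in the post together: a POSIX sh wrapper that generates a fresh MIT-MAGIC-COOKIE-1, registers it with xauth, and starts Xorg with TCP listening and the XTEST/RECORD extensions disabled, plus a check you can run against an already running server. Two points of fact worth having next to the post: XDMCP is opt-in on the server side (Xorg only speaks it when started with -query, -broadcast or -indirect, so leaving those off is how you disable it), and the -cookie option belongs to that XDMCP family (it is the XDM-AUTHORIZATION-1 key), not the per-session cookie that xauth and -auth handle. Disabling XTEST and RECORD removes two well-known injection and snooping paths but does not give X11 client isolation; any client on the same server can still grab or query keyboard state. The display, vt, auth-file path and the extension list are assumptions to adjust, and the script never starts a server unless RUN_XORG=1 is set.

```sh
#!/bin/sh
# Added example, not code from the thread: start Xorg with an explicit auth
# cookie, no TCP listener, no XDMCP, and two injection-prone extensions off.
# Assumptions: display :0 on vt7, auth file $XAUTHORITY or ~/.Xauthority,
# and that XTEST/RECORD are not needed (xdotool, screen readers and test
# automation depend on them; drop those two -extension flags if you do).

# gen_cookie -> 32 lowercase hex digits (a 128-bit MIT-MAGIC-COOKIE-1).
# Uses mcookie(1) from util-linux when present, otherwise /dev/urandom.
gen_cookie() {
    if command -v mcookie >/dev/null 2>&1; then
        mcookie
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
        echo
    fi
}

# xorg_args DISPLAY AUTHFILE VT -> the server command line as one string.
# No -query/-broadcast/-indirect means no XDMCP. -nolisten tcp closes port
# 6000+display (already the default on current xorg-server; stated anyway).
xorg_args() {
    printf '%s -auth %s %s -nolisten tcp -extension XTEST -extension RECORD' \
        "$1" "$2" "$3"
}

# start_x DISPLAY -> registers a fresh cookie in the auth file and execs Xorg.
start_x() {
    display=${1:-:0}
    authfile=${XAUTHORITY:-$HOME/.Xauthority}
    cookie=$(gen_cookie)
    umask 077
    touch "$authfile"
    xauth -f "$authfile" add "$display" MIT-MAGIC-COOKIE-1 "$cookie"
    # Word-splitting the argument string into separate arguments is intended.
    exec Xorg $(xorg_args "$display" "$authfile" vt7)
}

# check_running DISPLAY -> non-zero if something listens on the display's TCP
# port or the server reports access control disabled (someone ran xhost +).
check_running() {
    port=$((6000 + ${1#:}))
    if ss -ltn 2>/dev/null | grep -q ":$port[[:space:]]"; then
        echo "TCP listener on port $port"; return 1
    fi
    if DISPLAY=$1 xhost 2>/dev/null | grep -q 'access control disabled'; then
        echo "xhost access control is disabled on $1"; return 1
    fi
    return 0
}

if [ "${RUN_XORG:-0}" = 1 ]; then
    start_x "${1:-:0}"
fi
```

Run `RUN_XORG=1 ./harden-x.sh :0` from a VT to start the server, or source the file and call `check_running :0` against a session that is already up; the second check is the quick way to confirm nobody has re-opened the server with `xhost +` behind your back.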
gorg86 (Apprentice, joined 20 May 2011, 299 posts)
Posted: Mon Dec 04, 2023 8:15 pm

Maybe OT, but I noticed this here years ago https://forums.gentoo.org/viewtopic-t-1071044-highlight-.html
I disabled it.
coalms (n00b, joined 28 Nov 2023, 21 posts)
Posted: Tue Dec 05, 2023 1:30 am

gorg86 wrote:
but I noticed this here years ago https://forums.gentoo.org/viewtopic-t-1071044-highlight-.html
I disabled it.

Brilliant, thank you. I wonder why this is not the default, it being commented out with a second comment saying why and what it does, or a man entry or something ;/ Nevertheless, what is "OT"?
gorg86 (Apprentice, joined 20 May 2011, 299 posts)
Posted: Tue Dec 05, 2023 2:51 am

OT = off topic, because your question is network related.
coalms (n00b, joined 28 Nov 2023, 21 posts)
Posted: Tue Dec 05, 2023 8:11 am

gorg86 wrote:
OT = off topic, because your question is network related.

Oh no, you misunderstand: I am looking for hardening in any way; it's just that the network attack vector is more popular on xorg-server, so I focused on that.
spare (n00b, joined 13 Nov 2023, 3 posts)
Posted: Tue Dec 05, 2023 10:07 am

https://github.com/jjiolo/gentoo <- backup of a load of build scripts...
config/etc/self/b.init/system.dev
config/usr/bin/startx
config/etc/xinitrc
config/etc/self/c.server/x.<user>
config/etc/self/c.server/x.<user>
are the current best effort to priv drop Xorg without systemd.

tl;dr
chown -R root:desktop /dev/input /dev/dri /dev/tty7
priv drops xorg-server to uid desktop
holds it open with exec sleep infinite in /etc/xinitrc
then starts dwm on the priv-dropped Xorg server as the running user
Xephyr scripts do exactly the same thing to isolate uid:gid contexts

Been running it for a while now, seems to actually work?
Fairly sure if you overflow the keyboard input queue
then move the mouse to another Xephyr window
it injects keystrokes into that uid context :/
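An added check, my own script and not code from the thread or from the linked repository, for the state the chown/priv-drop recipe above is meant to leave behind: device nodes owned by the desktop group with no permission bits for "other", an Xorg process that is not uid 0, and no X display port open on TCP. The group name and the device list are taken from the post; everything else (GNU find, procps ps, iproute2 ss) is an assumption. audit_devices also accepts regular files so it can be tried on a scratch directory before being pointed at /dev. One caveat the post's last paragraph already hints at: running Xorg or Xephyr under a separate uid bounds what a compromised server can reach, but clients of the same X server are not isolated from each other by the protocol, so the uid boundary has to sit between servers, not between clients of one server.

```sh
#!/bin/sh
# Added example, not from the thread: audit the priv-dropped Xorg setup.
# Assumptions: group "desktop" and the device paths from the post; GNU find,
# procps ps and iproute2 ss (Linux).

# audit_devices GROUP PATH... -> one line per offending node:
#   "other: PATH"  node grants r, w or x to "other"
#   "group: PATH"  node is not owned by GROUP
# Returns 1 if anything was printed. Regular files are included so the
# function can be exercised on a scratch directory. Paths are assumed to
# contain no whitespace, which holds for /dev.
audit_devices() {
    group=$1; shift
    rc=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        for f in $(find "$p" \( -type c -o -type b -o -type f \) -perm /007 2>/dev/null); do
            echo "other: $f"; rc=1
        done
        for f in $(find "$p" \( -type c -o -type b -o -type f \) ! -group "$group" 2>/dev/null); do
            echo "group: $f"; rc=1
        done
    done
    return $rc
}

# xorg_user -> the user the first Xorg process runs as (empty if none).
xorg_user() {
    ps -o user= -C Xorg 2>/dev/null | head -n 1
}

# x_tcp_listener -> 0 if something listens on an X display port (6000-6069
# as matched here; displays :0 to :63 live in 6000-6063).
x_tcp_listener() {
    ss -Hltn 2>/dev/null | grep -Eq ':60[0-6][0-9][[:space:]]'
}

# audit -> runs all three checks against the post's group and device list.
audit() {
    status=0
    audit_devices desktop /dev/input /dev/dri /dev/tty7 || status=1
    u=$(xorg_user)
    case "$u" in
        "")   echo "Xorg: not running" ;;
        root) echo "Xorg: running as root"; status=1 ;;
        *)    echo "Xorg: running as $u" ;;
    esac
    if x_tcp_listener; then
        echo "X display port open on TCP"; status=1
    fi
    return $status
}

if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit
fi
```

Run it as `RUN_AUDIT=1 sh audit-x.sh` after the session is up; a zero exit means the three properties hold at that moment. The device check is worth re-running after a reboot or a udev rule change, because `chown -R` on /dev is not persistent and a new event node created later will come up with udev's default ownership, not the desktop group's.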
NeddySeagoon (Administrator, joined 05 Jul 2003, 54259 posts, location 56N 3W)
Posted: Tue Dec 05, 2023 10:48 am

coalms,

You need to define your threats at the outset, so you know what you want to harden against.
e.g. Full disk encryption on a physically secure system is probably wasted.
Goverp (Advocate, joined 07 Mar 2007, 2009 posts)
Posted: Tue Dec 05, 2023 12:47 pm

Is Xorg the right question? The world seems to think Wayland is the answer to everything.
spare (n00b, joined 13 Nov 2023, 3 posts)
Posted: Tue Dec 05, 2023 1:43 pm

Targeted attacks: you want to look like everyone else; if they burn a 0-day, everyone dies.
Watering hole attacks: you want to be as special a snowflake as possible.
Only write malware to target the largest % of users with the lowest common denominator to increase return.
IMO 3D libraries aren't less complicated to get right than 2D.