Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Why is our xorg-server setuid, again?
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3  Next  
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5522

PostPosted: Wed Oct 31, 2018 2:32 am    Post subject: Why is our xorg-server setuid, again? Reply with quote

Looking at this GLSA and realising it's the first one in a long time I haven't already been on top of... we used to have a removable USE=suid precisely so unnecessary security risks could be avoided. Who thought it was a good idea to remove that choice?
Back to top
View user's profile Send private message
Marcih
Tux's lil' helper
Tux's lil' helper


Joined: 19 Feb 2018
Posts: 141

PostPosted: Wed Oct 31, 2018 11:36 am    Post subject: Reply with quote

I'm running x11-base/xorg-server-1.19.5-r2 with USE="-suid", my X server with regular user privilidges as per the Gentoo wiki guide without any problems.
As far as I understand, the GLSA mentioned in the OP only affects installations with the suid wrapper, right? Am I supposed to understand that the "suid" flag has been removed again in subsequent versions? If so, thanks for the heads-up Ant P., will be masking new Xorg server versions and I'm 100% with you.

What exactly is the reason for removing the option? Does running Xorg version 1.20.* as user break something? Would love to hear the maintainers chime in.
_________________
Bones McCracker wrote:
It wouldn't be so bad, if it didn't suck.

===
I refuse to move on from GTK+2.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3656
Location: Dallas area

PostPosted: Wed Oct 31, 2018 11:52 am    Post subject: Reply with quote

Code:
$ grep suid xor*
xorg-server-1.19.5-r2.ebuild:IUSE="${IUSE_SERVERS} debug +glamor ipv6 libressl minimal selinux +suid systemd tslib +udev unwind xcsecurity"
xorg-server-1.19.5-r2.ebuild:      $(use_enable suid install-setuid)
xorg-server-1.20.1.ebuild:      $(use_enable systemd suid-wrapper)
xorg-server-1.20.2.ebuild:      $(use_enable systemd suid-wrapper)
xorg-server-1.20.3.ebuild:      $(use_enable systemd suid-wrapper)
xorg-server-9999.ebuild:      $(use_enable systemd suid-wrapper)


Odd

edit to add: from the 1.20 tarball, configure --help
Code:
  --enable-suid-wrapper   Build suid-root wrapper for legacy driver support on
                          rootless xserver systems (default: no)
...
  --enable-install-setuid Install Xorg server as owned by root with setuid bit
                          (default: auto)

_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
Zucca
Veteran
Veteran


Joined: 14 Jun 2007
Posts: 1452
Location: KUUSANKOSKI, Finland

PostPosted: Wed Oct 31, 2018 12:20 pm    Post subject: Reply with quote

Do I need to expect bumping into any problems with -suid on xorg-server?
I took a look and I have +suid, which seems to be the default on the profile I use.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3656
Location: Dallas area

PostPosted: Wed Oct 31, 2018 12:52 pm    Post subject: Reply with quote

From the 1.20.3 ebuild

Code:
        $(use_enable systemd suid-wrapper)
        $(use_enable !systemd install-setuid)



So basically without making changes to the ebuild

If "systemd flag" is set, then suid-wrappers is used, which turns off install-setuid (in configure)
if "not systemd flag" then install-setuid is enabled (explicity)


Edit to add: what they should have done is changed the suid flag to suid-wrappers (to make it clearer)
in the configure script install-setuid and suid-wrapper are mutually exclusive.
It shouldn't have been shoved under the systemd flag (which pulls in dbus and systemd) :roll:
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5573
Location: Removed by Neddy

PostPosted: Wed Oct 31, 2018 1:17 pm    Post subject: Reply with quote

Anon-E-moose wrote:
From the 1.20.3 ebuild

Code:
        $(use_enable systemd suid-wrapper)
        $(use_enable !systemd install-setuid)



So basically without making changes to the ebuild

If "systemd flag" is set, then suid-wrappers is used, which turns off install-setuid (in configure)
if "not systemd flag" then install-setuid is enabled (explicity)


Edit to add: what they should have done is changed the suid flag to suid-wrappers (to make it clearer)
in the configure script install-setuid and suid-wrapper are mutually exclusive.
It shouldn't have been shoved under the systemd flag (which pulls in dbus and systemd) :roll:
oh the irony of having a more secure xorg by installing systemd(shame that sort of opens every door and window you have)
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3656
Location: Dallas area

PostPosted: Wed Oct 31, 2018 1:24 pm    Post subject: Reply with quote

Naib wrote:
oh the irony of having a more secure xorg by installing systemd(shame that sort of opens every door and window you have)


Especially considering https://forums.gentoo.org/viewtopic-t-1088680.html ([ GLSA 201810-10 ] systemd)
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5522

PostPosted: Wed Oct 31, 2018 8:43 pm    Post subject: Reply with quote

They changed it to depend on… systemd? How does that make any damn sense‽

X doesn't need setuid unless you're running startx from the command line as a normal user without /dev access. That's an incredibly specific setup, and the people with it know what they are doing. Let them set USE=suid and let the rest of us with a sane service manager or graphical login not be exposed to high-severity vulns by default, ffs.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3656
Location: Dallas area

PostPosted: Wed Oct 31, 2018 8:52 pm    Post subject: Reply with quote

It's still there ... in the configure ... it's just not in the ebuild, copy it to local and make changes, it's not rocket science or file a bug report, if there's not one already

The changes between 1.19.5 and 1.20.3 are just a few as far as suid stuff

Code:
-IUSE="${IUSE_SERVERS} debug +glamor ipv6 libressl minimal selinux +suid systemd tslib +udev unwind xcsecurity"
+IUSE="${IUSE_SERVERS} debug +glamor ipv6 libressl minimal selinux systemd +udev unwind xcsecurity"
...
-      $(use_enable suid install-setuid)
...
+      $(use_enable systemd suid-wrapper)
+      $(use_enable !systemd install-setuid)



Edit to add: already done https://bugs.gentoo.org/669648 go add your view. :lol:
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Thu Nov 01, 2018 11:29 am    Post subject: Reply with quote

Anon-E-moose wrote:
done https://bugs.gentoo.org/669648 go add your view. :lol:

Looking at that bug, I wonder if the Gentoo maintainer understands Xorg enough. Reminds me of OpenRC roadmap converging towards systemd. Is there a Gentoo push towards systemd?
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5573
Location: Removed by Neddy

PostPosted: Thu Nov 01, 2018 11:45 am    Post subject: Reply with quote

josephg wrote:
Anon-E-moose wrote:
done https://bugs.gentoo.org/669648 go add your view. :lol:

Looking at that bug, I wonder if the Gentoo maintainer understands Xorg enough. Reminds me of OpenRC roadmap converging towards systemd. Is there a Gentoo push towards systemd?

I wouldn't say there is a Gentoo push to systemd as it is just a framework and there is both advocates and questioners of systemd within Gentoo.

You are probably right the Devs probably do not fully understand xorg BUT I would say xorg Devs don't understand xorg... This CVE is stupid and should not even occur...
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king


Last edited by Naib on Thu Nov 01, 2018 2:45 pm; edited 1 time in total
Back to top
View user's profile Send private message
Zucca
Veteran
Veteran


Joined: 14 Jun 2007
Posts: 1452
Location: KUUSANKOSKI, Finland

PostPosted: Thu Nov 01, 2018 2:42 pm    Post subject: Reply with quote

Naib wrote:
This CVE is stupid and should not even occur...
++
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3656
Location: Dallas area

PostPosted: Thu Nov 01, 2018 2:58 pm    Post subject: Reply with quote

The key to the cve is

Quote:
allows unprivileged users with the ability to log in to the system via physical console


That's the problem, it doesn't matter if X is suid or not.

If I have physical access to the system I can find innumerable ways to gain root access or access to information on the system, whether X is suid or not.

I run X suid, it's just habit, and I don't think anything of it, it's a single user system. If someone can physical access my computer then there's bigger problem than a suid X.
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5573
Location: Removed by Neddy

PostPosted: Thu Nov 01, 2018 3:08 pm    Post subject: Reply with quote

Anon-E-moose wrote:
The key to the cve is

Quote:
allows unprivileged users with the ability to log in to the system via physical console


That's the problem, it doesn't matter if X is suid or not.

If I have physical access to the system I can find innumerable ways to gain root access or access to information on the system, whether X is suid or not.

I run X suid, it's just habit, and I don't think anything of it, it's a single user system. If someone can physical access my computer then there's bigger problem than a suid X.
exactly, still the solution shouldn't be systemd
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5522

PostPosted: Thu Nov 01, 2018 3:28 pm    Post subject: Reply with quote

Anon-E-moose wrote:
The key to the cve is

Quote:
allows unprivileged users with the ability to log in to the system via physical console


That's the problem, it doesn't matter if X is suid or not.

If I have physical access to the system I can find innumerable ways to gain root access or access to information on the system, whether X is suid or not.

I run X suid, it's just habit, and I don't think anything of it, it's a single user system. If someone can physical access my computer then there's bigger problem than a suid X.

You have that completely backwards.

X requires suid to log in via the physical console.

Having a suid binary with unsanitised command line parameters allows any user-level process to trivially pwn your box. They don't need a physical console.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3656
Location: Dallas area

PostPosted: Thu Nov 01, 2018 3:32 pm    Post subject: Reply with quote

Naib wrote:
still the solution shouldn't be systemd


Agreed.

Even though the guy, according to the bug link I posted, admitted he was new to it and was working alone, I'm not sure why he chose the systemd flag to put it under.
Since being suid or not has nothing to do with systemd. But much of the noise in that bug thread is confusing it doesn't help matters.

They need 2 flags, put back suid (and it needs to send enabled/disabled, not just enabled, since it's auto in the configure script)
And suid-wrapper (only needs enabled as it's disabled by default)
Then people could set it how they needed.
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3656
Location: Dallas area

PostPosted: Thu Nov 01, 2018 3:44 pm    Post subject: Reply with quote

Ant P. wrote:
Anon-E-moose wrote:
The key to the cve is

Quote:
allows unprivileged users with the ability to log in to the system via physical console


That's the problem, it doesn't matter if X is suid or not.

If I have physical access to the system I can find innumerable ways to gain root access or access to information on the system, whether X is suid or not.

I run X suid, it's just habit, and I don't think anything of it, it's a single user system. If someone can physical access my computer then there's bigger problem than a suid X.

You have that completely backwards.

X requires suid to log in via the physical console.


No you don't need X to be suid, you need permission for input and video groups or perhaps the network group/access if not suid.
https://wiki.gentoo.org/wiki/Non_root_Xorg

Quote:
Having a suid binary with unsanitised command line parameters allows any user-level process to trivially pwn your box. They don't need a physical console.


If they can access my internal network then there's bigger problems than a suid X or whichever program.


IMO, everything that people are getting all up in arms and running around screaming "the sky is falling" is predicated on them being paranoid about either access to the physical machine or the network it runs on. Both of which can be controlled.
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5522

PostPosted: Thu Nov 01, 2018 3:56 pm    Post subject: Reply with quote

Anon-E-moose wrote:
No you don't need X to be suid, you need permission for input and video groups or perhaps the network group/access if not suid.
https://wiki.gentoo.org/wiki/Non_root_Xorg

No need to paraphrase my earlier posts at me, I know how it works.

And you're continuing to miss the point. We *had* a mitigation for a high-level CVE. Someone too lazy to RTFM took that away in favour of coercing users onto systemd. This is a developer attitude problem.
Back to top
View user's profile Send private message
asturm
Developer
Developer


Joined: 05 Apr 2007
Posts: 6788
Location: Austria

PostPosted: Thu Nov 01, 2018 4:02 pm    Post subject: Reply with quote

Ant P. wrote:
in favour of coercing users onto systemd.

That's a baseless assumption.
_________________
backend.cpp:92:2: warning: #warning TODO - this error message is about as useful as a cooling unit in the arctic
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5522

PostPosted: Thu Nov 01, 2018 4:05 pm    Post subject: Reply with quote

Save the hot air and posturing for when users are no longer being put at risk.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3656
Location: Dallas area

PostPosted: Thu Nov 01, 2018 4:07 pm    Post subject: Reply with quote

No, I don't think I'm missing the point at all.
1. The CVE was based on developer laziness and not at all what I would consider "high level", and the knee-jerk response to "remove the suid flag" was stupid.

2. I pointed out earlier on that it was wrong to stuff what they did under the systemd flag.

3. I make no judgment on whether the ebuild dev was too lazy to RTFM or just overworked (I don't know what else he handles), and judging by his input in the bug I linked he seems to be trying to work with people for the best solution, without extra work (for him) being created in the future due to it.

4. My response about suid X was based on your last statement "X requires suid to log in via the physical console."

Anyway, no arguments from me, y'all have fun.
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
asturm
Developer
Developer


Joined: 05 Apr 2007
Posts: 6788
Location: Austria

PostPosted: Thu Nov 01, 2018 4:09 pm    Post subject: Reply with quote

Ant P. wrote:
Save the hot air and posturing

Speak for yourself.
_________________
backend.cpp:92:2: warning: #warning TODO - this error message is about as useful as a cooling unit in the arctic
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Thu Nov 01, 2018 4:59 pm    Post subject: Reply with quote

Wouldn't setgid be safer than suid, if at all necesary? http://wiki.gentoo.org/wiki/Non_root_Xorg#Alternative_method
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13384

PostPosted: Fri Nov 02, 2018 2:13 am    Post subject: Reply with quote

josephg wrote:
Wouldn't setgid be safer than suid, if at all necesary? http://wiki.gentoo.org/wiki/Non_root_Xorg#Alternative_method
Yes, except that setgid can only set one gid, and according to those instructions, you need to guarantee two gids. However, a setuid-root wrapper that changed its groups, then changed effective uid to real id, then exec'd Xorg, should be sufficient. Such a wrapper could be quite small and easy to audit, since it would not need to accept any user configurability. Xorg has a wrapper, but it is not as trivial as I would like, since it goes poking about trying to determine at runtime whether to retain root or drop it. That makes it complex enough that I cannot tell at a glance whether it might have a security problem lurking. I envisioned a wrapper that is hardcoded to work exactly one way.
Back to top
View user's profile Send private message
ChrisJumper
Advocate
Advocate


Joined: 12 Mar 2005
Posts: 2204
Location: Germany

PostPosted: Fri Nov 02, 2018 9:26 am    Post subject: Reply with quote

Marcih wrote:
I'm running x11-base/xorg-server-1.19.5-r2 with USE="-suid", my X server with regular user privilidges as per the Gentoo wiki guide without any problems.


Thank you for that hint! Before i try to use wayland on unimportant Desktop Systems, but it did not work so well.. and on Gaming Machines the nvidia drivers did not support it when i try to migrate the last time.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Goto page 1, 2, 3  Next
Page 1 of 3

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum