| View previous topic :: View next topic |
| Author |
Message |
Punchcutter
Guru
Joined: 11 Feb 2007
Posts: 354
|
 Posted: Mon May 27, 2013 9:46 am Post subject: Why does it seem that xorg is expecting USE="suid" |
 |
|
So... a while ago I upgraded xorg-server and found that there's a USE flag "suid" that seems to be turned on by default, even though the description says that it brings along potential for security vulnerability. Well, sure... suid, duh.
Well, I thought, I don't need that, so I merged without it. Next thing I find is that xorg can't write its log files in /var/log, for permissions reasons, and I can't find a simple way around this, so I (perhaps stupidly) turned suid back on, remerged, and went happily about my life.
On the latest upgrade I was reminded of this, tried the above again (-suid) and have the same problem.
Can someone tell me why such a potentially major security hole seems to be being forced on people? OK, so it's really not "forced", but for this to be the expected mode of operation of X seems really, really suspicious to me. I don't even know why anyone would want their X server to run suid, although I'm sure there's a fringe of users who need this feature. Certainly not the average user, no?
Has anyone found a simple workaround? I thought, if I change the group that owns /var/log, to a group that I can reasonably belong to (currently owner is root:root), and then set 'w' for group, that should fix the log problem. But I don't know what would be a good choice of group to own /var/log. I want to stick to "best practices".
Any advice highly appreciated. I really want to go to -suid for xorg.... do not like running this way. Thanks. |
|
| Back to top |
|
 |
Gusar
Advocate
Joined: 09 Apr 2005
Posts: 2665
Location: Slovenia
|
| Posted: Mon May 27, 2013 11:31 am Post subject: |
|
|
Whether you have X suid or not, it will run as root. And everything running as root is potentially a bigger security threat than something not running as root. That's all there is to it. There's no inherent "OMG I'm in serious danger!!!" aspect about it, no direct security hole, X has been running as root since forever.
BTW, in the past, Gentoo always installed X as suid. Now you have the choice to not have it suid. This works when you use a display manager (gdm, kdm, ...) to launch it. If you launch it with startx, it needs to be suid. But, like I said, in both cases it'll run as root. It has to do with input handling. Right now, if you want X to not run as root, you have to give all users access to input device nodes, but that means users can spy on each other's input, which is of course crazy. Solving that problem requires the kernel to implement revoke(), but the few attempts to implement it failed. |
|
| Back to top |
|
|
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101
|
| Posted: Mon May 27, 2013 12:02 pm Post subject: |
|
|
Punchcutter ...
rather than suid you might use "capabilities" (posix 1003.1e-type capabilities):
| Code: | | # setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg |
See 'man capabilities' ... also, you will need sys-libs/libcap for the setcap/getcap executables.
best ... khay |
|
| Back to top |
|
|
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920
|
| Posted: Mon May 27, 2013 2:13 pm Post subject: Re: Why does it seem that xorg is expecting USE="suid&q |
|
|
| Punchcutter wrote: | | Can someone tell me why such a potentially major security hole seems to be being forced on people? |
X needs access to various hardware, which implies root. This has been the case since the 1980s.
The work to make it run without root has been going on for the better part of a decade but isn't yet finished. Until that work becomes available in a stable version, or unless you're helping to develop it, you should continue to use it as you always have done - i.e. leave that USE flag untouched. |
|
| Back to top |
|
|
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
|
| Posted: Mon May 27, 2013 3:27 pm Post subject: |
|
|
| khayyam wrote: | | Code: | | # setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg |
|
Tanks for the info. I never tried which capabilities are needed for X.
May I suggest that you open a bug for supporting this with USE=caps in xorg-server?
I suppose many people would like to have this set automatically even if it is not so much different from SUID. |
|
| Back to top |
|
|
Fran
Guru
Joined: 29 Feb 2004
Posts: 530
Location: Coruña (Spain)
|
| Posted: Mon May 27, 2013 7:04 pm Post subject: Re: Why does it seem that xorg is expecting USE="suid&a |
|
|
| Ant P. wrote: | | The work to make it run without root has been going on for the better part of a decade but isn't yet finished. Until that work becomes available in a stable version, or unless you're helping to develop it, you should continue to use it as you always have done - i.e. leave that USE flag untouched. |
I thought it was possible since KMS... what's left in X that must have root access? |
|
| Back to top |
|
|
Gusar
Advocate
Joined: 09 Apr 2005
Posts: 2665
Location: Slovenia
|
| Posted: Mon May 27, 2013 7:30 pm Post subject: Re: Why does it seem that xorg is expecting USE="suid&a |
|
|
| Fran wrote: | | what's left in X that must have root access? |
I mentioned it in my post above - input stuff. |
|
| Back to top |
|
|
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101
|
| Posted: Mon May 27, 2013 7:37 pm Post subject: |
|
|
| mv wrote: | May I suggest that you open a bug for supporting this with USE=caps in xorg-server?
I suppose many people would like to have this set automatically even if it is not so much different from SUID. |
mv ... I seem to remember there being one already open but all I can find is bug #450364 in which this would seem to fall under comment 2. Also, the fcaps.eclass (see: bug #460810 and bug #364487) has issues that I think are in part why there isn't wider support for caps.
best ... khay |
|
| Back to top |
|
|
Punchcutter
Guru
Joined: 11 Feb 2007
Posts: 354
|
| Posted: Tue May 28, 2013 5:27 am Post subject: |
|
|
| Thanks for the explanation and discussion, everyone. |
|
| Back to top |
|
|
|
Desktop Environments
