Old 12-16-2021, 08:55 PM   #31
Jeebizz
Senior Member
 
Registered: May 2004
Distribution: Slackware15.0 64-Bit Desktop, Debian 11 non-free Toshiba Satellite Notebook
Posts: 4,186

Rep: Reputation: 1378

Quote:
Originally Posted by glorsplitz View Post
Code:
chmod 755 /usr/libexec/Xorg*
Code:
ps -af | grep X
no root X identified processes, just normal user

seems to be working
So a chmod and that's it? I am curious to try this, but I am running 14.2 (I did update the xorg security from the email list though) - If also that's all it takes, I hope maybe Pat has already or will plan on changing this soon on --Current? Unless there are still technical reasons to default as is and leave it up to the user...

-edit

On second thought, I think I won't try this on my machine, but I will on a VM (--Current), I'll probably end up breaking X in 14.2.

Last edited by Jeebizz; 12-16-2021 at 09:21 PM.
 
1 members found this post helpful.
Old 12-16-2021, 09:16 PM   #32
drgibbon
Senior Member
 
Registered: Nov 2014
Distribution: Slackware64 15.0
Posts: 1,220

Rep: Reputation: 942
Quote:
Originally Posted by glorsplitz View Post
Code:
chmod 755 /usr/libexec/Xorg*
Code:
ps -af | grep X
no root X identified processes, just normal user

seems to be working
I think ps -ef is what you want (or -Af):
Code:
ps -ef | grep Xorg
root     11789 11786  8 11:12 tty7     00:00:04 /usr/libexec/Xorg -nolisten tcp -auth /var/run/sddm/{94682145-7605-4fa1-93d2-bd747c93c0af} -background none -noreset -displayfd 17 -seat seat0 vt7
The latest updates for -current and `chmod 755 /usr/libexec/Xorg*` aren't changing the process away from root for me, at least at runlevel 4.
 
1 members found this post helpful.
Old 12-16-2021, 09:55 PM   #33
Jeebizz
Senior Member
 
Registered: May 2004
Distribution: Slackware15.0 64-Bit Desktop, Debian 11 non-free Toshiba Satellite Notebook
Posts: 4,186

Rep: Reputation: 1378
Quote:
Originally Posted by drgibbon View Post
I think ps -ef is what you want (or -Af):
Code:
ps -ef | grep Xorg
root     11789 11786  8 11:12 tty7     00:00:04 /usr/libexec/Xorg -nolisten tcp -auth /var/run/sddm/{94682145-7605-4fa1-93d2-bd747c93c0af} -background none -noreset -displayfd 17 -seat seat0 vt7
The latest updates for -current and `chmod 755 /usr/libexec/Xorg*` aren't changing the process away from root for me, at least at runlevel 4.
What if you add yourself to the video group? I don't know, just throwing stuff at the wall, and maybe you have already done that, but who knows.
 
Old 12-16-2021, 09:59 PM   #34
0XBF
Member
 
Registered: Nov 2018
Distribution: Slackware
Posts: 765

Rep: Reputation: 863
AFAIK the only display manager that supports starting rootless Xorg is GDM.

I found this commit to add rootless Xorg support to sddm in their "develop" branch, but it doesn't seem to be in the sddm-0.19.0 version that was the last release. https://github.com/sddm/sddm/pull/13...d4f72edb86c655
 
Old 12-16-2021, 10:09 PM   #35
Jeebizz
Senior Member
 
Registered: May 2004
Distribution: Slackware15.0 64-Bit Desktop, Debian 11 non-free Toshiba Satellite Notebook
Posts: 4,186

Rep: Reputation: 1378
I did not change to inittab 4, I ran startx (KDE):
Code:
bash-5.1$ ps -af | grep X
slacker   1291  1270  0 21:56 tty1     00:00:00 xinit /home/slacker/.xinitrc -- /usr/bin/X :0 vt1 -keeptty -auth /home/slacker/.serverauth.1270
slacker   1292  1291  2 21:56 tty1     00:00:01 /usr/libexec/Xorg :0 vt1 -keeptty -auth /home/slacker/.serverauth.1270
slacker   1778  1775  0 21:57 pts/1    00:00:00 grep X
bash-5.1$
I exited, and then checked again under full wayland (startkwayland (KDE))
Code:
bash-5.1$ ps -af | grep X
slacker   1827  1821  1 21:58 tty1     00:00:00 /usr/bin/Xwayland :0 -auth /run/user/1000/xauth_zhDEuh -listenfd 46 -listenfd 47 -displayfd 38 -rootless -wm 41
slacker   2093  2090  0 21:59 pts/1    00:00:00 grep X
bash-5.1$
Still running as non root, so far so good. Now I changed to inittab 4 (also, both sddm and my user "slacker" are added to the video group)... Err, but I got this now:
[Attached image: VirtualBox_Slackware --Current_16_12_2021_22_07_48.png]

-edit

Quote:
Originally Posted by 0XBF View Post
AFAIK the only display manager that supports starting rootless Xorg is GDM.

I found this commit to add rootless Xorg support to sddm in their "develop" branch, but it doesn't seem to be in the sddm-0.19.0 version that was the last release. https://github.com/sddm/sddm/pull/13...d4f72edb86c655
Well shit, I found that out the hard way

-edit2

I clicked ok, then got a login though:
[Attached image: VirtualBox_Slackware --Current_16_12_2021_22_10_50.jpg]

-edit3

Checked and it shows I am running X (I didn't get a chance to even choose XSession or Full Wayland)
Code:
slacker@vslack:~$ ps -af | grep X
slacker   1716  1713  0 22:12 pts/1    00:00:00 grep X
slacker@vslack:~$

Last edited by Jeebizz; 12-16-2021 at 10:15 PM.
 
1 members found this post helpful.
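The two checks done by hand in the posts above (is the X server binary still setuid, and which user owns the running server), as an added example that is not from any poster. The sample lines are constructed from the ps output in this thread, and the function names are made up for the example.

```sh
#!/bin/sh
# Added example: who owns the X server, and is its binary still setuid?

# setuid_state PATH: print "setuid" if the set-user-ID bit is set.
setuid_state() {
    if [ -u "$1" ]; then echo setuid; else echo no-setuid; fi
}

# classify_x_servers: read "USER PID ARGS..." lines, the shape produced by
# `ps -eo user=,pid=,args=`, and print "<verdict> <user> <pid> <binary>"
# for each X server. -e lists every process; `ps -a` leaves out session
# leaders and processes without a terminal.
classify_x_servers() {
    awk '{
        n = split($3, parts, "/"); name = parts[n]
        # Compare the executable name only, so "grep X" and
        # "xinit ... -- /usr/bin/X" are not mistaken for a server.
        if (name == "Xorg" || name == "X" || name == "Xwayland") {
            verdict = ($1 == "root") ? "ROOT" : "rootless"
            print verdict, $1, $2, $3
        }
    }'
}

# count_root_x_servers: number of X servers on stdin that run as root.
count_root_x_servers() {
    classify_x_servers | awk '$1 == "ROOT" { n++ } END { print n + 0 }'
}

# Constructed sample input, reshaped from the ps output posted in this thread.
SAMPLE_SDDM='root 11789 /usr/libexec/Xorg -nolisten tcp -auth /var/run/sddm/{id} -seat seat0 vt7'
SAMPLE_STARTX='slacker 1291 xinit /home/slacker/.xinitrc -- /usr/bin/X :0 vt1 -keeptty
slacker 1292 /usr/libexec/Xorg :0 vt1 -keeptty -auth /home/slacker/.serverauth.1270
slacker 1778 grep X'

printf '%s\n' "$SAMPLE_SDDM" | classify_x_servers     # display manager case
printf '%s\n' "$SAMPLE_STARTX" | classify_x_servers   # startx case

# On a live system:
#   ps -eo user=,pid=,args= | classify_x_servers
for f in /usr/libexec/Xorg*; do
    if [ -e "$f" ]; then echo "$f: $(setuid_state "$f")"; fi
done
```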
Old 12-17-2021, 12:32 AM   #36
franzen
Member
 
Registered: Nov 2012
Distribution: slackware
Posts: 535

Rep: Reputation: 379
Quote:
Originally Posted by kjhambrick View Post
Is there a workaround if I do not ever want to execute startx automatically?
Looks like all I need to do is leave this line ...
Yes, I just added that line to have the same login flow as if using xdm.
Login in tty2 is still possible without automatically starting X.

Quote:
IOW ... Does the modified version of xorg work if you type `startx` at the bash prompt?
Yes.
 
Old 12-17-2021, 12:39 AM   #37
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,500

Rep: Reputation: 3308
Quote:
Originally Posted by Jeebizz View Post
So a chmod and that's it? I am curious to try this, but I am running 14.2 (I did update the xorg security from the email list though) - If also that's all it takes, I hope maybe Pat has already or will plan on changing this soon on --Current? Unless there are still technical reasons to default as is and leave it up to the user...
Will work ONLY on the latest updated -current.

Will NOT work on Slackware 14.2 because its Xorg server is built without logind support and, guess what? There is no such thing like a logind server.
 
Old 12-17-2021, 12:55 AM   #38
franzen
Member
 
Registered: Nov 2012
Distribution: slackware
Posts: 535

Rep: Reputation: 379
Quote:
Originally Posted by 0XBF View Post
When I run 'startx' for a rootless Xorg session I see this error was printed to the console after ending the graphical session:
Code:
xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)
Anyone else see the same thing?
Yes, but only occasionally after the session. I also use the self-built xorg-server.

As someone else noted, by starting X via runlevel 4 the X process belongs to root again. This is expected afaik.
 
Old 12-17-2021, 01:32 AM   #39
Jeebizz
Senior Member
 
Registered: May 2004
Distribution: Slackware15.0 64-Bit Desktop, Debian 11 non-free Toshiba Satellite Notebook
Posts: 4,186

Rep: Reputation: 1378
Quote:
Originally Posted by LuckyCyborg View Post
Will work ONLY on the latest updated -current.

Will NOT work on Slackware 14.2 because its Xorg server is built without logind support and, guess what? There is no such thing like a logind server.
I figured, but as also pointed out by others, in inittab 4, sddm complains - and it doesn't seem to work. I have added my user in groups to the video group and sddm is also in the video group, but still nothing. I hope there is a solution - and again if possible - I hope this is by default in the NEXT release at least (15.1).
 
Old 12-17-2021, 11:47 AM   #40
Charadon
Member
 
Registered: Mar 2017
Location: Somewhere
Distribution: Slackware Current
Posts: 47

Original Poster
Rep: Reputation: 16
Well, I updated my xorg-server to the main repo ones, and after applying the chmod, rootless xorg still works! I feel like this should be added somewhere in the Slackware Wiki because unless someone read that changelog or was following this thread, they'll never figure that out, and it should also mention that SDDM doesn't support rootless and that, as of right now, you need to run your Xorg using startx to get it rootless.
 
1 members found this post helpful.
Old 12-17-2021, 01:35 PM   #41
Tonus
Senior Member
 
Registered: Jan 2007
Location: Paris, France
Distribution: Slackware-15.0
Posts: 1,405
Blog Entries: 3

Rep: Reputation: 514
You almost did it :-)
 
Old 12-17-2021, 06:22 PM   #42
corvian
LQ Newbie
 
Registered: Dec 2021
Posts: 7

Rep: Reputation: Disabled
I was looking at the changelog and noticed efforts to patch xorg and whatnot to achieve rootless with elogind. I am able to do that without any seat managers (elogind) or suid by applying the following steps:

- add your user to the following groups: video,input
- in /etc/X11/Xwrapper.config write: needs_root_rights = no
- enable DRM for your video driver
- chown youruser:tty /dev/tty1
- startx -- tty1

Not tested with desktop environments, only window managers.
I am on void linux awaiting slack 15 to try it out. Tell me if that works for you on current slack. If it does maybe Pat should be made aware that he does not need to do the extra work (nor use elogind).

Last edited by corvian; 12-17-2021 at 06:29 PM. Reason: cleanup
 
Old 12-17-2021, 06:24 PM   #43
Charadon
Member
 
Registered: Mar 2017
Location: Somewhere
Distribution: Slackware Current
Posts: 47

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by corvian View Post
I was looking at the changelog and noticed efforts to patch xorg and whatnot to achieve rootless with elogind. I am able to do that without any seat managers (elogind) or suid by applying the following steps:

- add your user in the following groups: video,input
- in /etc/X11/Xwrapper.config write: needs_root_rights = no
- enable DRM for your video driver
- chown youruser:youruser /dev/tty1
- startx -- tty1

Not tested with desktop environments, only window managers.
I am on void linux awaiting slack 15 to try it out. Tell me if that works for you on current slack. If it does maybe Pat should be made aware that he does not need to do the extra work (nor use elogind).
Wouldn't /dev/tty1 get overridden upon restart to not be owned by the user anymore? Also, adding yourself to video and input groups, as others have said, is a bit of a security nightmare.
 
1 members found this post helpful.
Old 12-17-2021, 06:32 PM   #44
corvian
LQ Newbie
 
Registered: Dec 2021
Posts: 7

Rep: Reputation: Disabled
It does not get overwritten on my system, although I have seen that happen. I don't remember why, but it stopped in the end. I think I was using systemd distro at the time.
I can't comment on the security part, maybe someone else can.
 
Old 12-17-2021, 07:17 PM   #45
Charadon
Member
 
Registered: Mar 2017
Location: Somewhere
Distribution: Slackware Current
Posts: 47

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by corvian View Post
It does not get overwritten on my system, although I have seen that happen. I don't remember why, but it stopped in the end. I think I was using systemd distro at the time.
I can't comment on the security part, maybe someone else can.
From my limited knowledge, the main issue with the video and input group is that it gives you full access to video and input system-wide. Which is pretty bad from what I know. While logind tries to make you access what you need and nothing more.
 
1 members found this post helpful.
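An added example (not from any poster) that audits the group-based setup discussed in posts #42 to #45: it reads needs_root_rights from an Xwrapper.config and reports which of the video and input groups a user belongs to. The sample files, GIDs and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the group-based rootless X setup from posts #42-#45.
# File paths are arguments so the checks can run against copies.

# xwrapper_needs_root FILE: print the needs_root_rights value in FILE.
# A missing file or key is reported as "auto", the wrapper's default.
xwrapper_needs_root() {
    val=$(sed -n 's/^[[:space:]]*needs_root_rights[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    echo "${val:-auto}"
}

# group_members GROUPFILE GROUP: print the members of GROUP, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# broad_device_access GROUPFILE USER: print which of video/input USER is in.
# Membership applies to every device node owned by that group, whoever is
# sitting at the seat, which is the concern raised in post #45.
broad_device_access() {
    found=""
    for g in video input; do
        if group_members "$1" "$g" | grep -qxF "$2"; then
            found="${found:+$found,}$g"
        fi
    done
    echo "${found:-none}"
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
printf '%s\n' 'video:x:18:sddm,slacker' 'input:x:71:slacker' \
    'audio:x:17:slacker' > "$demo/group"
printf '%s\n' '# constructed sample' 'needs_root_rights = no' \
    > "$demo/Xwrapper.config"

echo "needs_root_rights: $(xwrapper_needs_root "$demo/Xwrapper.config")"
echo "slacker: $(broad_device_access "$demo/group" slacker)"
echo "sddm: $(broad_device_access "$demo/group" sddm)"
```

On a real system, pass /etc/X11/Xwrapper.config and /etc/group instead of the sample files.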