LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 01-08-2019, 09:06 PM   #1
wichn
LQ Newbie
 
Registered: Jan 2019
Posts: 3

Rep: Reputation: Disabled
Non root Xorg on Slackware


Debian has moved to non root xorg for a long time, and OpenBSD just removed SUID bit on the Xorg binary for security concerns. What prevents Slackware from doing so?

Following the Gentoo wiki, I recompiled xorg-server with
Code:
--disable-suid-wrapper --disable-install-setuid
then executed
Code:
$ chown :input /usr/bin/Xorg
$ chmod g+s /usr/bin/Xorg
and everything works fine.

Can we have non root Xorg by default?
 
Old 01-08-2019, 09:49 PM   #2
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 301

Rep: Reputation: 133Reputation: 133
Quote:
Originally Posted by wichn View Post
What prevents Slackware from doing so?
But how did you start Xorg?

If it's from a full-screen login (through a display manager), it is started as root anyway, so the setuid bit doesn't make a difference, but a lot of users still login in text mode and then use "startx" to start the GUI, and then it is started by a (I hope) non-privileged user and will need the setuid to run as root, so that it can control the resources (screen, keyboard and mouse etc) that it needs.
At least, that's how I see it.

As far as I know Debian always uses gdm to login, and - as I said above - then Xorg has already been started before you login.
 
Old 01-09-2019, 03:53 AM   #3
average_user
Member
 
Registered: Dec 2010
Location: Warsaw, Poland
Distribution: Slackware
Posts: 323

Rep: Reputation: 124Reputation: 124
Cool, I considered using capabilities https://www.linuxquestions.org/quest...ml#post5946081 instead of simply changing group ownership to owner.
Quote:
Originally Posted by ehartman View Post
But how did you start Xorg?

If it's from a full-screen login (through a display manager), it is started as root anyway, so the setuid bit doesn't make a difference, but a lot of users still login in text mode and then use "startx" to start the GUI, and then it is started by a (I hope) non-privileged user and will need the setuid to run as root, so that it can control the resources (screen, keyboard and mouse etc) that it needs.
At least, that's how I see it.
Not necessarily. As OP said it should be enough to change group ownerhsip. Notice that at least some files that Xorg keeps open belong to `input' group:
Code:
$ sudo lsof -p $(pidof Xorg) | grep event
Xorg    2214 root   14u      CHR              13,67      0t0      11325 /dev/input/event3
Xorg    2214 root   15u      CHR              13,66      0t0      11324 /dev/input/event2
Xorg    2214 root   16u      CHR              13,75      0t0      27705 /dev/input/event11
Xorg    2214 root   17u      CHR              13,76      0t0      27707 /dev/input/event12
Xorg    2214 root   18u      CHR              13,74      0t0   98870892 /dev/input/event10
Xorg    2214 root   19u      CHR              13,64      0t0      11322 /dev/input/event0
Xorg    2214 root   20u      CHR              13,78      0t0      12427 /dev/input/event14
Xorg    2214 root   21u      CHR              13,65      0t0      11323 /dev/input/event1
Xorg    2214 root   22u      CHR              13,77      0t0   88533633 /dev/input/event13
$ ls -l /dev/input/event13
crw-rw---- 1 root input 13, 77 Dec 14 14:54 /dev/input/event13
 
Old 01-10-2019, 02:33 AM   #4
igadoter
Senior Member
 
Registered: Sep 2006
Location: wroclaw, poland
Distribution: many, primary Slackware
Posts: 1,185
Blog Entries: 1

Rep: Reputation: Disabled
I guess the simplest thing is let OP start Slackware in runlevel 3, then start Xorg with startx command - and post how it works.
 
Old 01-10-2019, 05:29 AM   #5
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 364

Rep: Reputation: 213Reputation: 213Reputation: 213
Quote:
Originally Posted by wichn View Post
Code:
--disable-suid-wrapper --disable-install-setuid
...
$ chown :input /usr/bin/Xorg
$ chmod g+s /usr/bin/Xorg
If X.Org recommends running it SGID input then it's ok. Otherwise it could be a security problem. The xserver has been written with the knowledge that it may be SUID root, but maybe the programmers didn't take into account that someone would run it as SGID input. There is a risk of privilege escalation to group input: any other user able to run /usr/bin/Xorg could possible be able to snoop the user by accessing /dev/input, if not taken care of.

X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed SUID root. But then startx won't work.

Last edited by Petri Kaukasoina; 01-10-2019 at 05:48 AM.
 
Old 01-10-2019, 08:11 AM   #6
chemfire
Member
 
Registered: Sep 2012
Posts: 211

Rep: Reputation: Disabled
Petri,

I generally agree with you that the advice of the maintainers should be followed, as far as permissions. Go generally I would not think however that moving from SUID - root to SGID anything other than root; would pose much of a threat. When your uid is root (absent things like SELinux) basically all kernel authorization checks just say "yes." So anything you might touch from a pid running as group input, you'd definitely be able to touch from pid running as uid 0.

For this to be a new vulnerability there would have to be some pretty sloppy code out there that stops doing authorization checks within X, when X isnt root. Which is possible but probably not likely.
 
Old 01-10-2019, 11:03 AM   #7
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 364

Rep: Reputation: 213Reputation: 213Reputation: 213
I guess you are right. I took a look at xorg-server-1.20.3/os/utils.c in slackware-current xorg-server code and it looks like it also checks for the possibility of the effective group changed and not just effective uid when deciding whether it's run privileged or not, and decides whether user input should be checked or not. The comment in line 1787 only talks about checking the euid, but the code really checks the egid, too (line 1732).

Edit:

In slackware-14.2 the comment is right. It only checks for suid and not sgid. Look at line 1855 in xorg-server-1.18.3/os/utils.c. It sanitates user input only when run suid root, not when the effective group is changed. They have fixed it later.

Last edited by Petri Kaukasoina; 01-10-2019 at 11:16 AM.
 
Old 01-10-2019, 11:33 AM   #8
Gordie
Member
 
Registered: Aug 2007
Location: Nolalu, Ontario, Canada
Posts: 471

Rep: Reputation: 164Reputation: 164
Hmm, a single post ever and it starts another fluster cluck thread
 
Old 01-12-2019, 03:28 PM   #9
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware64
Posts: 751
Blog Entries: 26

Rep: Reputation: 926Reputation: 926Reputation: 926Reputation: 926Reputation: 926Reputation: 926Reputation: 926Reputation: 926
Quote:
Originally Posted by Gordie View Post
Hmm, a single post ever and it starts another fluster cluck thread
What? No, this seems like a normal, well-functioning technical discussion. As first posts go, it's a good one.
 
1 members found this post helpful.
Old Yesterday, 01:46 PM   #10
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys for decades while testing others to keep up
Posts: 2,076

Rep: Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994
I don't have this problem since I always boot to runlevel3, login as actual root, and use "kdm" to get into "X" at the Login/Chooser. I never use "startx". I suppose it's just a hangover from old security concerns, but it works, it's safe, and it's trivial to choose any number of WM/DEs or drop back to runlevel3. I like Failsafes, even if they require an extra step or two or redundancies.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how can i write to a root:root 750 file with a non-root user? Droa Linux - Newbie 1 05-14-2012 08:49 PM
xkb not switching keymap on non-root users (xorg) z3r0v3rs10n Linux - Software 0 05-21-2007 05:17 PM
Monitoring traffic tool/web based(non-cgi?)/non-SNMP/low CPU usage/non-real time pe2338 Linux - Networking 3 05-04-2006 02:00 PM
mounting hardrive via non-root and using it via non-root Paridoth Mandriva 1 11-03-2004 06:55 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 05:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration