Re: X11 should not run as root or?

[therealcyclist]

Am Sun, Jun 04, 2023 at 07:54:48PM -0400 schrieb Greg Wooledge:

> If you're not willing to do the work to diagnose your own system, then
> this thread is over.

Guess it's over. thanks to all who have tried to help.

--

Re: X11 should not run as root or?

[Greg Wooledge]

On Sun, Jun 04, 2023 at 11:43:29PM +, therealcyclist wrote:
> Am Sun, Jun 04, 2023 at 07:18:36PM -0400 schrieb Greg Wooledge:
> > If you are running "startx" on tty1 in Debian 11 and Xorg is running
> > as root instead of your regular user account, then START THERE.
> 
> I have tested debian 12 not 11.

OK.

> > What video card do you have?
> 
> nvidia/amd *seperate systems

Pick ONE of the systems, and go into DETAIL.  Actually RUN COMMANDS
and figure shit out!

What is the ACTUAL CARD?

lspci -nn | grep -i vga

That may not be a strong enough command for all setups.  I don't remember
how you have to grep when dealing with Optimus systems.  If your system
has multiple video cards, say so.

> > Which driver is Xorg using?  (Find the actually correct Xorg.0.log file --
> > there may be more than one -- and find the driver details in there.)
> 
> nvidia/amdgpu *seperate systems

Find the log file and ACTUALLY CHECK IT.

None of this hand-waving bullshit.

> > Is the xserver-xorg-legacy package installed?
> 
> apt install i3-wm xinit 
> don't pull it. 

Run "dpkg -l xserver-xorg-legacy" to find out whether it's installed.

I am not aware of any way startx as a non-root user could launch an Xorg
as root if that package is not installed, so I'm VERY curious to learn
the actual details of what is going on with your system.

> > Do you have all the firmware installed that your video card wants?
> > (Look for "firmware" in dmesg.)
> 
> firmware-amd-graphics/firmware-nvidia-gsp

Actually RUN THE COMMAND.  dmesg | grep -i firmware

Find out what is ACTUALLY HAPPENING.

No hand-waving.

No guessing.

No generalizing.

No conflating multiple systems together as if they are one system.

Pick one system and DO THE ACTUAL WORK.

If you're not willing to do the work to diagnose your own system, then
this thread is over.

Re: X11 should not run as root or?

[therealcyclist]

Am Sun, Jun 04, 2023 at 07:18:36PM -0400 schrieb Greg Wooledge:
> On Sun, Jun 04, 2023 at 11:03:27PM +, therealcyclist wrote:
> > Am Sun, Jun 04, 2023 at 08:26:55PM +0200 schrieb Vincent Lefevre:
> > > i3-wm is a window manager, not a display manager. So it depends on
> > > what display manager you're using (if any).
> > 
> > so we assume that the majority use a display manager who cares about this 
> > via polkit or similar.
> > x11 as root by default is a security risk to which all those running i3-wm 
> > under xinit are unnecessarily exposed.
> > unless they know what they are doing.
> 

> If you are running "startx" on tty1 in Debian 11 and Xorg is running
> as root instead of your regular user account, then START THERE.

I have tested debian 12 not 11.

> What video card do you have?

nvidia/amd *seperate systems

> Which driver is Xorg using?  (Find the actually correct Xorg.0.log file --
> there may be more than one -- and find the driver details in there.)

nvidia/amdgpu *seperate systems

> Is the xserver-xorg-legacy package installed?

apt install i3-wm xinit 
don't pull it. 

> Do you have all the firmware installed that your video card wants?
> (Look for "firmware" in dmesg.)

firmware-amd-graphics/firmware-nvidia-gsp

--

Re: X11 should not run as root or?

[Greg Wooledge]

On Sun, Jun 04, 2023 at 11:03:27PM +, therealcyclist wrote:
> Am Sun, Jun 04, 2023 at 08:26:55PM +0200 schrieb Vincent Lefevre:
> > i3-wm is a window manager, not a display manager. So it depends on
> > what display manager you're using (if any).
> 
> so we assume that the majority use a display manager who cares about this via 
> polkit or similar.
> x11 as root by default is a security risk to which all those running i3-wm 
> under xinit are unnecessarily exposed.
> unless they know what they are doing.

Dear gods.  Stop babbling about political nonsense!

If you are running "startx" on tty1 in Debian 11 and Xorg is running
as root instead of your regular user account, then START THERE.

That is the PROBLEM.  Now let's DIAGNOSE it.  We need DETAILS!

What video card do you have?

Which driver is Xorg using?  (Find the actually correct Xorg.0.log file --
there may be more than one -- and find the driver details in there.)

Is the xserver-xorg-legacy package installed?

Do you have all the firmware installed that your video card wants?
(Look for "firmware" in dmesg.)

Here are some things that DO NOT MATTER:

 * the name of the window manager you are using, if any

 * the name of any display manager that is not installed, because you're
   not using any, because you're running startx, and we already KNOW THIS

 * polkit

 * anything you do AFTER startx

Re: X11 should not run as root or?

[therealcyclist]

Am Sun, Jun 04, 2023 at 08:26:55PM +0200 schrieb Vincent Lefevre:
> On 2023-06-02 22:21:56 +, therealcyclist wrote:
> > Am Fri, Jun 02, 2023 at 07:07:05PM +0200 schrieb Michel Verdier:
> > > Le 2 juin 2023 therealcyclist a écrit :
> > > 
> > > > I tried the new Debian bookworm installer rc4 and i manually installed 
> > > > i3-wm.
> > > > I started i3 from tty with startx command as user.
> > > > to my surprise i found out that the xorg process is running as root.
> > > > that can't be intentional, can it?
> > > 
> > > Maybe because some display managers want xorg as root
> > > https://wiki.archlinux.org/title/Xorg#Rootless_Xorg
> > 
> > You linked to the Archlinux Wiki and I have installed i3-wm under
> > archlinux and there X11 runs without root privileges by default.
> > 
> > I assumed that it is the same under Debian because Debian is known
> > for having relatively safe default values.
> > It looks like i3 doesn't need x11 as root either.
> 
> i3-wm is a window manager, not a display manager. So it depends on
> what display manager you're using (if any).
> 

so we assume that the majority use a display manager who cares about this via 
polkit or similar.
x11 as root by default is a security risk to which all those running i3-wm 
under xinit are unnecessarily exposed.
unless they know what they are doing.

---

Re: X11 should not run as root or?

[Vincent Lefevre]

On 2023-06-02 22:21:56 +, therealcyclist wrote:
> Am Fri, Jun 02, 2023 at 07:07:05PM +0200 schrieb Michel Verdier:
> > Le 2 juin 2023 therealcyclist a écrit :
> > 
> > > I tried the new Debian bookworm installer rc4 and i manually installed 
> > > i3-wm.
> > > I started i3 from tty with startx command as user.
> > > to my surprise i found out that the xorg process is running as root.
> > > that can't be intentional, can it?
> > 
> > Maybe because some display managers want xorg as root
> > https://wiki.archlinux.org/title/Xorg#Rootless_Xorg
> 
> You linked to the Archlinux Wiki and I have installed i3-wm under
> archlinux and there X11 runs without root privileges by default.
> 
> I assumed that it is the same under Debian because Debian is known
> for having relatively safe default values.
> It looks like i3 doesn't need x11 as root either.

i3-wm is a window manager, not a display manager. So it depends on
what display manager you're using (if any).

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: X11 should not run as root or?

[therealcyclist]

Am Fri, Jun 02, 2023 at 08:22:27PM -0400 schrieb Greg Wooledge:
>
> I was thinking of these changes in Stretch:
> 
>  * For many Intel graphics chipsets, the Stretch X server will use the
>modeset driver instead of the intel driver. The modeset driver may
>require non-free firmware (firmware-misc-nonfree) to activate features,
>even on systems which did not use this firmware under Jessie.
> 
>  * For some older graphics chipsets, support has been relegated to
>"legacy drivers", which require the old setuid X server to run. Install
>xserver-xorg-legacy if you require one of these drivers.
> 
> Text from .  This may have nothing
> to do with your issue.  It's just the first thing I could think of that
> could possibly be related.
> 

At this point I have to ask: Is my problem reproducible?

I find it problematic that if you run startx (i3-wm) as user at tty xorg still 
run as root by default.

Re: X11 should not run as root or?

[Greg Wooledge]

On Sat, Jun 03, 2023 at 12:11:47AM +, therealcyclist wrote:
> Am Fri, Jun 02, 2023 at 07:52:03PM -0400 schrieb Greg Wooledge:
> > No "needs_root_rights" here, so I don't know why yours needs it.  Maybe
> > it's got something to do with driver selection?  If I recall correctly
> > from the days when this change was made, some cards that use legacy
> > drivers may need special configuration.
> 
> graphic driver is nvidia.
> secureboot is activated with mok (debian default key).
> 
> what makes you think it's different with e.g. amdgpu?

I was thinking of these changes in Stretch:

 * For many Intel graphics chipsets, the Stretch X server will use the
   modeset driver instead of the intel driver. The modeset driver may
   require non-free firmware (firmware-misc-nonfree) to activate features,
   even on systems which did not use this firmware under Jessie.

 * For some older graphics chipsets, support has been relegated to
   "legacy drivers", which require the old setuid X server to run. Install
   xserver-xorg-legacy if you require one of these drivers.

Text from .  This may have nothing
to do with your issue.  It's just the first thing I could think of that
could possibly be related.

Re: X11 should not run as root or?

[therealcyclist]

Am Fri, Jun 02, 2023 at 07:52:03PM -0400 schrieb Greg Wooledge:
> That's quite strange.  I have not installed bookworm, but I just upgraded
> to it.  I use startx as well (but with fvwm instead of i3-wm), and I'm not
> seeing this problem.  Xorg runs as me, just as it has done for the last
> few releases.
> 
> unicorn:~$ ps -ef | grep X
> greg10301007  0 May31 tty1 00:00:00 xinit 
> /etc/X11/xinit/xinitrc -- /etc/X11/xinit/xserverrc :0 vt1 -keeptty -auth 
> /tmp/serverauth.C7PjJM0pDW
> greg10321030  1 May31 tty1 00:45:52 /usr/lib/xorg/Xorg 
> -nolisten tcp :0 vt1 -keeptty -auth /tmp/serverauth.C7PjJM0pDW
> greg   549271160  0 19:46 pts/300:00:00 grep X
> unicorn:~$ grep -v ^# /etc/X11/Xwrapper.config 
> allowed_users=console
> 
> No "needs_root_rights" here, so I don't know why yours needs it.  Maybe
> it's got something to do with driver selection?  If I recall correctly
> from the days when this change was made, some cards that use legacy
> drivers may need special configuration.
> 

graphic driver is nvidia.
secureboot is activated with mok (debian default key).

what makes you think it's different with e.g. amdgpu?

Re: X11 should not run as root or?

[Greg Wooledge]

On Fri, Jun 02, 2023 at 04:32:38PM +, therealcyclist wrote:
> I tried the new Debian bookworm installer rc4 and i manually installed i3-wm.
> I started i3 from tty with startx command as user.
> to my surprise i found out that the xorg process is running as root.
> that can't be intentional, can it?
> 
> I have fixed the problem by adding the following line in 
> /etc/X11/Xwrapper.config 
> 
> needs_root_rights = no
> 
> After that xorg runs as user.

That's quite strange.  I have not installed bookworm, but I just upgraded
to it.  I use startx as well (but with fvwm instead of i3-wm), and I'm not
seeing this problem.  Xorg runs as me, just as it has done for the last
few releases.

unicorn:~$ ps -ef | grep X
greg10301007  0 May31 tty1 00:00:00 xinit 
/etc/X11/xinit/xinitrc -- /etc/X11/xinit/xserverrc :0 vt1 -keeptty -auth 
/tmp/serverauth.C7PjJM0pDW
greg10321030  1 May31 tty1 00:45:52 /usr/lib/xorg/Xorg 
-nolisten tcp :0 vt1 -keeptty -auth /tmp/serverauth.C7PjJM0pDW
greg   549271160  0 19:46 pts/300:00:00 grep X
unicorn:~$ grep -v ^# /etc/X11/Xwrapper.config 
allowed_users=console

No "needs_root_rights" here, so I don't know why yours needs it.  Maybe
it's got something to do with driver selection?  If I recall correctly
from the days when this change was made, some cards that use legacy
drivers may need special configuration.

Re: X11 should not run as root or?

[therealcyclist]

Am Fri, Jun 02, 2023 at 07:07:05PM +0200 schrieb Michel Verdier:
> Le 2 juin 2023 therealcyclist a écrit :
> 
> > I tried the new Debian bookworm installer rc4 and i manually installed 
> > i3-wm.
> > I started i3 from tty with startx command as user.
> > to my surprise i found out that the xorg process is running as root.
> > that can't be intentional, can it?
> 
> Maybe because some display managers want xorg as root
> https://wiki.archlinux.org/title/Xorg#Rootless_Xorg
> 

You linked to the Archlinux Wiki and I have installed i3-wm under archlinux and 
there X11 runs without root privileges by default.

I assumed that it is the same under Debian because Debian is known for having 
relatively safe default values.
It looks like i3 doesn't need x11 as root either.

Re: X11 should not run as root or?

[therealcyclist]

Am Fri, Jun 02, 2023 at 09:24:13PM +0200 schrieb Sven Joachim:
>
> That is rather strange.  The source of the wrapper program that decides
> whether Xorg needs root rights has not been touched for many years[1].
> 
> Cheers,
>Sven
> 
> 
> 1. 
> https://salsa.debian.org/xorg-team/xserver/xorg-server/-/commits/debian-unstable/hw/xfree86/xorg-wrapper.c
> 

Debian bookworm rc4 without gnome, just default system tools and after reboot i 
just run at tty:

sudo apt install i3-wm alacritty xinit xserver-xorg
echo "exec i3" > ~/.xinitrc
startx

and xorg running as root

Re: Re: X11 should not run as root or?

[therealcyclist]

You linked to the Archlinux Wiki and I have installed i3-wm under archlinux and 
there X11 runs without root privileges by default.

I assumed that it is the same under Debian because Debian is known for having 
relatively safe default values.
It looks like i3 doesn't need x11 as root either.

Re: X11 should not run as root or?

[Sven Joachim]

On 2023-06-02 16:32 +, therealcyclist wrote:

> I tried the new Debian bookworm installer rc4 and i manually installed i3-wm.
> I started i3 from tty with startx command as user.
> to my surprise i found out that the xorg process is running as root.
> that can't be intentional, can it?

As long as there is a working kernel driver for all your graphics cards,
this is not intended.

> I have fixed the problem by adding the following line in 
> /etc/X11/Xwrapper.config
>
> needs_root_rights = no
>
> After that xorg runs as user.

That is rather strange.  The source of the wrapper program that decides
whether Xorg needs root rights has not been touched for many years[1].

Cheers,
   Sven


1. 
https://salsa.debian.org/xorg-team/xserver/xorg-server/-/commits/debian-unstable/hw/xfree86/xorg-wrapper.c

Re: X11 should not run as root or?

[Michel Verdier]

Le 2 juin 2023 therealcyclist a écrit :

> I tried the new Debian bookworm installer rc4 and i manually installed i3-wm.
> I started i3 from tty with startx command as user.
> to my surprise i found out that the xorg process is running as root.
> that can't be intentional, can it?

Maybe because some display managers want xorg as root
https://wiki.archlinux.org/title/Xorg#Rootless_Xorg

X11 should not run as root or?

[therealcyclist]

I tried the new Debian bookworm installer rc4 and i manually installed i3-wm.
I started i3 from tty with startx command as user.
to my surprise i found out that the xorg process is running as root.
that can't be intentional, can it?

I have fixed the problem by adding the following line in 
/etc/X11/Xwrapper.config 

needs_root_rights = no

After that xorg runs as user.