Source: sddm
Severity: wishlist

Hi,

starting with stretch, xorg-server has been fixed to allow running X as an unprivileged user. This currently works fine for sessions initiated by GDM3 and for anyone starting X11 through startx.
SDDM, however, still initiates the session with X11 running as root. For the buster release, ideally we should fix all the remaining login managers to use unprivileged X11; this would essentially neutralise the majority of all vulnerabilities in Xorg (since all those vulnerabilities which currently allow privilege escalation to root would no longer cross trust boundaries).

This has been reported upstream at https://github.com/sddm/sddm/issues/246 and there's an older pull request at https://github.com/sddm/sddm/pull/673 as well (but it hasn't seen recent activity).

Cheers,
Moritz