200621 Matt Turner wrote:
> On Sun, Jun 21, 2020 at 4:53 PM Philip Webb <purs...@ca.inter.net> wrote:
>> I've been running xorg-server as root for  > 16 yr  without any problems.
>> AFAIK there are no problems re exploits via I/net browsers,
>> which are started by my user as all such user software always is.
>> What might go wrong, if I continue to 'startx'
>> with 'xorg-server' merged with 'suid -elogind'
>> & without the '.xinitrc' line show above in the Wiki ?
> For the majority of users -- those that use a graphics driver
> with kernel modesetting support -- , X only needs root access
> for a small set of things : accessing the DRM device node,
> accessing the input device nodes and some stuff around VTs.
> The rest of the time, X doesn't need root access.
> With elogind, those bits are handled in a small daemon
> and X no longer needs to run as root.  Most people find that valuable,
> especially with the knowledge that there have been
> a number of security vulnerabilities that would allow arbitrary code
> execution in the xserver over the years [1].

The latest of those was announced in 2018
& all of them seem to involve privilege escalation by local users ;
those marked 'remote' all seem to be via off-site logins.
There doesn't appear ever to have been a genuine remote threat,
so single-user systems have never been threatened by xorg-server as root.

> [1] 
> https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-8600/X.org-Xorg-server.html

So i ask again : Why is running 'xorg-server' as root "heavily discouraged" ?

There was a similar issue a few years ago,
when the game Nethack was threatened with removal from Gentoo
due to a security problem which affected only multi-user systems.
Is there any difference in this case of xorg-server ?

SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatcadotinterdotnet

Reply via email to