Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-10 Thread Hans de Goede

Hi,

On 01/09/2014 09:52 PM, Andrew Lutomirski wrote:
> On Thu, Jan 9, 2014 at 11:43 AM, Hans de Goede hdego...@redhat.com wrote:
> > Hi,
> >
> > On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
> > > On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer peter.hutte...@who-t.net wrote:
> > > > On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> > > > > /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> > > > > wondering whether there's any good reason for it to remain
> > > > > setuid-root.
> > > >
> > > > http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
> > >
> > > This isn't actually the same thing.  That proposal suggests running
> > > Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
> > > binary, which will have no effect on the uid of the running server.
> > > (Of course, my suggestion will interact w/ that change, since the
> > > process that starts Xorg will no longer be root.)
> >
> > I don't think that that will be very useful, it will likely cause more
> > breakage than you think, as various display-managers may already start
> > Xorg inside the user session, at which point the suid bit is needed,
> > and as you already said it will break xinit and friends.
>
> This is an empirical question :)  gdm on F20, at least, can still
> switch users with the setuid bit cleared.  I'll try to test some more
> display managers.

Well starting X inside the user session is necessary for the systemd-logind
integration I'm working on, which in turn is necessary to be able to completely
run X without any root rights at all. So this quite likely is going to be how
X will be started in F-21.

> I hope it clears the bit -- I really don't like the fact that 'X :1'
> screws with the display.

I'm not sure yet if it will clear the bit, I'm pretty sure I can get things
to work without any root rights for kms drivers (not 100% sure yet), but
ums drivers will fail hard without the suid bit, the ums part of this
needs some thinking (and needs me to dig up a card actually using it).

I might end up deciding to just kill ums support and then see what happens,
but I would rather not, and if I get enough pushback I might revert on
such a decision :)

Regards,

Hans
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-10 Thread Andrew Lutomirski
On Fri, Jan 10, 2014 at 11:44 AM, Hans de Goede hdego...@redhat.com wrote:
> Hi,
>
> On 01/09/2014 09:52 PM, Andrew Lutomirski wrote:
> > On Thu, Jan 9, 2014 at 11:43 AM, Hans de Goede hdego...@redhat.com wrote:
> > > Hi,
> > >
> > > On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
> > > > On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer peter.hutte...@who-t.net wrote:
> > > > > On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> > > > > > /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> > > > > > wondering whether there's any good reason for it to remain
> > > > > > setuid-root.
> > > > >
> > > > > http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
> > > >
> > > > This isn't actually the same thing.  That proposal suggests running
> > > > Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
> > > > binary, which will have no effect on the uid of the running server.
> > > > (Of course, my suggestion will interact w/ that change, since the
> > > > process that starts Xorg will no longer be root.)
> > >
> > > I don't think that that will be very useful, it will likely cause more
> > > breakage than you think, as various display-managers may already start
> > > Xorg inside the user session, at which point the suid bit is needed,
> > > and as you already said it will break xinit and friends.
> >
> > This is an empirical question :)  gdm on F20, at least, can still
> > switch users with the setuid bit cleared.  I'll try to test some more
> > display managers.
>
> Well starting X inside the user session is necessary for the systemd-logind
> integration I'm working on, which in turn is necessary to be able to completely
> run X without any root rights at all. So this quite likely is going to be how
> X will be started in F-21.
>
> > I hope it clears the bit -- I really don't like the fact that 'X :1'
> > screws with the display.
>
> I'm not sure yet if it will clear the bit, I'm pretty sure I can get things
> to work without any root rights for kms drivers (not 100% sure yet), but
> ums drivers will fail hard without the suid bit, the ums part of this
> needs some thinking (and needs me to dig up a card actually using it).
>
> I might end up deciding to just kill ums support and then see what happens,
> but I would rather not, and if I get enough pushback I might revert on
> such a decision :)

Once you add logind integration, there's another way -- write a tiny
setuid wrapper (or use some existing polkit mechanism) to allow users
in a console session to start Xorg as euid==0.  That wrapper could
even be called /usr/bin/Xorg :).  Presumably something like this (or
just real nonroot X support) will be needed for sane multi-seat
support anyway.

IOW, I don't think that Xorg needs to be any more special than, say, udisks.

--Andy
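Andrew's "tiny setuid wrapper" idea, sketched as an added example. This is editor-supplied code, not part of the thread and not Fedora's or Xorg's; it gates on membership in a group (the xorg group he floats elsewhere in the thread) rather than on a logind console session, because a session check needs libsystemd, and the group name `xorg` and the real-server path `/usr/libexec/Xorg.real` are assumptions. What it shows is the set of checks a wrapper has to make before it is any safer than the bare setuid bit it replaces: decide on the caller's real uid/gids rather than the root identity setuid granted, fail closed when the policy group does not exist, refuse to run when not actually installed setuid, and replace the inherited environment instead of passing it through.

```c
/* Added example: a minimal setuid-root wrapper gated on group membership.
 * Not code from the thread, Fedora or Xorg. Assumed names: group "xorg",
 * real server at /usr/libexec/Xorg.real (installed mode 0755; the wrapper
 * itself is root:root mode 4755). */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define REAL_SERVER "/usr/libexec/Xorg.real"   /* assumption */
#define GATE_GROUP  "xorg"                      /* assumption */

/* Pure policy check, separated from the system lookups so it can be
 * exercised with constructed input: is `wanted` in the caller's gid list? */
int caller_in_group(gid_t wanted, const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == wanted)
            return 1;
    return 0;
}

/* Resolve a group name to its gid. Returns -1 if the group does not exist,
 * so a missing gate group denies everyone instead of admitting everyone. */
int lookup_group(const char *name, gid_t *out)
{
    struct group *g = getgrnam(name);
    if (g == NULL)
        return -1;
    *out = g->gr_gid;
    return 0;
}

/* Decide on the real caller: getgid()/getgroups() report the invoking
 * user's groups, not the root identity the setuid bit granted. */
int caller_allowed(void)
{
    gid_t gate, groups[256];
    if (lookup_group(GATE_GROUP, &gate) != 0)
        return 0;
    int n = getgroups(256, groups);
    if (n < 0)                      /* more than 256 groups or an error: deny */
        return 0;
    /* The primary gid is not guaranteed to appear in getgroups(). */
    return getgid() == gate || caller_in_group(gate, groups, n);
}

int main(int argc, char **argv)
{
    (void)argc;
    if (geteuid() != 0) {
        fprintf(stderr, "%s: not running setuid-root, refusing\n", argv[0]);
        return 1;
    }
    if (!caller_allowed()) {
        fprintf(stderr, "%s: uid %u is not in group %s\n",
                argv[0], (unsigned)getuid(), GATE_GROUP);
        return 1;
    }
    /* The inherited environment crosses a privilege boundary here, so it is
     * replaced wholesale. Only the argument vector is passed through, and the
     * real server has to keep treating those arguments as untrusted. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    argv[0] = REAL_SERVER;
    execve(REAL_SERVER, argv, envp);
    fprintf(stderr, "execve %s: %s\n", REAL_SERVER, strerror(errno));
    return 127;
}
```

Note what the wrapper does not close: the argument vector still reaches the server, so Hans's point below about the command line being one of the two vectors a cleared setuid bit would remove applies to anyone the group policy admits. A wrapper like this only narrows who can reach that surface; the server's own handling of options that name files or modules has to stay as strict as it is when it detects elevated privileges.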

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-09 Thread Hans de Goede

Hi,

On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
> On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer peter.hutte...@who-t.net wrote:
> > On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> > > /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> > > wondering whether there's any good reason for it to remain
> > > setuid-root.
> >
> > http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
>
> This isn't actually the same thing.  That proposal suggests running
> Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
> binary, which will have no effect on the uid of the running server.
> (Of course, my suggestion will interact w/ that change, since the
> process that starts Xorg will no longer be root.)

I don't think that that will be very useful, it will likely cause more
breakage than you think, as various display-managers may already start
Xorg inside the user session, at which point the suid bit is needed,
and as you already said it will break xinit and friends.

Besides that almost every Fedora system already has a copy of the X
server running as root ready to be exploited. The attack surface of
X is not its cmdline or attacks through environment settings
(2 vectors your suggestion would close), but rather the gargantuan
API it exposes over the X protocol itself.

> It may be that XorgWithoutRootRights will clear the setuid bit as well, though.

Hopefully, either clear it completely or drop root rights very early
on startup.

Regards,

Hans

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-09 Thread Andrew Lutomirski
On Thu, Jan 9, 2014 at 11:43 AM, Hans de Goede hdego...@redhat.com wrote:
> Hi,
>
> On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
> > On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer peter.hutte...@who-t.net wrote:
> > > On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> > > > /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> > > > wondering whether there's any good reason for it to remain
> > > > setuid-root.
> > >
> > > http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
> >
> > This isn't actually the same thing.  That proposal suggests running
> > Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
> > binary, which will have no effect on the uid of the running server.
> > (Of course, my suggestion will interact w/ that change, since the
> > process that starts Xorg will no longer be root.)
>
> I don't think that that will be very useful, it will likely cause more
> breakage than you think, as various display-managers may already start
> Xorg inside the user session, at which point the suid bit is needed,
> and as you already said it will break xinit and friends.

This is an empirical question :)  gdm on F20, at least, can still
switch users with the setuid bit cleared.  I'll try to test some more
display managers.

> Besides that almost every Fedora system already has a copy of the X
> server running as root ready to be exploited. The attack surface of
> X is not its cmdline or attacks through environment settings
> (2 vectors your suggestion would close), but rather the gargantuan
> API it exposes over the X protocol itself.

There's currently a big attack surface if I run some daemon that gets
remotely pwned -- the attacker could start a brand new X server and
try to exploit it.  On the other hand, they'd have a much more limited
attack surface against the already running daemon, because they'll
have trouble getting past the X authentication checks.

> > It may be that XorgWithoutRootRights will clear the setuid bit as well, though.
>
> Hopefully, either clear it completely or drop root rights very early
> on startup.

I hope it clears the bit -- I really don't like the fact that 'X :1'
screws with the display.

--Andy

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-09 Thread Peter Hutterer
On Thu, Jan 09, 2014 at 12:52:46PM -0800, Andrew Lutomirski wrote:
> On Thu, Jan 9, 2014 at 11:43 AM, Hans de Goede hdego...@redhat.com wrote:
> > Hi,
> >
> > On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
> > > On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer peter.hutte...@who-t.net wrote:
> > > > On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> > > > > /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> > > > > wondering whether there's any good reason for it to remain
> > > > > setuid-root.
> > > >
> > > > http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
> > >
> > > This isn't actually the same thing.  That proposal suggests running
> > > Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
> > > binary, which will have no effect on the uid of the running server.
> > > (Of course, my suggestion will interact w/ that change, since the
> > > process that starts Xorg will no longer be root.)
> >
> > I don't think that that will be very useful, it will likely cause more
> > breakage than you think, as various display-managers may already start
> > Xorg inside the user session, at which point the suid bit is needed,
> > and as you already said it will break xinit and friends.
>
> This is an empirical question :)  gdm on F20, at least, can still
> switch users with the setuid bit cleared.  I'll try to test some more
> display managers.
>
> > Besides that almost every Fedora system already has a copy of the X
> > server running as root ready to be exploited. The attack surface of
> > X is not its cmdline or attacks through environment settings
> > (2 vectors your suggestion would close), but rather the gargantuan
> > API it exposes over the X protocol itself.
>
> There's currently a big attack surface if I run some daemon that gets
> remotely pwned -- the attacker could start a brand new X server and
> try to exploit it.  On the other hand, they'd have a much more limited
> attack surface against the already running daemon, because they'll
> have trouble getting past the X authentication checks.
>
> > > It may be that XorgWithoutRootRights will clear the setuid bit as well, though.
> >
> > Hopefully, either clear it completely or drop root rights very early
> > on startup.
>
> I hope it clears the bit -- I really don't like the fact that 'X :1'
> screws with the display.

You understand that this isn't as much screwing with the display as being a
base functionality of the x server? It's a bit like saying starting apache
screws with your port 80 when you start it.

Cheers,
   Peter

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-09 Thread Andrew Lutomirski
On Thu, Jan 9, 2014 at 4:27 PM, Peter Hutterer peter.hutte...@who-t.net wrote:
> On Thu, Jan 09, 2014 at 12:52:46PM -0800, Andrew Lutomirski wrote:
> > On Thu, Jan 9, 2014 at 11:43 AM, Hans de Goede hdego...@redhat.com wrote:
> > > Hi,
> > >
> > > On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
> > > > On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer peter.hutte...@who-t.net wrote:
> > > > > On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> > > > > > /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> > > > > > wondering whether there's any good reason for it to remain
> > > > > > setuid-root.
> > > > >
> > > > > http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
> > > >
> > > > This isn't actually the same thing.  That proposal suggests running
> > > > Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
> > > > binary, which will have no effect on the uid of the running server.
> > > > (Of course, my suggestion will interact w/ that change, since the
> > > > process that starts Xorg will no longer be root.)
> > >
> > > I don't think that that will be very useful, it will likely cause more
> > > breakage than you think, as various display-managers may already start
> > > Xorg inside the user session, at which point the suid bit is needed,
> > > and as you already said it will break xinit and friends.
> >
> > This is an empirical question :)  gdm on F20, at least, can still
> > switch users with the setuid bit cleared.  I'll try to test some more
> > display managers.
> >
> > > Besides that almost every Fedora system already has a copy of the X
> > > server running as root ready to be exploited. The attack surface of
> > > X is not its cmdline or attacks through environment settings
> > > (2 vectors your suggestion would close), but rather the gargantuan
> > > API it exposes over the X protocol itself.
> >
> > There's currently a big attack surface if I run some daemon that gets
> > remotely pwned -- the attacker could start a brand new X server and
> > try to exploit it.  On the other hand, they'd have a much more limited
> > attack surface against the already running daemon, because they'll
> > have trouble getting past the X authentication checks.
> >
> > > > It may be that XorgWithoutRootRights will clear the setuid bit as well, though.
> > >
> > > Hopefully, either clear it completely or drop root rights very early
> > > on startup.
> >
> > I hope it clears the bit -- I really don't like the fact that 'X :1'
> > screws with the display.
>
> You understand that this isn't as much screwing with the display as being a
> base functionality of the x server? It's a bit like saying starting apache
> screws with your port 80 when you start it.

Except that apache doesn't screw with your port 80 if you try to start
it as nonroot :)  In a similar vein, chvt doesn't work unless you're
root.  I don't see why X should be special, other than for rather old
historical reasons.

I'm pretty sure that the last time I tried to use 'startx' was when I
sat down directly in front of the SPARCstation because other people
were using all X terminals.  Even then, most of the time I'd be
sitting at the X terminal with an xterm and nothing else, and I'd just
run an mwm session instead of running a whole X server.  Of course,
back then my password was sent over the network as clear text every
time I typed it.  No one needed to pwn an X server -- you could get
anyone's password by leaving a fake getty running on the modem pool.

It would be possible to arrange for running Xorg to still work if
you're in a new xorg group.

--Andy

Should /usr/bin/Xorg (still) be setuid-root?

2014-01-08 Thread Andrew Lutomirski
/usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
wondering whether there's any good reason for it to remain
setuid-root.

Some arguments for setuid-root:
 - People who still use startx or similar scripts need it.
 - It's vaguely useful for testing xorg.conf changes.

Some arguments for clearing the setuid-root bit:
 - People who use display managers (i.e. almost everyone) don't need
it to be setuid-root.
 - Xorg is a giant attack surface.  Without setuid-root, only users
sitting in front of the keyboard can try to attack it.

I suspect that most people would notice the difference if
xorg-x11-server-Xorg got rid of the setuid-root bit.

Another option would be to only let users in a new xorg group run Xorg
and to keep it setuid-root.

Thoughts?  If people are generally in favor, I'll submit a change
proposal.  Despite the fact that the change would be a one-liner, it
seems like a systemwide change.

(On a related note: what's the F21 change proposal submission
deadline?  I can't find it anywhere.)

--Andy

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-08 Thread Peter Hutterer
On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> wondering whether there's any good reason for it to remain
> setuid-root.

http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights

Cheers,
   Peter

> Some arguments for setuid-root:
>  - People who still use startx or similar scripts need it.
>  - It's vaguely useful for testing xorg.conf changes.
>
> Some arguments for clearing the setuid-root bit:
>  - People who use display managers (i.e. almost everyone) don't need
> it to be setuid-root.
>  - Xorg is a giant attack surface.  Without setuid-root, only users
> sitting in front of the keyboard can try to attack it.
>
> I suspect that most people would notice the difference if
> xorg-x11-server-Xorg got rid of the setuid-root bit.
>
> Another option would be to only let users in a new xorg group run Xorg
> and to keep it setuid-root.
>
> Thoughts?  If people are generally in favor, I'll submit a change
> proposal.  Despite the fact that the change would be a one-liner, it
> seems like a systemwide change.
>
> (On a related note: what's the F21 change proposal submission
> deadline?  I can't find it anywhere.)
>
> --Andy

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-08 Thread Andrew Lutomirski
On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer peter.hutte...@who-t.net wrote:
> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> > /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> > wondering whether there's any good reason for it to remain
> > setuid-root.
>
> http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights

This isn't actually the same thing.  That proposal suggests running
Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
binary, which will have no effect on the uid of the running server.
(Of course, my suggestion will interact w/ that change, since the
process that starts Xorg will no longer be root.)

It may be that XorgWithoutRootRights will clear the setuid bit as well, though.

--Andy

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-08 Thread Kevin Fenzi
I could have sworn there was a more recent discussion of this, but
there is at least this thread from 2009: 

https://lists.fedoraproject.org/pipermail/devel/2009-August/036086.html

Also: 

http://lwn.net/Articles/546537/

(discussion about the last revoke() discussion on linux-kernel). 

kevin



Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-08 Thread Andrew Lutomirski
On Wed, Jan 8, 2014 at 3:18 PM, Kevin Fenzi ke...@scrye.com wrote:
> I could have sworn there was a more recent discussion of this, but
> there is at least this thread from 2009:
>
> https://lists.fedoraproject.org/pipermail/devel/2009-August/036086.html
>
> Also:
>
> http://lwn.net/Articles/546537/
>
> (discussion about the last revoke() discussion on linux-kernel).

*sigh*.  I'm obviously being unclear.

I am *not* proposing anything related to what uid the X server runs
under.  I'm proposing that, when a nonroot user types Xorg at the
terminal, they don't cause a root-privileged X server to appear.

Since I doubt that many people run Xorg directly (unless they're up to
no good), this should have no observable effect.

--Andy

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-08 Thread Matthew Miller
On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> wondering whether there's any good reason for it to remain
> setuid-root.
> [...]
>  - Xorg is a giant attack surface.  Without setuid-root, only users
> sitting in front of the keyboard can try to attack it.

Like, for example:

  http://lists.x.org/archives/xorg-announce/2014-January/002389.html
  https://bugzilla.redhat.com/show_bug.cgi?id=1049569

Perhaps this is what got you thinking about this?

> Thoughts?  If people are generally in favor, I'll submit a change
> proposal.  Despite the fact that the change would be a one-liner, it
> seems like a systemwide change.
> (On a related note: what's the F21 change proposal submission
> deadline?  I can't find it anywhere.)

No deadline yet -- go for it. You might also want to check into
http://fedoraproject.org/wiki/Features/RemoveSETUID, which was a
partially-successful effort to use capabilities instead of setuid across
the system. (See for example /usr/bin/ping.)

However, that was about reducing from full setuid to what is effectively
partial setuid (and see the discussion; it's only really meaningful in some
cases). Removing the setuid bit entirely is new, as far as I know.

-- 
Matthew Miller--   Fedora Project--mat...@fedoraproject.org
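Matthew's contrast between a fully setuid-root binary and one that, like ping after RemoveSETUID, carries file capabilities instead, together with Andrew's "one-liner" change from the original post, as an added example. This is editor-supplied C, not code from the thread, Fedora or Xorg. It reports whether a path has the setuid bit and is root-owned, whether it carries a `security.capability` attribute (Linux only), clears just the setuid bit the way `chmod u-s` would while keeping every other mode bit, and walks a directory tree listing setuid files. The default scan directory `/usr/bin` and the 32-level recursion bound are assumptions.

```c
/* Added example: audit and clear the setuid bit. Editor-supplied, not code
 * from the thread, Fedora or Xorg. POSIX apart from the file-capability
 * check, which reads the Linux security.capability xattr. */
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* 1 if path has the setuid bit, 0 if not, -1 if it cannot be stat'ed. */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* 1 only if setuid AND owned by uid 0: the combination that makes the
 * binary's bugs reachable as root by any local user who can exec it. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return ((st.st_mode & S_ISUID) && st.st_uid == 0) ? 1 : 0;
}

/* 1 if the file carries file capabilities, 0 if not, -1 if undeterminable. */
int has_file_caps(const char *path)
{
#ifdef __linux__
    if (getxattr(path, "security.capability", NULL, 0) >= 0)
        return 1;
    return errno == ENODATA ? 0 : -1;
#else
    (void)path;
    return -1;
#endif
}

/* The "one-liner" (chmod u-s) in C: clear only S_ISUID, keep the rest. */
int clear_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return chmod(path, (st.st_mode & 07777) & ~(mode_t)S_ISUID);
}

/* Walk dir without following symlinks, print each setuid regular file and
 * add it to *count. Returns -1 only if dir itself cannot be opened. */
static int scan_dir(const char *dir, int depth, int *count)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char path[PATH_MAX];
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path)
            continue;                       /* too long: skip, never truncate */
        struct stat st;
        if (lstat(path, &st) != 0)
            continue;
        if (S_ISDIR(st.st_mode)) {
            if (depth < 32)                 /* assumed bound on hostile trees */
                scan_dir(path, depth + 1, count);
        } else if (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID)) {
            (*count)++;
            printf("%s owner=%u mode=%04o caps=%d\n", path, (unsigned)st.st_uid,
                   (unsigned)(st.st_mode & 07777), has_file_caps(path));
        }
    }
    closedir(d);
    return 0;
}

/* Number of setuid regular files under root_dir, or -1 if it is unreadable. */
int count_setuid_files(const char *root_dir)
{
    int count = 0;
    return scan_dir(root_dir, 0, &count) == 0 ? count : -1;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/usr/bin";   /* assumed default */
    int n = count_setuid_files(dir);
    if (n < 0) {
        perror(dir);
        return 1;
    }
    printf("%d setuid file(s) under %s\n", n, dir);
    return 0;
}
```

Run against /usr/bin on a box where the server is still setuid, the Xorg line shows owner 0 with the setuid bit and caps=0, and ping shows the opposite shape after RemoveSETUID: no setuid bit, but caps=1. That is the distinction Matthew draws: clearing the bit removes the root identity entirely, while a capability leaves the binary with one narrow privilege that any local user can still exercise.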

Re: Should /usr/bin/Xorg (still) be setuid-root?

2014-01-08 Thread Andrew Lutomirski
On Wed, Jan 8, 2014 at 5:45 PM, Matthew Miller mat...@fedoraproject.org wrote:
> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> > /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> > wondering whether there's any good reason for it to remain
> > setuid-root.
> > [...]
> >  - Xorg is a giant attack surface.  Without setuid-root, only users
> > sitting in front of the keyboard can try to attack it.
>
> Like, for example:
>
>   http://lists.x.org/archives/xorg-announce/2014-January/002389.html
>   https://bugzilla.redhat.com/show_bug.cgi?id=1049569
>
> Perhaps this is what got you thinking about this?
>
> > Thoughts?  If people are generally in favor, I'll submit a change
> > proposal.  Despite the fact that the change would be a one-liner, it
> > seems like a systemwide change.
> > (On a related note: what's the F21 change proposal submission
> > deadline?  I can't find it anywhere.)
>
> No deadline yet -- go for it. You might also want to check into
> http://fedoraproject.org/wiki/Features/RemoveSETUID, which was a
> partially-successful effort to use capabilities instead of setuid across
> the system. (See for example /usr/bin/ping.)
>
> However, that was about reducing from full setuid to what is effectively
> partial setuid (and see the discussion; it's only really meaningful in some
> cases). Removing the setuid bit entirely is new, as far as I know.

Here it is:

https://fedoraproject.org/wiki/Changes/NonSetuidXorg

For amusement, try ssh-ing into a Fedora box that's sitting at the gdm
prompt and type 'X :1'.  IMO screwing with the box like that should
require some kind of privilege for users who aren't in front of the
keyboard.

--Andy