Re: [PATCH weston] launcher: don't exit when user is not root

2017-10-31 Thread Christian Stroetmann

On the 30th of October 2017 16:02, Pekka Paalanen wrote:

On Mon, 30 Oct 2017 15:20:42 +0100
Emre Ucan  wrote:


weston does not need to be root.
It requires adjusting ownership on the given tty device.

If weston does not have proper rights, it will get
an error at startup anyway.

Signed-off-by: Emre Ucan
---
  libweston/launcher-direct.c | 3 ---
  1 file changed, 3 deletions(-)

diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
index a5d3ee5..b05d214 100644
--- a/libweston/launcher-direct.c
+++ b/libweston/launcher-direct.c
@@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, 
struct weston_compositor *
  {
struct launcher_direct *launcher;

-   if (geteuid() != 0)
-   return -EINVAL;
-
launcher = zalloc(sizeof(*launcher));
if (launcher == NULL)
return -ENOMEM;
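Review bot: The removed `return -EINVAL;` under `if (geteuid() != 0)` reports a privilege failure with the errno for an invalid argument and logs nothing, so a caller of launcher_direct_connect() cannot tell "not root" from a bad parameter. If the check is kept rather than deleted, returning -EPERM together with a log line stating the requirement would address the unhelpful-error complaint without changing who may use the launcher.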

NAK, for the reasons explained in
https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html

To summarize, it's not only tty permissions but DRM and input devices
as well. If you set all these so that weston can actually run without
root using the direct launcher, then quite likely you have opened some
security holes.

The direct launcher is specifically meant for running weston as root.
Running as root is only for debugging and development, never for
production.


Thanks,
pq



Hello everybody

Personally, I do prefer the way Pekka handles the matter and applying a 
little more advanced software engineering is not a bad choice.
But sadly to say and without any offence, for sure, reality and life is 
very different and diversified when compared with our desires.



Indeed, there are pros and cons for both sides:

In general, Weston must be as flexible as possible for being accepted by 
everybody eventually.


Furthermore, an embedded system has always been and still is a special 
case where everything goes, so to say. In this respect, it is very hard 
or even impossible to convince a developer of an embedded system to 
carry the unneeded code along, specifically in the case that somebody 
does not need any safety, security, and reliability properties, or/and 
exactly knows what she/he is doing and hence is willing to take any 
risks, as said by the embedded system developers in this thread.
Therefore, using Weston in a root debug or special embedded system way 
should not be excluded as some kind of a common option.


This leads to various potential compromises, such as for example:
(a) a custom-made configuration of a development tool (e.g. CASE tool) 
excludes the unneeded part of the safe, secure, and reliable Weston code 
for an individual architecture, framework, or project,
(b) a compiler flag and a related message that shows a clear warning 
that the result of the compilation is not included in the safe, secure, 
and reliable Weston environment anymore, or
(c) an own subproject of Weston with an own chapter in the documentation 
for the root debug development option and the special embedded system 
"use case", that
- could be titled "Weston Root Debug (Weston RD)" or "Weston Bare Metal 
(Weston BM)" for example, and
- explains the differences between the proper Weston and the special 
Weston variants and also gives a clear warning about the potential 
safety, security, and reliability issues.




Best Regards
Christian Stroetmann




___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel


Re: [PATCH weston] launcher: don't exit when user is not root

2017-10-31 Thread Emil Velikov
On 31 October 2017 at 16:42, Michal Suchanek  wrote:

>>> Ever heard of rootless X?
>>
>> Yes. I believe it uses logind now.
>
> The documentation says otherwise.
>
See xserver commit e7b84ca46944895971a8f048c7e34869b7de01c0 and the
other work by Hans in the area.
I'm suspecting the documentation is out of date.

-Emil


Re: [PATCH weston] launcher: don't exit when user is not root

2017-10-31 Thread Michal Suchanek
On 31 October 2017 at 08:49, Pekka Paalanen  wrote:
> On Mon, 30 Oct 2017 18:56:02 +0100
> Michal Suchanek  wrote:
>
>> On 30 October 2017 at 16:02, Pekka Paalanen  wrote:
>> > On Mon, 30 Oct 2017 15:20:42 +0100
>> > Emre Ucan  wrote:
>> >
>> >> weston does not need to be root.
>> >> It requires adjusting ownership on the given tty device.
>> >>
>> >> If weston does not have proper rights, it will get
>> >> an error at startup anyway.
>> >>
>> >> Signed-off-by: Emre Ucan 
>> >> ---
>> >>  libweston/launcher-direct.c | 3 ---
>> >>  1 file changed, 3 deletions(-)
>> >>
>> >> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
>> >> index a5d3ee5..b05d214 100644
>> >> --- a/libweston/launcher-direct.c
>> >> +++ b/libweston/launcher-direct.c
>> >> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, 
>> >> struct weston_compositor *
>> >>  {
>> >>   struct launcher_direct *launcher;
>> >>
>> >> - if (geteuid() != 0)
>> >> - return -EINVAL;
>> >> -
>> >>   launcher = zalloc(sizeof(*launcher));
>> >>   if (launcher == NULL)
>> >>   return -ENOMEM;
>> >
>> > NAK, for the reasons explained in
>> > https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html
>> >
>> > To summarize, it's not only tty permissions but DRM and input devices
>> > as well.
>>
>> DRM and input is supposed to be accessible by console user on desktop 
>> systems.
>
> Hi Michal,
>
> thanks for your concern, but I believe the world has moved on. We have
> a much better model with an agent like logind now.

Why is the model better?

In the end the agent relies on permissions as well.

On systems with multiple users it makes sense to automate the task of
setting up the user permissions with an agent.

However, on an embedded system setting the permissions statically in
an installation image may make more sense. Then you have one less
thing to audit for security - namely the agent which you do not use.

>
> That old approach had the inherent security issues which I assume have
> discouraged its use and encouraged looking for better alternatives.
>
>> Ever heard of rootless X?
>
> Yes. I believe it uses logind now.

The documentation says otherwise.

>
>> Any user on the console should be able to randomly decide to run a GUI
>> server without any special privileges.
>
> Presuming yes, then that is what logind or another agent like
> weston-launch allows. They also make it harder for you to shoot
> yourself in the foot by e.g. running two display servers on the same
> devices simultaneously.

Which is what tracking service units is for as well - it should run
the server only once.

>
>> This can be set up by logind or it can be hardcoded by the
>> administrator to a particular user. Whatever the case just running the
>> GUI server should work without issues when permissions are set up
>> correctly.
>
> It can be done by setting up user permissions. That does not mean it is
> the best available solution.

It can be done by logind or weston-launch. It does not mean it is the
best solution.

>
>> > If you set all these so that weston can actually run without
>> > root using the direct launcher, then quite likely you have opened some
>> > security holes.
>> >
>> > The direct launcher is specifically meant for running weston as root.
>> > Running as root is only for debugging and development, never for
>> > production.
>>
>> If you can run it as root you can run it as any user with sufficient
>> permissions.
>>
>> The security implications of different setups should be the concern of
>> the system administrator and not launcher-direct.
>
> I will still refuse to take in code that promotes bad practices where I
> see it. Enforcement in code is always more powerful than documentation
> saying one should not do this.

And what exactly is the bad practice here?

Accessing devices that you have permission to access granted by the
system administrator but which are not set up as accessible to you by
policykit?

If you should not have access to some devices then the system
administrator should revoke your permissions. weston is a display
server. It is not a security audit software. So it has no business
auditing your security setup.

Thanks

Michal
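
An added example, not part of the thread or of Weston: a check an integrator could run over the statically assigned tty, DRM and input nodes discussed above, to see who besides the compositor account can open them. The compositor uid/gid and the node paths are command-line inputs and are assumptions; only the account's primary gid is considered, and gid 0 is assumed to have no unprivileged members.

```c
/* Added example: audit static device-node permissions for a non-root compositor. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>

enum {
	NODE_OK            = 0,
	NODE_WORLD_ACCESS  = 1 << 0, /* any local account can open the node */
	NODE_FOREIGN_OWNER = 1 << 1, /* owned by an account that is neither root nor the compositor */
	NODE_SHARED_GROUP  = 1 << 2, /* group access goes to a group other than the compositor's */
	NODE_NO_ACCESS     = 1 << 3, /* compositor account cannot open the node read/write */
};

/* Pure classification of one node's mode and ownership. */
static int
classify_node(mode_t mode, uid_t uid, gid_t gid, uid_t comp_uid, gid_t comp_gid)
{
	int flags = NODE_OK;
	int owner_rw = (mode & (S_IRUSR | S_IWUSR)) == (S_IRUSR | S_IWUSR);
	int group_rw = (mode & (S_IRGRP | S_IWGRP)) == (S_IRGRP | S_IWGRP);
	int other_rw = (mode & (S_IROTH | S_IWOTH)) == (S_IROTH | S_IWOTH);

	if (mode & (S_IROTH | S_IWOTH))
		flags |= NODE_WORLD_ACCESS;
	if (uid != 0 && uid != comp_uid && (mode & (S_IRUSR | S_IWUSR)))
		flags |= NODE_FOREIGN_OWNER;
	if (gid != 0 && gid != comp_gid && (mode & (S_IRGRP | S_IWGRP)))
		flags |= NODE_SHARED_GROUP;
	if (!((uid == comp_uid && owner_rw) ||
	      (gid == comp_gid && group_rw) || other_rw))
		flags |= NODE_NO_ACCESS;
	return flags;
}

/* Returns -1 if the path cannot be stat()ed or is not a character device. */
static int
audit_path(const char *path, uid_t comp_uid, gid_t comp_gid)
{
	struct stat st;

	if (stat(path, &st) != 0 || !S_ISCHR(st.st_mode))
		return -1;
	return classify_node(st.st_mode & 07777, st.st_uid, st.st_gid,
			     comp_uid, comp_gid);
}

int
main(int argc, char *argv[])
{
	int bad = 0;

	if (argc < 4) {
		fprintf(stderr, "usage: %s <compositor-uid> <compositor-gid> <node>...\n",
			argv[0]);
		return 2;
	}
	uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
	gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);

	for (int i = 3; i < argc; i++) {
		int f = audit_path(argv[i], uid, gid);

		if (f < 0) {
			printf("%s: missing or not a character device\n", argv[i]);
			bad = 1;
			continue;
		}
		printf("%s:%s%s%s%s%s\n", argv[i],
		       f == NODE_OK ? " ok" : "",
		       f & NODE_WORLD_ACCESS ? " world-accessible" : "",
		       f & NODE_FOREIGN_OWNER ? " foreign-owner" : "",
		       f & NODE_SHARED_GROUP ? " shared-group" : "",
		       f & NODE_NO_ACCESS ? " compositor-cannot-open" : "");
		if (f != NODE_OK)
			bad = 1;
	}
	return bad;
}
```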


Re: [PATCH weston] launcher: don't exit when user is not root

2017-10-31 Thread Pekka Paalanen
On Tue, 31 Oct 2017 09:29:11 +0200
Pekka Paalanen  wrote:

> On Mon, 30 Oct 2017 15:29:58 +
> "Ucan, Emre (ADITG/ESB)"  wrote:
> 

> > IMO, it is much explanatory to get an error like "Cannot open drm
> > device" than "weston cannot run as non-root user".  
> 
> That's true. The actual error messages you get when no launcher
> succeeds are:
> 
> "fatal: drm backend should be run using weston-launch binary or as root"
> "fatal: fbdev backend should be run using weston-launch binary or as root"
> 
> I would be quite happy to improve those error messages to be more
> helpful. I believe they were written before logind support existed.

Hi,

I'm actually writing a patch to improve these error messages myself.


Thanks,
pq




Re: [PATCH weston] launcher: don't exit when user is not root

2017-10-31 Thread Pekka Paalanen
On Mon, 30 Oct 2017 18:56:02 +0100
Michal Suchanek  wrote:

> On 30 October 2017 at 16:02, Pekka Paalanen  wrote:
> > On Mon, 30 Oct 2017 15:20:42 +0100
> > Emre Ucan  wrote:
> >  
> >> weston does not need to be root.
> >> It requires adjusting ownership on the given tty device.
> >>
> >> If weston does not have proper rights, it will get
> >> an error at startup anyway.
> >>
> >> Signed-off-by: Emre Ucan 
> >> ---
> >>  libweston/launcher-direct.c | 3 ---
> >>  1 file changed, 3 deletions(-)
> >>
> >> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> >> index a5d3ee5..b05d214 100644
> >> --- a/libweston/launcher-direct.c
> >> +++ b/libweston/launcher-direct.c
> >> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, 
> >> struct weston_compositor *
> >>  {
> >>   struct launcher_direct *launcher;
> >>
> >> - if (geteuid() != 0)
> >> - return -EINVAL;
> >> -
> >>   launcher = zalloc(sizeof(*launcher));
> >>   if (launcher == NULL)
> >>   return -ENOMEM;  
> >
> > NAK, for the reasons explained in
> > https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html
> >
> > To summarize, it's not only tty permissions but DRM and input devices
> > as well.  
> 
> DRM and input is supposed to be accessible by console user on desktop systems.

Hi Michal,

thanks for your concern, but I believe the world has moved on. We have
a much better model with an agent like logind now.

That old approach had the inherent security issues which I assume have
discouraged its use and encouraged looking for better alternatives.

> Ever heard of rootless X?

Yes. I believe it uses logind now.

> Any user on the console should be able to randomly decide to run a GUI
> server without any special privileges.

Presuming yes, then that is what logind or another agent like
weston-launch allows. They also make it harder for you to shoot
yourself in the foot by e.g. running two display servers on the same
devices simultaneously.

> This can be set up by logind or it can be hardcoded by the
> administrator to a particular user. Whatever the case just running the
> GUI server should work without issues when permissions are set up
> correctly.

It can be done by setting up user permissions. That does not mean it is
the best available solution.

> > If you set all these so that weston can actually run without
> > root using the direct launcher, then quite likely you have opened some
> > security holes.
> >
> > The direct launcher is specifically meant for running weston as root.
> > Running as root is only for debugging and development, never for
> > production.  
> 
> If you can run it as root you can run it as any user with sufficient
> permissions.
> 
> The security implications of different setups should be the concern of
> the system administrator and not launcher-direct.

I will still refuse to take in code that promotes bad practices where I
see it. Enforcement in code is always more powerful than documentation
saying one should not do this.


Thanks,
pq




Re: [PATCH weston] launcher: don't exit when user is not root

2017-10-31 Thread Pekka Paalanen
On Mon, 30 Oct 2017 15:29:58 +
"Ucan, Emre (ADITG/ESB)" <eu...@de.adit-jv.com> wrote:

> Hi Pekka,
> 
> We are of course running graphical applications as a different user
> than weston user. Therefore, the security flaws, which you mentioned,
> are not applicable.

Yes. That is exactly what I meant that even if you somehow managed to
make it safe, it does not make it any more appropriate to give the
weston user these permissions directly.

> Correct me if I am wrong, but weston-launch and logind are using
> setuid(), which itself is a major security problem. Furthermore, IMO
> logind is not needed in an embedded system. The fancy tty and input
> handling for a multi-user environment is not needed in an embedded
> system.

They are setuid or equivalent, yes. They have been intended to be that
from the very beginning, so their design should account for it.

logind is not just for multi-user, it is also for privilege separation
- exactly the thing you have reinvented yourself with user accounts,
except your solution does not generalize, and no-one else uses,
develops, or audits it. No-one *could* even use it aside from using
your distribution, because it relies on user accounts setup and file
permissions rather than any particular piece of software.

Recovering from a Weston crash is another example where using an agent
is a good thing. Weston does have a SIGABRT/SIGSEGV handler that
attempts to restore the VT before raising SIGTRAP for debuggers, but
it's obviously not reliable.

> I do not understand why you are against this patch. The patch is only
> removing an unnecessary restriction of running weston directly. This
> patch is not setting any privileged rights to any non-root user :).
> Users of weston would still get errors if they do not set the rights
> accordingly.

This patch is promoting bad practice. Therefore I am against it.

> IMO, it is much explanatory to get an error like "Cannot open drm
> device" than "weston cannot run as non-root user".

That's true. The actual error messages you get when no launcher
succeeds are:

"fatal: drm backend should be run using weston-launch binary or as root"
"fatal: fbdev backend should be run using weston-launch binary or as root"

I would be quite happy to improve those error messages to be more
helpful. I believe they were written before logind support existed.

None of this still changes the fact that launcher-direct has been
written for root use only, as a debugging aid.


Thanks,
pq


> > -Original Message-
> > From: Pekka Paalanen [mailto:ppaala...@gmail.com]
> > Sent: Montag, 30. Oktober 2017 16:02
> > To: Ucan, Emre (ADITG/ESB)
> > Cc: wayland-devel@lists.freedesktop.org
> > Subject: Re: [PATCH weston] launcher: don't exit when user is not
> > root
> > 
> > On Mon, 30 Oct 2017 15:20:42 +0100
> > Emre Ucan <eu...@de.adit-jv.com> wrote:
> >   
> > > weston does not need to be root.
> > > It requires adjusting ownership on the given tty device.
> > >
> > > If weston does not have proper rights, it will get
> > > an error at startup anyway.
> > >
> > > Signed-off-by: Emre Ucan <eu...@de.adit-jv.com>
> > > ---
> > >  libweston/launcher-direct.c | 3 ---
> > >  1 file changed, 3 deletions(-)
> > >
> > > diff --git a/libweston/launcher-direct.c
> > > b/libweston/launcher-direct.c index a5d3ee5..b05d214 100644
> > > --- a/libweston/launcher-direct.c
> > > +++ b/libweston/launcher-direct.c
> > > @@ -276,9 +276,6 @@ launcher_direct_connect(struct
> > > weston_launcher  
> > **out, struct weston_compositor *  
> > >  {
> > >   struct launcher_direct *launcher;
> > >
> > > - if (geteuid() != 0)
> > > - return -EINVAL;
> > > -
> > >   launcher = zalloc(sizeof(*launcher));
> > >   if (launcher == NULL)
> > >   return -ENOMEM;  
> > 
> > NAK, for the reasons explained in
> > https://lists.freedesktop.org/archives/wayland-devel/2017-
> > October/035582.html
> > 
> > To summarize, it's not only tty permissions but DRM and input
> > devices as well. If you set all these so that weston can actually
> > run without root using the direct launcher, then quite likely you
> > have opened some security holes.
> > 
> > The direct launcher is specifically meant for running weston as
> > root. Running as root is only for debugging and development, never
> > for production.
> > 
> > 
> > Thanks,
> > pq  





Re: [PATCH weston] launcher: don't exit when user is not root

2017-10-30 Thread Michal Suchanek
On 30 October 2017 at 16:02, Pekka Paalanen  wrote:
> On Mon, 30 Oct 2017 15:20:42 +0100
> Emre Ucan  wrote:
>
>> weston does not need to be root.
>> It requires adjusting ownership on the given tty device.
>>
>> If weston does not have proper rights, it will get
>> an error at startup anyway.
>>
>> Signed-off-by: Emre Ucan 
>> ---
>>  libweston/launcher-direct.c | 3 ---
>>  1 file changed, 3 deletions(-)
>>
>> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
>> index a5d3ee5..b05d214 100644
>> --- a/libweston/launcher-direct.c
>> +++ b/libweston/launcher-direct.c
>> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, 
>> struct weston_compositor *
>>  {
>>   struct launcher_direct *launcher;
>>
>> - if (geteuid() != 0)
>> - return -EINVAL;
>> -
>>   launcher = zalloc(sizeof(*launcher));
>>   if (launcher == NULL)
>>   return -ENOMEM;
>
> NAK, for the reasons explained in
> https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html
>
> To summarize, it's not only tty permissions but DRM and input devices
> as well.

DRM and input is supposed to be accessible by console user on desktop systems.

Ever heard of rootless X?

Any user on the console should be able to randomly decide to run a GUI
server without any special privileges.

This can be set up by logind or it can be hardcoded by the
administrator to a particular user. Whatever the case just running the
GUI server should work without issues when permissions are set up
correctly.

> If you set all these so that weston can actually run without
> root using the direct launcher, then quite likely you have opened some
> security holes.
>
> The direct launcher is specifically meant for running weston as root.
> Running as root is only for debugging and development, never for
> production.

If you can run it as root you can run it as any user with sufficient
permissions.

The security implications of different setups should be the concern of
the system administrator and not launcher-direct.

Thanks

Michal


Re: [PATCH weston] launcher: don't exit when user is not root

2017-10-30 Thread Matt Hoosier
On Mon, Oct 30, 2017 at 10:02 AM, Pekka Paalanen 
wrote:

> On Mon, 30 Oct 2017 15:20:42 +0100
> Emre Ucan  wrote:
>
> > weston does not need to be root.
> > It requires adjusting ownership on the given tty device.
> >
> > If weston does not have proper rights, it will get
> > an error at startup anyway.
> >
> > Signed-off-by: Emre Ucan 
> > ---
> >  libweston/launcher-direct.c | 3 ---
> >  1 file changed, 3 deletions(-)
> >
> > diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> > index a5d3ee5..b05d214 100644
> > --- a/libweston/launcher-direct.c
> > +++ b/libweston/launcher-direct.c
> > @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher
> **out, struct weston_compositor *
> >  {
> >   struct launcher_direct *launcher;
> >
> > - if (geteuid() != 0)
> > - return -EINVAL;
> > -
> >   launcher = zalloc(sizeof(*launcher));
> >   if (launcher == NULL)
> >   return -ENOMEM;
>
> NAK, for the reasons explained in
> https://lists.freedesktop.org/archives/wayland-devel/2017-
> October/035582.html
>
> To summarize, it's not only tty permissions but DRM and input devices
> as well. If you set all these so that weston can actually run without
> root using the direct launcher, then quite likely you have opened some
> security holes.


Just to confirm then: you are asserting that Weston is making a policy
decision that the system has been configured poorly if it finds that, even
though all the requested ioctl()'s and open()'s and friends have succeeded,
that it didn't happen to be running as root?


RE: [PATCH weston] launcher: don't exit when user is not root

2017-10-30 Thread Ucan, Emre (ADITG/ESB)
Hi Pekka,

We are of course running graphical applications as a different user than weston 
user.
Therefore, the security flaws, which you mentioned, are not applicable.

Correct me if I am wrong, but weston-launch and logind are using setuid(), 
which itself is a major security problem.
Furthermore, IMO logind is not needed in an embedded system. The fancy tty and 
input handling for a multi-user environment is not needed in an embedded system.

I do not understand why you are against this patch. The patch is only removing 
an unnecessary restriction of running weston directly.
This patch is not setting any privileged rights to any non-root user :). Users 
of weston would still get errors if they do not set the rights accordingly.

IMO, it is much explanatory to get an error like "Cannot open drm device" than 
"weston cannot run as non-root user".

Best regards

Emre Ucan
Engineering Software Base (ADITG/ESB)

Tel. +49 5121 49 6937

> -Original Message-
> From: Pekka Paalanen [mailto:ppaala...@gmail.com]
> Sent: Montag, 30. Oktober 2017 16:02
> To: Ucan, Emre (ADITG/ESB)
> Cc: wayland-devel@lists.freedesktop.org
> Subject: Re: [PATCH weston] launcher: don't exit when user is not root
> 
> On Mon, 30 Oct 2017 15:20:42 +0100
> Emre Ucan <eu...@de.adit-jv.com> wrote:
> 
> > weston does not need to be root.
> > It requires adjusting ownership on the given tty device.
> >
> > If weston does not have proper rights, it will get
> > an error at startup anyway.
> >
> > Signed-off-by: Emre Ucan <eu...@de.adit-jv.com>
> > ---
> >  libweston/launcher-direct.c | 3 ---
> >  1 file changed, 3 deletions(-)
> >
> > diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> > index a5d3ee5..b05d214 100644
> > --- a/libweston/launcher-direct.c
> > +++ b/libweston/launcher-direct.c
> > @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher
> **out, struct weston_compositor *
> >  {
> > struct launcher_direct *launcher;
> >
> > -   if (geteuid() != 0)
> > -   return -EINVAL;
> > -
> > launcher = zalloc(sizeof(*launcher));
> > if (launcher == NULL)
> > return -ENOMEM;
> 
> NAK, for the reasons explained in
> https://lists.freedesktop.org/archives/wayland-devel/2017-
> October/035582.html
> 
> To summarize, it's not only tty permissions but DRM and input devices
> as well. If you set all these so that weston can actually run without
> root using the direct launcher, then quite likely you have opened some
> security holes.
> 
> The direct launcher is specifically meant for running weston as root.
> Running as root is only for debugging and development, never for
> production.
> 
> 
> Thanks,
> pq


Re: [PATCH weston] launcher: don't exit when user is not root

2017-10-30 Thread Pekka Paalanen
On Mon, 30 Oct 2017 15:20:42 +0100
Emre Ucan  wrote:

> weston does not need to be root.
> It requires adjusting ownership on the given tty device.
> 
> If weston does not have proper rights, it will get
> an error at startup anyway.
> 
> Signed-off-by: Emre Ucan 
> ---
>  libweston/launcher-direct.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> index a5d3ee5..b05d214 100644
> --- a/libweston/launcher-direct.c
> +++ b/libweston/launcher-direct.c
> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, 
> struct weston_compositor *
>  {
>   struct launcher_direct *launcher;
>  
> - if (geteuid() != 0)
> - return -EINVAL;
> -
>   launcher = zalloc(sizeof(*launcher));
>   if (launcher == NULL)
>   return -ENOMEM;
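Review bot: Missing documentation: the diffstat is one file with three deletions, so the change in who may call launcher_direct_connect() is recorded only in the commit message, and that message names tty ownership alone. A comment above the function stating what access a non-root caller must already hold, or a note in the launcher documentation, should accompany the removal so the requirement does not live only in the commit log.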

NAK, for the reasons explained in
https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html

To summarize, it's not only tty permissions but DRM and input devices
as well. If you set all these so that weston can actually run without
root using the direct launcher, then quite likely you have opened some
security holes.

The direct launcher is specifically meant for running weston as root.
Running as root is only for debugging and development, never for
production.


Thanks,
pq




[PATCH weston] launcher: don't exit when user is not root

2017-10-30 Thread Emre Ucan
weston does not need to be root.
It requires adjusting ownership on the given tty device.

If weston does not have proper rights, it will get
an error at startup anyway.

Signed-off-by: Emre Ucan 
---
 libweston/launcher-direct.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
index a5d3ee5..b05d214 100644
--- a/libweston/launcher-direct.c
+++ b/libweston/launcher-direct.c
@@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, 
struct weston_compositor *
 {
struct launcher_direct *launcher;
 
-   if (geteuid() != 0)
-   return -EINVAL;
-
launcher = zalloc(sizeof(*launcher));
if (launcher == NULL)
return -ENOMEM;
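Review bot: With the `geteuid() != 0` early return at the top of launcher_direct_connect() deleted and nothing put in its place, a non-root caller now falls through to the zalloc() and whatever setup follows it. The commit message relies on "an error at startup anyway", but the hunk does not show which later call fails or what it returns; please name that failure path in the commit message and confirm it frees `launcher` and returns a meaningful error rather than leaving the launcher half initialised.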
-- 
2.7.4
