Re: [PATCH weston] launcher: don't exit when user is not root
On the 30th of October 2017 16:02, Pekka Paalanen wrote:

On Mon, 30 Oct 2017 15:20:42 +0100 Emre Ucan wrote:

weston does not need to be root.
It requires adjusting ownership on the given tty device.

If weston does not have proper rights, it will get an error at startup anyway.

Signed-off-by: Emre Ucan
---
libweston/launcher-direct.c | 3 ---
1 file changed, 3 deletions(-)

diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
index a5d3ee5..b05d214 100644
--- a/libweston/launcher-direct.c
+++ b/libweston/launcher-direct.c
@@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, struct weston_compositor * { struct launcher_direct *launcher; - if (geteuid() != 0) - return -EINVAL; - launcher = zalloc(sizeof(*launcher)); if (launcher == NULL) return -ENOMEM;

NAK, for the reasons explained in
https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html

To summarize, it's not only tty permissions but DRM and input devices as well. If you set all these so that weston can actually run without root using the direct launcher, then quite likely you have opened some security holes.

The direct launcher is specifically meant for running weston as root. Running as root is only for debugging and development, never for production.

Thanks,
pq

Hello everybody

Personally, I do prefer the way Pekka handles the matter and applying a little more advanced software engineering is not a bad choice. But sadly to say and without any offence, for sure, reality and life is very different and diversified when compared with our desires.

Indeed, there are pros and cons for both sides: In general, Weston must be as flexible as possible for being accepted by everybody eventually. Furthermore, an embedded system has always been and still is a special case where everything goes, so to say. In this respect, it is very hard or even impossible to convince a developer of an embedded system to carry the unneeded code along, specifically in the case that somebody does not need any safety, security, and reliability properties, or/and exactly knows what she/he is doing and hence is willing to take any risks, as said by the embedded system developers in this thread.

Therefore, using Weston in a root debug or special embedded system way should not be excluded as some kind of a common option. This leads to various potential compromises, such as for example:

(a) a custom-made configuration of a development tool (e.g. CASE tool) excludes the unneeded part of the safe, secure, and reliable Weston code for an individual architecture, framework, or project,
(b) a compiler flag and a related message that shows a clear warning that the result of the compilation is not included in the safe, secure, and reliable Weston environment anymore, or
(c) an own subproject of Weston with an own chapter in the documentation for the root debug development option and the special embedded system "use case", that
- could be titled "Weston Root Debug (Weston RD)" or "Weston Bare Metal (Weston BM)" for example, and
- explains the differences between the proper Weston and the special Weston variants and also gives a clear warning about the potential safety, security, and reliability issues.

Best Regards
Christian Stroetmann

___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH weston] launcher: don't exit when user is not root
On 31 October 2017 at 16:42, Michal Suchanek wrote:
>>> Ever heard of rootless X?
>>
>> Yes. I believe it uses logind now.
>
> The documentation says otherwise.
>

See xserver commit e7b84ca46944895971a8f048c7e34869b7de01c0 and the other work by Hans in the area.
I'm suspecting the documentation is out of date.

-Emil
Re: [PATCH weston] launcher: don't exit when user is not root
On 31 October 2017 at 08:49, Pekka Paalanen wrote:
> On Mon, 30 Oct 2017 18:56:02 +0100
> Michal Suchanek wrote:
>
>> On 30 October 2017 at 16:02, Pekka Paalanen wrote:
>> > On Mon, 30 Oct 2017 15:20:42 +0100
>> > Emre Ucan wrote:
>> >
>> >> weston does not need to be root.
>> >> It requires adjusting ownership on the given tty device.
>> >>
>> >> If weston does not have proper rights, it will get
>> >> an error at startup anyway.
>> >>
>> >> Signed-off-by: Emre Ucan
>> >> ---
>> >> libweston/launcher-direct.c | 3 ---
>> >> 1 file changed, 3 deletions(-)
>> >>
>> >> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
>> >> index a5d3ee5..b05d214 100644
>> >> --- a/libweston/launcher-direct.c
>> >> +++ b/libweston/launcher-direct.c
>> >> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, >> >> struct weston_compositor * >> >> { >> >> struct launcher_direct *launcher; >> >> >> >> - if (geteuid() != 0) >> >> - return -EINVAL; >> >> - >> >> launcher = zalloc(sizeof(*launcher)); >> >> if (launcher == NULL) >> >> return -ENOMEM;
>> >
>> > NAK, for the reasons explained in
>> > https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html
>> >
>> > To summarize, it's not only tty permissions but DRM and input devices
>> > as well.
>>
>> DRM and input is supposed to be accessible by console user on desktop
>> systems.
>
> Hi Michal,
>
> thanks for your concern, but I believe the world has moved on. We have
> a much better model with an agent like logind now.

Why is the model better? In the end the agent relies on permissions as well.

On systems with multiple users it makes sense to automate the task of setting up the user permissions with an agent. However, on an embedded system setting the permissions statically in an installation image may make more sense. Then you have one less thing to audit for security - namely the agent which you do not use.

>
> That old approach had the inherent security issues which I assume have
> discouraged its use and encouraged looking for better alternatives.
>
>> Ever heard of rootless X?
>
> Yes. I believe it uses logind now.

The documentation says otherwise.

>
>> Any user on the console should be able to randomly decide to run a GUI
>> server without any special privileges.
>
> Presuming yes, then that is what logind or another agent like
> weston-launch allows. They also make it harder for you to shoot
> yourself in the foot by e.g. running two display servers on the same
> devices simultaneously.

Which is what tracking service units is for as well - it should run the server only once.

>
>> This can be set up by logind or it can be hardcoded by the
>> administrator to a particular user. Whatever the case just running the
>> GUI server should work without issues when permissions are set up
>> correctly.
>
> It can be done by setting up user permissions. That does not mean it is
> the best available solution.

It can be done by logind or weston-launch. It does not mean it is the best solution.

>
>> > If you set all these so that weston can actually run without
>> > root using the direct launcher, then quite likely you have opened some
>> > security holes.
>> >
>> > The direct launcher is specifically meant for running weston as root.
>> > Running as root is only for debugging and development, never for
>> > production.
>>
>> If you can run it as root you can run it as any user with sufficient
>> permissions.
>>
>> The security implications of different setups should be the concern of
>> the system administrator and not launcher-direct.
>
> I will still refuse to take in code that promotes bad practices where I
> see it. Enforcement in code is always more powerful than documentation
> saying one should not do this.

And what exactly is the bad practice here? Accessing devices that you have permission to access granted by the system administrator but which are not set up as accessible to you by policykit? If you should not have access to some devices then the system administrator should revoke your permissions.

weston is a display server. It is not a security audit software. So it has no business auditing your security setup.

Thanks

Michal
Re: [PATCH weston] launcher: don't exit when user is not root
On Tue, 31 Oct 2017 09:29:11 +0200 Pekka Paalanen wrote:
> On Mon, 30 Oct 2017 15:29:58 +
> "Ucan, Emre (ADITG/ESB)" wrote:
>
> > IMO, it is much more explanatory to get an error like "Cannot open drm
> > device" than "weston cannot run as non-root user".
>
> That's true. The actual error messages you get when no launcher
> succeeds are:
>
> "fatal: drm backend should be run using weston-launch binary or as root"
> "fatal: fbdev backend should be run using weston-launch binary or as root"
>
> I would be quite happy to improve those error messages to be more
> helpful. I believe they were written before logind support existed.

Hi,

I'm actually writing a patch to improve these error messages myself.

Thanks,
pq
Re: [PATCH weston] launcher: don't exit when user is not root
On Mon, 30 Oct 2017 18:56:02 +0100 Michal Suchanek wrote:
> On 30 October 2017 at 16:02, Pekka Paalanen wrote:
> > On Mon, 30 Oct 2017 15:20:42 +0100
> > Emre Ucan wrote:
> >
> >> weston does not need to be root.
> >> It requires adjusting ownership on the given tty device.
> >>
> >> If weston does not have proper rights, it will get
> >> an error at startup anyway.
> >>
> >> Signed-off-by: Emre Ucan
> >> ---
> >> libweston/launcher-direct.c | 3 ---
> >> 1 file changed, 3 deletions(-)
> >>
> >> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> >> index a5d3ee5..b05d214 100644
> >> --- a/libweston/launcher-direct.c
> >> +++ b/libweston/launcher-direct.c
> >> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, > >> struct weston_compositor * > >> { > >> struct launcher_direct *launcher; > >> > >> - if (geteuid() != 0) > >> - return -EINVAL; > >> - > >> launcher = zalloc(sizeof(*launcher)); > >> if (launcher == NULL) > >> return -ENOMEM;
> >
> > NAK, for the reasons explained in
> > https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html
> >
> > To summarize, it's not only tty permissions but DRM and input devices
> > as well.
>
> DRM and input is supposed to be accessible by console user on desktop systems.

Hi Michal,

thanks for your concern, but I believe the world has moved on. We have a much better model with an agent like logind now.

That old approach had the inherent security issues which I assume have discouraged its use and encouraged looking for better alternatives.

> Ever heard of rootless X?

Yes. I believe it uses logind now.

> Any user on the console should be able to randomly decide to run a GUI
> server without any special privileges.

Presuming yes, then that is what logind or another agent like weston-launch allows. They also make it harder for you to shoot yourself in the foot by e.g. running two display servers on the same devices simultaneously.

> This can be set up by logind or it can be hardcoded by the
> administrator to a particular user. Whatever the case just running the
> GUI server should work without issues when permissions are set up
> correctly.

It can be done by setting up user permissions. That does not mean it is the best available solution.

> > If you set all these so that weston can actually run without
> > root using the direct launcher, then quite likely you have opened some
> > security holes.
> >
> > The direct launcher is specifically meant for running weston as root.
> > Running as root is only for debugging and development, never for
> > production.
>
> If you can run it as root you can run it as any user with sufficient
> permissions.
>
> The security implications of different setups should be the concern of
> the system administrator and not launcher-direct.

I will still refuse to take in code that promotes bad practices where I see it. Enforcement in code is always more powerful than documentation saying one should not do this.

Thanks,
pq
Re: [PATCH weston] launcher: don't exit when user is not root
On Mon, 30 Oct 2017 15:29:58 + "Ucan, Emre (ADITG/ESB)" <eu...@de.adit-jv.com> wrote:
> Hi Pekka,
>
> We are of course running graphical applications as a different user
> than weston user. Therefore, the security flaws, which you mentioned,
> are not applicable.

Yes. That is exactly what I meant that even if you somehow managed to make it safe, it does not make it any more appropriate to give the weston user these permissions directly.

> Correct me if I am wrong, but weston-launch and logind are using
> setuid(), which itself is a major security problem. Furthermore, IMO
> logind is not needed in an embedded system. The fancy tty and input
> handling for a multi-user environment is not needed in an embedded
> system.

They are setuid or equivalent, yes. They have been intended to be that from the very beginning, so their design should account for it.

logind is not just for multi-user, it is also for privilege separation - exactly the thing you have reinvented yourself with user accounts, except your solution does not generalize, and no-one else uses, develops, or audits it. No-one *could* even use it aside from using your distribution, because it relies on user accounts setup and file permissions rather than any particular piece of software.

Recovering from a Weston crash is another example where using an agent is a good thing. Weston does have a SIGABRT/SIGSEGV handler that attempts to restore the VT before raising SIGTRAP for debuggers, but it's obviously not reliable.

> I do not understand why you are against this patch. The patch is only
> removing an unnecessary restriction of running weston directly. This
> patch is not setting any privileged rights to any non-root user :).
> Users of weston would still get errors if they do not set the rights
> accordingly.

This patch is promoting bad practice. Therefore I am against it.

> IMO, it is much more explanatory to get an error like "Cannot open drm
> device" than "weston cannot run as non-root user".

That's true. The actual error messages you get when no launcher succeeds are:

"fatal: drm backend should be run using weston-launch binary or as root"
"fatal: fbdev backend should be run using weston-launch binary or as root"

I would be quite happy to improve those error messages to be more helpful. I believe they were written before logind support existed.

None of this still changes the fact that launcher-direct has been written for root use only, as a debugging aid.

Thanks,
pq

> > -Original Message-
> > From: Pekka Paalanen [mailto:ppaala...@gmail.com]
> > Sent: Montag, 30. Oktober 2017 16:02
> > To: Ucan, Emre (ADITG/ESB)
> > Cc: wayland-devel@lists.freedesktop.org
> > Subject: Re: [PATCH weston] launcher: don't exit when user is not
> > root
> >
> > On Mon, 30 Oct 2017 15:20:42 +0100
> > Emre Ucan <eu...@de.adit-jv.com> wrote:
> >
> > > weston does not need to be root.
> > > It requires adjusting ownership on the given tty device.
> > >
> > > If weston does not have proper rights, it will get
> > > an error at startup anyway.
> > >
> > > Signed-off-by: Emre Ucan <eu...@de.adit-jv.com>
> > > ---
> > > libweston/launcher-direct.c | 3 ---
> > > 1 file changed, 3 deletions(-)
> > >
> > > diff --git a/libweston/launcher-direct.c
> > > b/libweston/launcher-direct.c index a5d3ee5..b05d214 100644
> > > --- a/libweston/launcher-direct.c
> > > +++ b/libweston/launcher-direct.c
> > > @@ -276,9 +276,6 @@ launcher_direct_connect(struct > > > weston_launcher > > **out, struct weston_compositor * > > > { > > > struct launcher_direct *launcher; > > > > > > - if (geteuid() != 0) > > > - return -EINVAL; > > > - > > > launcher = zalloc(sizeof(*launcher)); > > > if (launcher == NULL) > > > return -ENOMEM;
> >
> > NAK, for the reasons explained in
> > https://lists.freedesktop.org/archives/wayland-devel/2017-
> > October/035582.html
> >
> > To summarize, it's not only tty permissions but DRM and input
> > devices as well. If you set all these so that weston can actually
> > run without root using the direct launcher, then quite likely you
> > have opened some security holes.
> >
> > The direct launcher is specifically meant for running weston as
> > root. Running as root is only for debugging and development, never
> > for production.
> >
> >
> > Thanks,
> > pq
Re: [PATCH weston] launcher: don't exit when user is not root
On 30 October 2017 at 16:02, Pekka Paalanen wrote:
> On Mon, 30 Oct 2017 15:20:42 +0100
> Emre Ucan wrote:
>
>> weston does not need to be root.
>> It requires adjusting ownership on the given tty device.
>>
>> If weston does not have proper rights, it will get
>> an error at startup anyway.
>>
>> Signed-off-by: Emre Ucan
>> ---
>> libweston/launcher-direct.c | 3 ---
>> 1 file changed, 3 deletions(-)
>>
>> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
>> index a5d3ee5..b05d214 100644
>> --- a/libweston/launcher-direct.c
>> +++ b/libweston/launcher-direct.c
>> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, >> struct weston_compositor * >> { >> struct launcher_direct *launcher; >> >> - if (geteuid() != 0) >> - return -EINVAL; >> - >> launcher = zalloc(sizeof(*launcher)); >> if (launcher == NULL) >> return -ENOMEM;
>
> NAK, for the reasons explained in
> https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html
>
> To summarize, it's not only tty permissions but DRM and input devices
> as well.

DRM and input is supposed to be accessible by console user on desktop systems.

Ever heard of rootless X?

Any user on the console should be able to randomly decide to run a GUI server without any special privileges.

This can be set up by logind or it can be hardcoded by the administrator to a particular user. Whatever the case just running the GUI server should work without issues when permissions are set up correctly.

> If you set all these so that weston can actually run without
> root using the direct launcher, then quite likely you have opened some
> security holes.
>
> The direct launcher is specifically meant for running weston as root.
> Running as root is only for debugging and development, never for
> production.

If you can run it as root you can run it as any user with sufficient permissions.

The security implications of different setups should be the concern of the system administrator and not launcher-direct.

Thanks

Michal
Re: [PATCH weston] launcher: don't exit when user is not root
On Mon, Oct 30, 2017 at 10:02 AM, Pekka Paalanen wrote:
> On Mon, 30 Oct 2017 15:20:42 +0100
> Emre Ucan wrote:
>
> > weston does not need to be root.
> > It requires adjusting ownership on the given tty device.
> >
> > If weston does not have proper rights, it will get
> > an error at startup anyway.
> >
> > Signed-off-by: Emre Ucan
> > ---
> > libweston/launcher-direct.c | 3 ---
> > 1 file changed, 3 deletions(-)
> >
> > diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> > index a5d3ee5..b05d214 100644
> > --- a/libweston/launcher-direct.c
> > +++ b/libweston/launcher-direct.c
> > @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher > **out, struct weston_compositor * > > { > > struct launcher_direct *launcher; > > > > - if (geteuid() != 0) > > - return -EINVAL; > > - > > launcher = zalloc(sizeof(*launcher)); > > if (launcher == NULL) > > return -ENOMEM;
>
> NAK, for the reasons explained in
> https://lists.freedesktop.org/archives/wayland-devel/2017-
> October/035582.html
>
> To summarize, it's not only tty permissions but DRM and input devices
> as well. If you set all these so that weston can actually run without
> root using the direct launcher, then quite likely you have opened some
> security holes.

Just to confirm then: you are asserting that Weston is making a policy decision that the system has been configured poorly if it finds that, even though all the requested ioctl()'s and open()'s and friends have succeeded, that it didn't happen to be running as root?
RE: [PATCH weston] launcher: don't exit when user is not root
Hi Pekka,

We are of course running graphical applications as a different user than weston user. Therefore, the security flaws, which you mentioned, are not applicable.

Correct me if I am wrong, but weston-launch and logind are using setuid(), which itself is a major security problem. Furthermore, IMO logind is not needed in an embedded system. The fancy tty and input handling for a multi-user environment is not needed in an embedded system.

I do not understand why you are against this patch. The patch is only removing an unnecessary restriction of running weston directly. This patch is not setting any privileged rights to any non-root user :). Users of weston would still get errors if they do not set the rights accordingly.

IMO, it is much more explanatory to get an error like "Cannot open drm device" than "weston cannot run as non-root user".

Best regards

Emre Ucan
Engineering Software Base (ADITG/ESB)
Tel. +49 5121 49 6937

> -Original Message-
> From: Pekka Paalanen [mailto:ppaala...@gmail.com]
> Sent: Montag, 30. Oktober 2017 16:02
> To: Ucan, Emre (ADITG/ESB)
> Cc: wayland-devel@lists.freedesktop.org
> Subject: Re: [PATCH weston] launcher: don't exit when user is not root
>
> On Mon, 30 Oct 2017 15:20:42 +0100
> Emre Ucan <eu...@de.adit-jv.com> wrote:
>
> > weston does not need to be root.
> > It requires adjusting ownership on the given tty device.
> >
> > If weston does not have proper rights, it will get
> > an error at startup anyway.
> >
> > Signed-off-by: Emre Ucan <eu...@de.adit-jv.com>
> > ---
> > libweston/launcher-direct.c | 3 ---
> > 1 file changed, 3 deletions(-)
> >
> > diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> > index a5d3ee5..b05d214 100644
> > --- a/libweston/launcher-direct.c
> > +++ b/libweston/launcher-direct.c
> > @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher > **out, struct weston_compositor * > > { > > struct launcher_direct *launcher; > > > > - if (geteuid() != 0) > > - return -EINVAL; > > - > > launcher = zalloc(sizeof(*launcher)); > > if (launcher == NULL) > > return -ENOMEM;
>
> NAK, for the reasons explained in
> https://lists.freedesktop.org/archives/wayland-devel/2017-
> October/035582.html
>
> To summarize, it's not only tty permissions but DRM and input devices
> as well. If you set all these so that weston can actually run without
> root using the direct launcher, then quite likely you have opened some
> security holes.
>
> The direct launcher is specifically meant for running weston as root.
> Running as root is only for debugging and development, never for
> production.
>
>
> Thanks,
> pq
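As an added illustration of the failure mode Emre asks for above and Pekka agrees is clearer (this is example code written for this page, not Weston's launcher): instead of refusing on geteuid(), a direct launcher probes each device node it needs and reports which one failed, with errno and the node's ownership next to the caller's effective ids. The struct, function names and the three device paths are constructed for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One device node a direct launcher needs. Roles and paths are constructed
 * for this example; the real launcher opens its devices elsewhere. */
struct dev_probe {
	const char *role;   /* "tty", "drm" or "input" */
	const char *path;
};

/*
 * Try to open one device node read-write, then close it again.
 * Returns 0 on success or -errno on failure. On failure, 'why' receives a
 * message naming the role, the path and the errno text, plus, when the
 * node exists, its owner and mode next to our own effective ids, so the
 * operator sees which permission is missing rather than "must be root".
 */
int probe_device(const char *role, const char *path, char *why, size_t len)
{
	struct stat st;
	int err;
	int fd = open(path, O_RDWR | O_NOCTTY);

	if (fd >= 0) {
		close(fd);
		why[0] = '\0';
		return 0;
	}
	err = errno;
	if (stat(path, &st) == 0)
		snprintf(why, len,
			 "cannot open %s device %s: %s "
			 "(node uid %u gid %u mode %04o; running as euid %u egid %u)",
			 role, path, strerror(err),
			 (unsigned)st.st_uid, (unsigned)st.st_gid,
			 (unsigned)(st.st_mode & 07777),
			 (unsigned)geteuid(), (unsigned)getegid());
	else
		snprintf(why, len, "cannot open %s device %s: %s",
			 role, path, strerror(err));
	return -err;
}

/*
 * Probe every device in order and stop at the first failure, so the
 * message points at one concrete node. Returns 0 if all opened, else -errno.
 */
int check_direct_access(const struct dev_probe *devs, size_t n,
			char *why, size_t len)
{
	size_t i;

	for (i = 0; i < n; i++) {
		int r = probe_device(devs[i].role, devs[i].path, why, len);
		if (r < 0)
			return r;
	}
	why[0] = '\0';
	return 0;
}

int main(void)
{
	/* Constructed sample: the kind of nodes a direct launcher touches. */
	const struct dev_probe devs[] = {
		{ "tty",   "/dev/tty1" },
		{ "drm",   "/dev/dri/card0" },
		{ "input", "/dev/input/event0" },
	};
	char why[256];
	int r = check_direct_access(devs, sizeof devs / sizeof devs[0],
				    why, sizeof why);

	if (r < 0) {
		fprintf(stderr, "fatal: %s\n", why);
		return 1;
	}
	printf("all devices opened; no geteuid() check was needed\n");
	return 0;
}
```

Run as an unprivileged user on a typical desktop this prints the first node that is not accessible, for example the tty, together with who owns it.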
Re: [PATCH weston] launcher: don't exit when user is not root
On Mon, 30 Oct 2017 15:20:42 +0100 Emre Ucan wrote:
> weston does not need to be root.
> It requires adjusting ownership on the given tty device.
>
> If weston does not have proper rights, it will get
> an error at startup anyway.
>
> Signed-off-by: Emre Ucan
> ---
> libweston/launcher-direct.c | 3 ---
> 1 file changed, 3 deletions(-)
>
> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> index a5d3ee5..b05d214 100644
> --- a/libweston/launcher-direct.c
> +++ b/libweston/launcher-direct.c
> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, > struct weston_compositor * > { > struct launcher_direct *launcher; > > - if (geteuid() != 0) > - return -EINVAL; > - > launcher = zalloc(sizeof(*launcher)); > if (launcher == NULL) > return -ENOMEM;

NAK, for the reasons explained in
https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html

To summarize, it's not only tty permissions but DRM and input devices as well. If you set all these so that weston can actually run without root using the direct launcher, then quite likely you have opened some security holes.

The direct launcher is specifically meant for running weston as root. Running as root is only for debugging and development, never for production.

Thanks,
pq
[PATCH weston] launcher: don't exit when user is not root
weston does not need to be root.
It requires adjusting ownership on the given tty device.

If weston does not have proper rights, it will get an error at startup anyway.

Signed-off-by: Emre Ucan
---
libweston/launcher-direct.c | 3 ---
1 file changed, 3 deletions(-)

diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
index a5d3ee5..b05d214 100644
--- a/libweston/launcher-direct.c
+++ b/libweston/launcher-direct.c
@@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, struct weston_compositor * { struct launcher_direct *launcher; - if (geteuid() != 0) - return -EINVAL; - launcher = zalloc(sizeof(*launcher)); if (launcher == NULL) return -ENOMEM;
--
2.7.4
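Review bot: removing the geteuid() guard in launcher_direct_connect() leaves no replacement diagnostic, so a non-root run now enters the direct launcher and fails only when some later device open fails. The commit message says that error comes "at startup anyway", but as the replies in this thread point out, the existing fallback messages still read "fatal: drm backend should be run using weston-launch binary or as root", so the reported failure would no longer match its cause; if the guard is dropped, the same patch should change those messages to name the device that could not be opened and its errno. The commit message also mentions only tty ownership, while the NAK notes that DRM and input devices must be opened too; it should either list all of them or explain why the tty is the only one that matters.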