Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
On 6/27/20 1:36 PM, William Hubbs wrote: > On Sun, Jun 21, 2020 at 10:02:25PM +0200, Andreas Sturmlechner wrote: >> On Sunday, 21 June 2020 21:27:02 CEST Joonas Niilola wrote: >>> What's the current trend of attaching news items? It >>> makes hard to point out enhancements. >> >> Indeed, I didn't even look at the previous mail that was sent like that. > > I realize I'm late to this and maybe this is being discussed in another > thread (I'm catching up), but attaching newsitems is the standard way of > getting them reviewed; this is not anything new. > > Thanks, > > William > I think the point being made was that the vast majority of news items are posted as content inlined in the email as opposed to an attached file. -- Thanks, Adam Feldman Gentoo Developer np-hard...@gentoo.org 0x671C52F118F89C67 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
On Sun, Jun 21, 2020 at 10:02:25PM +0200, Andreas Sturmlechner wrote: > On Sunday, 21 June 2020 21:27:02 CEST Joonas Niilola wrote: > > What's the current trend of attaching news items? It > > makes hard to point out enhancements. > > Indeed, I didn't even look at the previous mail that was sent like that. I realize I'm late to this and maybe this is being discussed in another thread (I'm catching up), but attaching newsitems is the standard way of getting them reviewed; this is not anything new. Thanks, William signature.asc Description: PGP signature
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
Hi, On 21/06/2020 22.27, Michał Górny wrote: > No offense but it sounds a little chaotic to me. Which is the reasons we do those reviews. Appreciate the suggestions, just sent revision 2 as the response to the very first email in this thread, please check how it looks now. -- Piotr. signature.asc Description: OpenPGP digital signature
[gentoo-dev] Re: News item: xorg-server dropping default suid
Title: xorg-server dropping default suid Author: Piotr Karbowski Posted: 2020-06-22 Revision: 2 News-Item-Format: 2.0 Display-If-Installed: x11-base/xorg-server Starting 2020-07-15, x11-base/xorg-server will default to using the logind interface instead of suid by default. resulting in better security by default through running the server as a regular user instead of root. However, this will require our users to use a logind provider such as elogind or systemd. The systemd users and those who are not using systemd but use desktop profiles can stop reading here, as they already have a logind provider enabled. Others, who have neither systemd or desktop profiles enabled will be required to globally enable 'elogind' USE flag and update the system # emerge --newuse @world Afterwards, one will need to re-login, so the PAM can assign a seat. One can confirm that a seat has been assigned upon login by running: $ loginctl user-status Users who do not wish to use logind interface or have rare hardware that does not use KMS and because of that, require root privileges to operate, can manually re-enable 'suid' and disable 'elogind' USE flags in order to preserve the previous behavior. However, please note that this is heavily discouraged to run X server as root due to security reasons. The 'suid' USE flag will remain as optional opt-in for the need of legacy hardware. signature.asc Description: OpenPGP digital signature
[gentoo-dev] Re: News item: xorg-server dropping default suid
On Sun, Jun 21, 2020 at 09:22:37PM +0200, Piotr Karbowski wrote: > Hi, > > Please find news item attached. I feel that this news item should ALSO remind people that consolekit is deprecated per a news item a few months ago: News Item v3: Desktop profile switching USE default to elogind xorg-server[elogind] forces sys-auth/pambase[elogind] and users who previously had USE='-systemd -elogind' probably have USE=consolekit set. -- Robin Hugh Johnson Gentoo Linux: Dev, Infra Lead, Foundation Treasurer E-Mail : robb...@gentoo.org GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 signature.asc Description: PGP signature
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
200622 Piotr Karbowski wrote: > On 22/06/2020 06.03, Philip Webb wrote: > [...] >> I don't want to use 'systemd', as I want to run a traditional UNIX version >> of Linux + KDE (or Fluxbox) for a simple single-user desktop system. > Then... don't use systemd ! I officially give you my approval for that. > Read what you quoted in your email, elogind is standalone package. > Elogind does work normally in the configuration with OpenRC and startx. Ah, it cb used with 'startx', which is vital for me. >> So again : Why is running 'xorg-server' as root "heavily discouraged" ? > It's common sense to run software with the least privileges they require, > so if new attack vector is discovered, > perhaps there will be no escalation surface to make use of it. OK, understood. It doesn't look as if there's any genuine danger in continuing to use 'xorg-server' with 'suid' on my single-user system, but if it really is as straightforward to use 'elogind' instead, I may decide to change to that method for the reason you offer. Thanks for your explanation & to all the devs for their unpaid labors. -- ,, SUPPORT ___//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT`-O--O---' purslowatcadotinterdotnet
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
Hi, On 22/06/2020 06.03, Philip Webb wrote: [...] > I don't want to use 'systemd', as I want to run a traditional UNIX version > of Linux + KDE (or Fluxbox) for a simple single-user desktop system. Then... don't use systemd? I officially give you my approval for that. Read what you quoted in your email, elogind is standalone package. The elogind does work normally in the configuration with OpenRC and startx. > So i ask again : Why is running 'xorg-server' as root "heavily discouraged" ? It's common sense to run software with the least privileges they require, so if new attack vector is discovered, perhaps there will be no escalation surface to make use of it. -- Piotr. signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
200621 Matt Turner wrote: > On Sun, Jun 21, 2020 at 4:53 PM Philip Webb wrote: >> I've been running xorg-server as root for > 16 yr without any problems. >> AFAIK there are no problems re exploits via I/net browsers, >> which are started by my user as all such user software always is. >> What might go wrong, if I continue to 'startx' >> with 'xorg-server' merged with 'suid -elogind' >> & without the '.xinitrc' line show above in the Wiki ? > For the majority of users -- those that use a graphics driver > with kernel modesetting support -- , X only needs root access > for a small set of things : accessing the DRM device node, > accessing the input device nodes and some stuff around VTs. > The rest of the time, X doesn't need root access. > With elogind, those bits are handled in a small daemon > and X no longer needs to run as root. Most people find that valuable, > especially with the knowledge that there have been > a number of security vulnerabilities that would allow arbitrary code > execution in the xserver over the years [1]. The latest of those was announced in 2018 & all of them seem to involve privilege escalation by local users ; those marked 'remote' all seem to be via off-site logins. There doesn't appear ever to have been a genuine remote threat, so single-user systems have never been threatened by xorg-server as root. > [1] > https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-8600/X.org-Xorg-server.html So i ask again : Why is running 'xorg-server' as root "heavily discouraged" ? There was a similar issue a few years ago, when the game Nethack was threatened with removal from Gentoo due to a security problem which affected only multi-user systems. Is there any difference in this case of xorg-server ? -- ,, SUPPORT ___//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT`-O--O---' purslowatcadotinterdotnet
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
On Sun, Jun 21, 2020 at 4:53 PM Philip Webb wrote: > > 200621 Piotr Karbowski wrote: > > Title: xorg-server dropping default suid > ... > > The Gentoo X11 Team is announcing that starting with 15th of July, > > the x11-base/xorg-server will no longer default to suid > > and will default to using logind interface instead. This change > > makes xorg-server run as regular user rather than root by default, > > however those who do not have any logind interface provider > > -- either systemd or elogind -- will need to enable either > > to make it possible to run X session as unprivileged user. > > No action is required from systemd and desktop profile users, > > since systemd provides logind interface > > and desktop profile already enables 'elogind' USE flag globally. > > Rest of the non-systemd users is required to globally enable > > 'elogind' USE flag and apply it by 'emerge --newuse @world', > > after which, re-login is required so that PAM can allocate seat. > > One can confirm that a seat has been assigned upon login by running: > > $ loginctl user-status > > Those who for whatever reason want to preserve current state, > > while heavily discouraged, > > can still use x11-base/xorg-server with 'suid -elogind'. > > Gentoo Wiki says : > > elogind is the systemd project's logind, extracted to a standalone package. > It's designed for users who prefer a non-systemd init system, > but still want to use popular software such as KDE/Wayland or GNOME > that otherwise hard-depends on systemd. > > startx integration : To have an elogind session created > when using startx to start the X server (instead of a display manager), > add the following to the user's ~/.xinitrc file : FILE ~/.xinitrc >exec dbus-launch --exit-with-session > WINDOW_MANAGER in the above example needs to be replaced > by a window manager or a single application. > > I want to use 'startx' to start X , because I don't want to be trapped > if some problem arises with X or KDE or the login manager > & I need to change config files or remerge pkgs (etc) to rescue myself. > With 'startx' I can do all that work from raw TTYs with no problems, > as I am not forced to go into an X session if I don't want to. Thank you for actually participating in the discussion, unlike the last thread about this topic. > I don't want to use 'systemd', as I want to run a traditional UNIX version > of Linux + KDE (or Fluxbox) for a simple single-user desktop system. > > Why is running 'xorg-server' as root "heavily discouraged" ? > -- I've been doing that with Gentoo for > 16 yr without any problems. > AFAIK there are no problems re exploits via I/net browsers, > which are started by my user as all such user software always is. > What might go wrong, if I continue to 'startx' > with 'xorg-server' merged with 'suid -elogind' > & without the '.xinitrc' line show above in the Wiki ? For the majority of users (those that use a graphics driver with kernel modesetting support), X only needs root access for a small set of things: accessing the DRM device node, accessing the input device nodes, and some stuff around VTs. The rest of the time, X doesn't need root access but still must run as root for those cases I mention. With elogind, those bits are handled in a small daemon, and X no longer needs to run as root. Most people find that to be valuable, especially with the knowledge that there have been a number of security vulnerabilities found that would allow arbitrary code execution in the xserver over the years [1]. Our current default of USE=suid installs /usr/bin/Xorg with the setuid bit set, allowing it to be run *as root* by any user. This enables non-root users to execute startx, for example. I appreciate that Gentoo users are a diverse bunch, to say the least. This news item is about *defaults*. I'm happy to explain the value of the new default to people who are genuinely curious but I have no interest in trying to convince you or anyone else of anything. You're free to keep the status quo with a single line in /etc/portage/package.use. The people building and maintaining the distro think that the new defaults are better defaults for the vast majority of users, but again they're just defaults. [1] https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-8600/X.org-Xorg-server.html
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
200621 Piotr Karbowski wrote: > Title: xorg-server dropping default suid ... > The Gentoo X11 Team is announcing that starting with 15th of July, > the x11-base/xorg-server will no longer default to suid > and will default to using logind interface instead. This change > makes xorg-server run as regular user rather than root by default, > however those who do not have any logind interface provider > -- either systemd or elogind -- will need to enable either > to make it possible to run X session as unprivileged user. > No action is required from systemd and desktop profile users, > since systemd provides logind interface > and desktop profile already enables 'elogind' USE flag globally. > Rest of the non-systemd users is required to globally enable > 'elogind' USE flag and apply it by 'emerge --newuse @world', > after which, re-login is required so that PAM can allocate seat. > One can confirm that a seat has been assigned upon login by running: > $ loginctl user-status > Those who for whatever reason want to preserve current state, > while heavily discouraged, > can still use x11-base/xorg-server with 'suid -elogind'. Gentoo Wiki says : elogind is the systemd project's logind, extracted to a standalone package. It's designed for users who prefer a non-systemd init system, but still want to use popular software such as KDE/Wayland or GNOME that otherwise hard-depends on systemd. startx integration : To have an elogind session created when using startx to start the X server (instead of a display manager), add the following to the user's ~/.xinitrc file : FILE ~/.xinitrc exec dbus-launch --exit-with-session WINDOW_MANAGER in the above example needs to be replaced by a window manager or a single application. I want to use 'startx' to start X , because I don't want to be trapped if some problem arises with X or KDE or the login manager & I need to change config files or remerge pkgs (etc) to rescue myself. With 'startx' I can do all that work from raw TTYs with no problems, as I am not forced to go into an X session if I don't want to. I don't want to use 'systemd', as I want to run a traditional UNIX version of Linux + KDE (or Fluxbox) for a simple single-user desktop system. Why is running 'xorg-server' as root "heavily discouraged" ? -- I've been doing that with Gentoo for > 16 yr without any problems. AFAIK there are no problems re exploits via I/net browsers, which are started by my user as all such user software always is. What might go wrong, if I continue to 'startx' with 'xorg-server' merged with 'suid -elogind' & without the '.xinitrc' line show above in the Wiki ? Are there any other Gentoo users who have the same preferences as me ? -- ,, SUPPORT ___//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT`-O--O---' purslowatcadotinterdotnet
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
On Sun, 2020-06-21 at 22:09 +0200, Piotr Karbowski wrote: > Hi, > > Re-sending news item inline. > > ### > > Title: xorg-server dropping default suid > Author: Piotr Karbowski > Posted: 2020-06-22 > Revision: 1 > News-Item-Format: 2.0 > Display-If-Installed: x11-base/xorg-server > > The Gentoo X11 Team is announcing that starting with 15th of July, > the x11-base/xorg-server will no longer default to suid and will default > to using logind interface instead. This change makes xorg-server run as > regular user rather than root by default, however, those who do not have > any logind interface provider (either systemd or elogind) will need to > enable either to make it possible to run X session as unprivileged user. No offense but it sounds a little chaotic to me. How about something like: Starting 2020-07-15 [use ISO dates, please], x11-base/xorg-server will default to using logind interface instead of suid by default. It will result in ... [what? better security?] through running the server as a regular user instead of root. However, this will require our users to use a logind provider such as elogind or systemd. > No action is required from systemd and desktop profile users, since > systemd provides logind interface, and desktop profile already enables > 'elogind' USE flag globally. > > Rest of the non-systemd users is required to globally enable 'elogind' The remaining users are ... 'elogind' [or 'systemd'?] > USE flag and apply it by 'emerge --newuse @world' Cut sentence here. > , after which, re-login > is required so that PAM can allocate seat. Afterwards, ... > > One can confirm that a seat has been assigned upon login by running: > > $ loginctl user-status > > Those who for whatever reason want to preserve current state, while > heavily discourage, can still use x11-base/xorg-server with 'suid -elogind'. 'whatever reason' doesn't sound professional. How about: Users who do not wish to use logind interface can manually reenable 'suid' flag in order to preserve the previous behavior. However, please note that this is heavily discouraged... [maybe explain why? also, are we going to eventually remove it?] -- Best regards, Michał Górny signature.asc Description: This is a digitally signed message part
[gentoo-dev] Re: News item: xorg-server dropping default suid
Hi, Re-sending news item inline. ### Title: xorg-server dropping default suid Author: Piotr Karbowski Posted: 2020-06-22 Revision: 1 News-Item-Format: 2.0 Display-If-Installed: x11-base/xorg-server The Gentoo X11 Team is announcing that starting with 15th of July, the x11-base/xorg-server will no longer default to suid and will default to using logind interface instead. This change makes xorg-server run as regular user rather than root by default, however, those who do not have any logind interface provider (either systemd or elogind) will need to enable either to make it possible to run X session as unprivileged user. No action is required from systemd and desktop profile users, since systemd provides logind interface, and desktop profile already enables 'elogind' USE flag globally. Rest of the non-systemd users is required to globally enable 'elogind' USE flag and apply it by 'emerge --newuse @world', after which, re-login is required so that PAM can allocate seat. One can confirm that a seat has been assigned upon login by running: $ loginctl user-status Those who for whatever reason want to preserve current state, while heavily discourage, can still use x11-base/xorg-server with 'suid -elogind'. signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Re: News item: xorg-server dropping default suid
On Sunday, 21 June 2020 21:27:02 CEST Joonas Niilola wrote: > What's the current trend of attaching news items? It > makes hard to point out enhancements. Indeed, I didn't even look at the previous mail that was sent like that. signature.asc Description: This is a digitally signed message part.
[gentoo-dev] Re: News item: xorg-server dropping default suid
Hey, It has some typos. What's the current trend of attaching news items? It makes hard to point out enhancements. -- juippis On 6/21/20 10:22 PM, Piotr Karbowski wrote: > Hi, > > Please find news item attached. > > -- Piotr. signature.asc Description: OpenPGP digital signature