Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
On Tue, May 26, 2020 at 4:12 AM Haelwenn (lanodan) Monnier wrote:
>
> [2020-05-25 23:41:23+0200] Piotr Karbowski:
> > There are 3 common ways the xorg-server is started:
> >
> > - via XDM of some sort, usually forked as root, does not require suid,
> > systemd or elogind.
>
> Launching X as root and having it be suid is quite the same thing…
>

Sort-of. An SUID X binary is a potential source of vulnerabilities even if you never run it, since it is still sitting there and ready to be exploited by somebody else. It also gives a user more control over how X is launched as root (command lines/control over stdin/out, etc). When X is launched as root by something the user doesn't control it reduces the attack surface somewhat. And if you never launch X11 at all it is just another unprivileged binary that can't do anything the user can't already do with system calls.

In any case, setting suid on any binary is something that should only be done if there is no other practical solution. It certainly seems like this shouldn't be the default, especially if it is available for users to toggle if they wish. We can always put out a news item when this changes.

If elogind is already enabled by default on a profile, then it doesn't make sense to ship X11 suid with that same profile when it isn't necessary. If a user wants to depart from the default config to not use elogind then they can just change the USE flag on xorg as well.

--
Rich
Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
Piotr Karbowski wrote:
> Hi,
>
> On 26/05/2020 00.34, Philip Webb wrote:
>> I'ld rather you didn't.
> You didn't provide any rationale for that. Running X as root is anti
> pattern, especially nowadays when so little effort is required to not
> have to run it as root.
>
> You can either enable elogind, or you can enable suid if you want to
> preserve your status quo, we're talking here about defaults that user
> can change if he has a reason to do so.
>
> -- Piotr.
>

As a user.

[ebuild R ] x11-base/xorg-server-1.20.7:0/1.20.7::gentoo USE="elogind ipv6 libglvnd suid udev xorg -debug -dmx -doc -kdrive -libressl -minimal (-selinux) -static-libs -systemd -unwind -wayland -xcsecurity -xephyr -xnest -xvfb"

I don't recall the security issue that setting comes with. As a user, I'd rather defaults be secure and if I need to make an exception, then I can do so locally. I use elogind, used the other method until the recent change, so I likely don't need it set this way. If I understand this correctly, I'm going to disable suid and use the more secure method.

I think it is reasonable since most likely, most users would expect the more secure method as a default and use a login tool that works with that setting. Those who use some other method, such as manually starting X, they still have the option to set it in whatever way works for them.

I do agree with the point in another post that there should be some sort of notice about the change. One that is easily seen since it can cause problems.

In the middle of typing, I made the change and ran into no problems so far. I restarted the GUI and logged in just fine.

Just a user's perspective.

Dale

:-) :-)
Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
[2020-05-25 23:41:23+0200] Piotr Karbowski:
> There are 3 common ways the xorg-server is started:
>
> - via XDM of some sort, usually forked as root, does not require suid,
> systemd or elogind.

Launching X as root and having it be suid is quite the same thing…

> - via better XDM that can into logind interface, started as regular user
> thanks to logind interface provided by either systemd or elogind.
> - via `startx`, if systemd or elogind are present, can work without
> suid, without them, suid is required.

btw I tried startx without suid a while ago, you can start it with your user in the right groups (input, video), which means that now every program that you run can snoop input devices and mess with your video outputs. And X couldn't properly manage DRM master control because you could set the DRM master but not drop it (kernel bug but "linux maintains bugs" and there are no capabilities to fix it, which could allow to avoid extra groups).

I don't have something like elogind and likely will not as last time I looked at how it worked, it felt like reading about an unstable backdoor more than anything else. I'd rather have proper permissions in the kernel.

> Flipping current '+suid (-)elogind' as *default* USE flags on ebuild
> level into '+elogind (-)suid' will not affect first two use cases, and
> affect only 3rd one if neither systemd is used, or elogind is enabled.
>
> What I'd like to go with is to enable elogind and disable suid on ebuild
> level. The systemd profiles have use.mask for elogind, meaning it's not
> a problem for them. and those who do not want to use any logind provider
> can still opt out of it and go back to use suid. It shouldn't really
> affect most of the users in any negative way, if anything, it will make
> more users to not run Xorg as root, which is a positive aspect.
>
> The alternative way would be to enable elogind on default profile,
> however it would also affect those who run headless Gentoo, of which a
> lot refuse to use any login manager.
>
> So, dear people of Gentoo, what do you think about turning the current
> possible opt-out of Xorg as root into possible opt-in for running Xorg
> as root? People still will have a choice, just the defaults will be more
> sane.

I think you could have `xorg-server -suid` in the desktop profile, as you have elogind there but on the ebuild level I'm not so sure. I'm not particularly against it but then it should definitely come with a warning and it'll require users to notice the change and warning so they don't end up with a broken gentoo after an update.
Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
Hi,

On 26/05/2020 09.23, Philip Webb wrote:
> 200526 Piotr Karbowski wrote:
>> On 26/05/2020 00.34, Philip Webb wrote:
>>> I'ld rather you didn't.
>> You didn't provide any rationale for that.
>
> I thought I did (smile).
>
>> Running X as root is anti-pattern, especially nowadays
>> when so little effort is required to not have to run it as root.
>
> I've never run X as root : it's not the UNIX way.

I am not sure if you're trolling me here, or you genuinely do not understand that regardless of what user you execute `startx` on, if Xorg has suid, it will start as root.

>> You can either enable elogind
>
> Why would anyone want to abandon the long-successful UNIX method
> & adopt some complex replacement ?

I wouldn't call running X as root to be long successful UNIX method. Back in the days there was no way to run X without root, now there is.

>> or you can enable suid if you want to preserve your status quo,
>> we're talking here about defaults
>> that user can change if he has a reason to do so.
>
> Yes, this is a regular problem which is unavoidable :
> what should the default be ? -- I want the default to be
> what it's always been & what matches basic UNIX principles.
> I can add 'suid' to 'xorg-server' in package.use ,
> but why should I have to ? -- over to you for a rationale (smile).

I am not sure what kind of UNIX principles you're speaking about, the default should be reasonable, running X as root is not, if someone wants to go against common sense and run X as root, he can do so, with defaults to not run it as root.

-- Piotr.
Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
200526 Piotr Karbowski wrote:
> On 26/05/2020 00.34, Philip Webb wrote:
>> I'ld rather you didn't.
> You didn't provide any rationale for that.

I thought I did (smile).

> Running X as root is anti-pattern, especially nowadays
> when so little effort is required to not have to run it as root.

I've never run X as root : it's not the UNIX way.

> You can either enable elogind

Why would anyone want to abandon the long-successful UNIX method
& adopt some complex replacement ?

> or you can enable suid if you want to preserve your status quo,
> we're talking here about defaults
> that user can change if he has a reason to do so.

Yes, this is a regular problem which is unavoidable :
what should the default be ? -- I want the default to be
what it's always been & what matches basic UNIX principles.
I can add 'suid' to 'xorg-server' in package.use ,
but why should I have to ? -- over to you for a rationale (smile).

Perhaps others can weigh in CAD 0,02 (choose your currency) at a time.

--
,,
SUPPORT ___//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT`-O--O---' purslowatcadotinterdotnet
Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
Hi,

On 26/05/2020 00.34, Philip Webb wrote:
> I'ld rather you didn't.

You didn't provide any rationale for that. Running X as root is anti pattern, especially nowadays when so little effort is required to not have to run it as root.

You can either enable elogind, or you can enable suid if you want to preserve your status quo, we're talking here about defaults that user can change if he has a reason to do so.

-- Piotr.
Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
200525 Piotr Karbowski wrote:
> There are 3 common ways the xorg-server is started:
...
> - via `startx`,

That's how I've always started Xorg.

> if systemd or elogind are present,

I don't use those.

> can work without suid, without them, suid is required.
...
> What do you think about turning the current possible opt-out of Xorg as root
> into possible opt-in for running Xorg as root ?
...

I'ld rather you didn't.

--
,,
SUPPORT ___//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT`-O--O---' purslowatcadotinterdotnet
[gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.
Hi,

For years the xorg-server in Gentoo was defaulting to be running with suid, even those that do not really require it, like systemd users and those who run elogind still end up with X as uid 0 because of +suid default.

Times have changed, we now have +elogind in desktop profile, xorg-server can no longer work without udev (due to input drivers), so there's no real benefit for defaulting to suid.

There are 3 common ways the xorg-server is started:

- via XDM of some sort, usually forked as root, does not require suid, systemd or elogind.
- via better XDM that can into logind interface, started as regular user thanks to logind interface provided by either systemd or elogind.
- via `startx`, if systemd or elogind are present, can work without suid, without them, suid is required.

Flipping current '+suid (-)elogind' as *default* USE flags on ebuild level into '+elogind (-)suid' will not affect first two use cases, and affect only 3rd one if neither systemd is used, or elogind is enabled.

What I'd like to go with is to enable elogind and disable suid on ebuild level. The systemd profiles have use.mask for elogind, meaning it's not a problem for them. and those who do not want to use any logind provider can still opt out of it and go back to use suid. It shouldn't really affect most of the users in any negative way, if anything, it will make more users to not run Xorg as root, which is a positive aspect.

The alternative way would be to enable elogind on default profile, however it would also affect those who run headless Gentoo, of which a lot refuse to use any login manager.

So, dear people of Gentoo, what do you think about turning the current possible opt-out of Xorg as root into possible opt-in for running Xorg as root? People still will have a choice, just the defaults will be more sane.

-- Piotr.
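
Added example, not part of any message in this thread: a shell check for the two things the discussion turns on, whether the X server binary carries the setuid bit with a root owner, and which user any running X server belongs to. The path /usr/bin/Xorg and the process names Xorg and X are assumptions; set XORG_BIN or edit the names for your system.

```shell
#!/bin/sh
# Added example: is the X server binary setuid root, and who runs X now?
# Assumptions: binary at /usr/bin/Xorg, server process named Xorg or X.

XORG_BIN=${XORG_BIN:-/usr/bin/Xorg}

# has_setuid PATH: succeeds if PATH is a regular file with the setuid bit.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# owner_uid PATH: print the numeric uid of the file's owner.
owner_uid() {
    ls -lndL "$1" | awk '{print $3}'
}

# classify_binary PATH: print missing | no-setuid | setuid-root | setuid-other
classify_binary() {
    if [ ! -f "$1" ]; then
        echo missing
    elif ! has_setuid "$1"; then
        echo no-setuid
    elif [ "$(owner_uid "$1")" = 0 ]; then
        echo setuid-root
    else
        echo setuid-other
    fi
}

# running_x_users: print "pid user" for every running X server process.
running_x_users() {
    command -v pgrep >/dev/null 2>&1 || return 0
    for name in Xorg X; do
        pgrep -x "$name"
    done | while read -r pid; do
        printf '%s %s\n' "$pid" "$(ps -o user= -p "$pid")"
    done
}

echo "$XORG_BIN: $(classify_binary "$XORG_BIN")"
running_x_users
```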