Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-27 Thread Adam Feldman
On 6/27/20 1:36 PM, William Hubbs wrote:
> On Sun, Jun 21, 2020 at 10:02:25PM +0200, Andreas Sturmlechner wrote:
>> On Sunday, 21 June 2020 21:27:02 CEST Joonas Niilola wrote:
>>> What's the current trend of attaching news items? It
>>> makes hard to point out enhancements.
>>
>> Indeed, I didn't even look at the previous mail that was sent like that.
> 
> I realize I'm late to this and maybe this is being discussed in another
> thread (I'm catching up), but attaching newsitems is the standard way of
> getting them reviewed; this is not anything new.
> 
> Thanks,
> 
> William
> 

I think the point being made was that the vast majority of news items
are posted as content inlined in the email as opposed to an attached file.

-- 
Thanks,

Adam Feldman
Gentoo Developer
np-hard...@gentoo.org
0x671C52F118F89C67



signature.asc
Description: OpenPGP digital signature


Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-27 Thread William Hubbs
On Sun, Jun 21, 2020 at 10:02:25PM +0200, Andreas Sturmlechner wrote:
> On Sunday, 21 June 2020 21:27:02 CEST Joonas Niilola wrote:
> > What's the current trend of attaching news items? It
> > makes hard to point out enhancements.
> 
> Indeed, I didn't even look at the previous mail that was sent like that.

I realize I'm late to this and maybe this is being discussed in another
thread (I'm catching up), but attaching newsitems is the standard way of
getting them reviewed; this is not anything new.

Thanks,

William



signature.asc
Description: PGP signature


Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-22 Thread Piotr Karbowski
Hi,

On 21/06/2020 22.27, Michał Górny wrote:
> No offense but it sounds a little chaotic to me.

Which is the reasons we do those reviews. Appreciate the suggestions,
just sent revision 2 as the response to the very first email in this
thread, please check how it looks now.

-- Piotr.



signature.asc
Description: OpenPGP digital signature


Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-22 Thread Philip Webb
200622 Piotr Karbowski wrote:
> On 22/06/2020 06.03, Philip Webb wrote:
> [...]
>> I don't want to use 'systemd', as I want to run a traditional UNIX version
>> of Linux + KDE (or Fluxbox) for a simple single-user desktop system.
> Then... don't use systemd !  I officially give you my approval for that.
> Read what you quoted in your email, elogind is standalone package.
> Elogind does work normally in the configuration with OpenRC and startx.

Ah, it cb used with 'startx', which is vital for me.

>> So again : Why is running 'xorg-server' as root "heavily discouraged" ?
> It's common sense to run software with the least privileges they require,
> so if new attack vector is discovered,
> perhaps there will be no escalation surface to make use of it.

OK, understood.  It doesn't look as if there's any genuine danger
in continuing to use 'xorg-server' with 'suid' on my single-user system,
but if it really is as straightforward to use 'elogind' instead,
I may decide to change to that method for the reason you offer.

Thanks for your explanation & to all the devs for their unpaid labors.

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatcadotinterdotnet




Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-22 Thread Piotr Karbowski
Hi,

On 22/06/2020 06.03, Philip Webb wrote:
[...]
> I don't want to use 'systemd', as I want to run a traditional UNIX version
> of Linux + KDE (or Fluxbox) for a simple single-user desktop system.

Then... don't use systemd? I officially give you my approval for that.
Read what you quoted in your email, elogind is standalone package.

The elogind does work normally in the configuration with OpenRC and startx.

> So i ask again : Why is running 'xorg-server' as root "heavily discouraged" ?
It's common sense to run software with the least privileges they
require, so if new attack vector is discovered, perhaps there will be no
escalation surface to make use of it.

-- Piotr.



signature.asc
Description: OpenPGP digital signature


Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-21 Thread Philip Webb
200621 Matt Turner wrote:
> On Sun, Jun 21, 2020 at 4:53 PM Philip Webb  wrote:
>> I've been running xorg-server as root for  > 16 yr  without any problems.
>> AFAIK there are no problems re exploits via I/net browsers,
>> which are started by my user as all such user software always is.
>> What might go wrong, if I continue to 'startx'
>> with 'xorg-server' merged with 'suid -elogind'
>> & without the '.xinitrc' line show above in the Wiki ?
> For the majority of users -- those that use a graphics driver
> with kernel modesetting support -- , X only needs root access
> for a small set of things : accessing the DRM device node,
> accessing the input device nodes and some stuff around VTs.
> The rest of the time, X doesn't need root access.
> With elogind, those bits are handled in a small daemon
> and X no longer needs to run as root.  Most people find that valuable,
> especially with the knowledge that there have been
> a number of security vulnerabilities that would allow arbitrary code
> execution in the xserver over the years [1].

The latest of those was announced in 2018
& all of them seem to involve privilege escalation by local users ;
those marked 'remote' all seem to be via off-site logins.
There doesn't appear ever to have been a genuine remote threat,
so single-user systems have never been threatened by xorg-server as root.

> [1] 
> https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-8600/X.org-Xorg-server.html

So i ask again : Why is running 'xorg-server' as root "heavily discouraged" ?

There was a similar issue a few years ago,
when the game Nethack was threatened with removal from Gentoo
due to a security problem which affected only multi-user systems.
Is there any difference in this case of xorg-server ?

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatcadotinterdotnet




Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-21 Thread Matt Turner
On Sun, Jun 21, 2020 at 4:53 PM Philip Webb  wrote:
>
> 200621 Piotr Karbowski wrote:
> > Title: xorg-server dropping default suid
> ...
> > The Gentoo X11 Team is announcing that starting with 15th of July,
> > the x11-base/xorg-server will no longer default to suid
> > and will default to using logind interface instead.  This change
> > makes xorg-server run as regular user rather than root by default,
> > however those who do not have any logind interface provider
> > -- either systemd or elogind -- will need to enable either
> > to make it possible to run X session as unprivileged user.
> > No action is required from systemd and desktop profile users,
> > since systemd provides logind interface
> > and desktop profile already enables 'elogind' USE flag globally.
> > Rest of the non-systemd users is required to globally enable
> > 'elogind' USE flag and apply it by 'emerge --newuse @world',
> > after which, re-login is required so that PAM can allocate seat.
> > One can confirm that a seat has been assigned upon login by running:
> > $ loginctl user-status
> > Those who for whatever reason want to preserve current state,
> > while heavily discouraged,
> > can still use x11-base/xorg-server with 'suid -elogind'.
>
> Gentoo Wiki says :
>
>   elogind is the systemd project's logind, extracted to a standalone package.
>   It's designed for users who prefer a non-systemd init system,
>   but still want to use popular software such as KDE/Wayland or GNOME
>   that otherwise hard-depends on systemd.
>
>   startx integration : To have an elogind session created
>   when using startx to start the X server (instead of a display manager),
>   add the following to the user's ~/.xinitrc file : FILE ~/.xinitrc
>exec dbus-launch --exit-with-session 
>   WINDOW_MANAGER in the above example needs to be replaced
>   by a window manager or a single application.
>
> I want to use 'startx' to start X , because I don't want to be trapped
> if some problem arises with X or KDE or the login manager
> & I need to change config files or remerge pkgs (etc) to rescue myself.
> With 'startx' I can do all that work from raw TTYs with no problems,
> as I am not forced to go into an X session if I don't want to.

Thank you for actually participating in the discussion, unlike the
last thread about this topic.

> I don't want to use 'systemd', as I want to run a traditional UNIX version
> of Linux + KDE (or Fluxbox) for a simple single-user desktop system.
>
> Why is running 'xorg-server' as root "heavily discouraged" ?
> -- I've been doing that with Gentoo for  > 16 yr  without any problems.
> AFAIK there are no problems re exploits via I/net browsers,
> which are started by my user as all such user software always is.
> What might go wrong, if I continue to 'startx'
> with 'xorg-server' merged with 'suid -elogind'
> & without the '.xinitrc' line show above in the Wiki ?

For the majority of users (those that use a graphics driver with
kernel modesetting support), X only needs root access for a small set
of things: accessing the DRM device node, accessing the input device
nodes, and some stuff around VTs. The rest of the time, X doesn't need
root access but still must run as root for those cases I mention.

With elogind, those bits are handled in a small daemon, and X no
longer needs to run as root. Most people find that to be valuable,
especially with the knowledge that there have been a number of
security vulnerabilities found that would allow arbitrary code
execution in the xserver over the years [1].

Our current default of USE=suid installs /usr/bin/Xorg with the setuid
bit set, allowing it to be run *as root* by any user. This enables
non-root users to execute startx, for example.

I appreciate that Gentoo users are a diverse bunch, to say the least.
This news item is about *defaults*. I'm happy to explain the value of
the new default to people who are genuinely curious but I have no
interest in trying to convince you or anyone else of anything.

You're free to keep the status quo with a single line in
/etc/portage/package.use. The people building and maintaining the
distro think that the new defaults are better defaults for the vast
majority of users, but again they're just defaults.

[1] 
https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-8600/X.org-Xorg-server.html



Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-21 Thread Philip Webb
200621 Piotr Karbowski wrote:
> Title: xorg-server dropping default suid
...
> The Gentoo X11 Team is announcing that starting with 15th of July,
> the x11-base/xorg-server will no longer default to suid
> and will default to using logind interface instead.  This change
> makes xorg-server run as regular user rather than root by default,
> however those who do not have any logind interface provider
> -- either systemd or elogind -- will need to enable either
> to make it possible to run X session as unprivileged user.
> No action is required from systemd and desktop profile users,
> since systemd provides logind interface
> and desktop profile already enables 'elogind' USE flag globally.
> Rest of the non-systemd users is required to globally enable
> 'elogind' USE flag and apply it by 'emerge --newuse @world',
> after which, re-login is required so that PAM can allocate seat.
> One can confirm that a seat has been assigned upon login by running:
> $ loginctl user-status
> Those who for whatever reason want to preserve current state,
> while heavily discouraged,
> can still use x11-base/xorg-server with 'suid -elogind'.

Gentoo Wiki says :

  elogind is the systemd project's logind, extracted to a standalone package.
  It's designed for users who prefer a non-systemd init system,
  but still want to use popular software such as KDE/Wayland or GNOME
  that otherwise hard-depends on systemd. 

  startx integration : To have an elogind session created
  when using startx to start the X server (instead of a display manager),
  add the following to the user's ~/.xinitrc file : FILE ~/.xinitrc
   exec dbus-launch --exit-with-session 
  WINDOW_MANAGER in the above example needs to be replaced
  by a window manager or a single application. 

I want to use 'startx' to start X , because I don't want to be trapped
if some problem arises with X or KDE or the login manager
& I need to change config files or remerge pkgs (etc) to rescue myself.
With 'startx' I can do all that work from raw TTYs with no problems,
as I am not forced to go into an X session if I don't want to.

I don't want to use 'systemd', as I want to run a traditional UNIX version
of Linux + KDE (or Fluxbox) for a simple single-user desktop system.

Why is running 'xorg-server' as root "heavily discouraged" ?
-- I've been doing that with Gentoo for  > 16 yr  without any problems.
AFAIK there are no problems re exploits via I/net browsers,
which are started by my user as all such user software always is.
What might go wrong, if I continue to 'startx'
with 'xorg-server' merged with 'suid -elogind'
& without the '.xinitrc' line show above in the Wiki ?

Are there any other Gentoo users who have the same preferences as me ?

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatcadotinterdotnet




Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-21 Thread Michał Górny
On Sun, 2020-06-21 at 22:09 +0200, Piotr Karbowski wrote:
> Hi,
> 
> Re-sending news item inline.
> 
> ###
> 
> Title: xorg-server dropping default suid
> Author: Piotr Karbowski 
> Posted: 2020-06-22
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: x11-base/xorg-server
> 
> The Gentoo X11 Team is announcing that starting with 15th of July,
> the x11-base/xorg-server will no longer default to suid and will default
> to using logind interface instead. This change makes xorg-server run as
> regular user rather than root by default, however, those who do not have
> any logind interface provider (either systemd or elogind) will need to
> enable either to make it possible to run X session as unprivileged user.

No offense but it sounds a little chaotic to me.  How about something
like:

Starting 2020-07-15 [use ISO dates, please], x11-base/xorg-server will
default to using logind interface instead of suid by default. It will
result in ... [what? better security?] through running the server
as a regular user instead of root. However, this will require our users
to use a logind provider such as elogind or systemd.

> No action is required from systemd and desktop profile users, since
> systemd provides logind interface, and desktop profile already enables
> 'elogind' USE flag globally.
> 
> Rest of the non-systemd users is required to globally enable 'elogind'

The remaining users are ... 'elogind' [or 'systemd'?]

> USE flag and apply it by 'emerge --newuse @world'

Cut sentence here.

> , after which, re-login
> is required so that PAM can allocate seat.

Afterwards, ...

> 
> One can confirm that a seat has been assigned upon login by running:
> 
> $ loginctl user-status
> 
> Those who for whatever reason want to preserve current state, while
> heavily discourage, can still use x11-base/xorg-server with 'suid -elogind'.

'whatever reason' doesn't sound professional.  How about:

Users who do not wish to use logind interface can manually reenable
'suid' flag in order to preserve the previous behavior. However, please
note that this is heavily discouraged... [maybe explain why? also, are
we going to eventually remove it?]

-- 
Best regards,
Michał Górny



signature.asc
Description: This is a digitally signed message part


Re: [gentoo-dev] Re: News item: xorg-server dropping default suid

2020-06-21 Thread Andreas Sturmlechner
On Sunday, 21 June 2020 21:27:02 CEST Joonas Niilola wrote:
> What's the current trend of attaching news items? It
> makes hard to point out enhancements.

Indeed, I didn't even look at the previous mail that was sent like that.

signature.asc
Description: This is a digitally signed message part.