On 2/2/24 05:45, Enrico Weigelt, metux IT consult wrote:
> Hello folks,
> I wonder whether we still need the Fopen() function.
> It's a funny and complicated way of loading a file with dropped privs
> (by calling `cat` on that file!).
> It only does the cat if HAS_SAVED_IDS_AND_SETEUID is not defined, and
> that should be defined on all POSIX systems - though it looks like our
> current check is:
> #if defined(SVR4) || defined(__linux__) || defined(CSRG_BASED)
> #define HAS_SAVED_IDS_AND_SETEUID
> #endif
I suspect for the OSes that the xserver code builds on today, that
could be replaced by #ifndef WIN32, which would then allow the first
half of that #ifdef in Fopen to be deleted, leaving just the simpler
case, since Fopen is already not built for WIN32.
> The only call site is LoadAuthorization() (auth.c) for loading the
> Xauthority file (if one was passed to xserver via -auth arg). But this
> doesn't make much sense to me: why should the xserver - if started as
> root (but dropping privs) - be prevented from reading an xauth file?
If the Xserver is run as setuid root, you don't want to let it read
files with root privs that are specified by a non-root user - that
way lies CVEs. I could imagine adding a build flag to the server
that said not to support running setuid, that would set a define
that skipped this code and instead enabled code to check issetugid()
on startup and instantly exit if it was true, but I don't think anyone
has written a patch for that yet. Distros who don't install setuid
could set that flag, those who do could leave it unset.
> And do we still need the complicated exec'ing code path?
As noted above, I don't think so.
> And is there still any need to run it as root at all?
Yes. Not every OS the X server runs on has KMS support for every device.
I don't know how to express that in a meson, autoconf, or #ifdef check though.
--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
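The thread above contrasts Fopen()'s exec of `cat` with the simpler saved-IDs/seteuid path, and suggests an issetugid() check at startup for builds that do not support running setuid. As an added example, not xserver code and not anything either poster wrote, here is what that path looks like in C: a user-supplied file is opened with the invoking user's IDs rather than root's, and the privileged IDs are restored afterwards. The names open_as_invoker, read_as_invoker, running_setugid and demo_roundtrip are assumptions made for illustration, and the cookie text and temp-file contents are constructed sample data.

```c
/* Added example (not xserver code): open a user-supplied path with the real
 * user's privileges when the process was started setuid/setgid, relying on
 * POSIX saved set-user-IDs to restore the privileged IDs afterwards. The
 * exec("cat") fallback the thread discusses is deliberately omitted. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the real and effective IDs differ, i.e. we were started setuid/setgid.
 * issetugid(3) exists on the BSDs and Solaris; elsewhere compare the IDs. */
int running_setugid(void)
{
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__sun)
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Open path read-only as the real (invoking) user. Returns an fd or -1 with
 * errno set. The privileged euid/egid are restored before returning; if that
 * restore fails we abort rather than run on half-privileged. */
int open_as_invoker(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    int fd, saved_errno;

    /* Conventional order: change the group ID while still privileged, then the user ID. */
    if (egid != rgid && setegid(rgid) == -1)
        return -1;
    if (euid != ruid && seteuid(ruid) == -1) {
        saved_errno = errno;
        (void)setegid(egid);
        errno = saved_errno;
        return -1;
    }

    /* open(2) now performs its permission check against the invoker's IDs. */
    fd = open(path, O_RDONLY | O_CLOEXEC);
    saved_errno = errno;

    if (euid != ruid && seteuid(euid) == -1)
        abort();
    if (egid != rgid && setegid(egid) == -1)
        abort();

    errno = saved_errno;
    return fd;
}

/* Read up to len bytes of path via open_as_invoker. Returns bytes read or -1. */
ssize_t read_as_invoker(const char *path, char *buf, size_t len)
{
    int fd = open_as_invoker(path);
    ssize_t total = 0, n = 0;

    if (fd == -1)
        return -1;
    while (total < (ssize_t)len && (n = read(fd, buf + total, len - total)) > 0)
        total += n;
    close(fd);
    return n < 0 ? -1 : total;
}

/* Constructed self-check: write a cookie-like blob to a temp file, read it back
 * through open_as_invoker and compare. Returns 1 on success, 0 otherwise. */
int demo_roundtrip(void)
{
    static const char cookie[] = "MIT-MAGIC-COOKIE-1 (constructed sample)";
    char tmpl[] = "/tmp/xauth-exampleXXXXXX";
    char buf[sizeof cookie];
    int fd = mkstemp(tmpl);
    int ok = 0;

    if (fd == -1)
        return 0;
    if (write(fd, cookie, sizeof cookie) == (ssize_t)sizeof cookie) {
        close(fd);
        ssize_t n = read_as_invoker(tmpl, buf, sizeof buf);
        ok = n == (ssize_t)sizeof cookie && memcmp(buf, cookie, sizeof cookie) == 0;
    } else {
        close(fd);
    }
    unlink(tmpl);
    return ok;
}

int main(int argc, char **argv)
{
    printf("started setuid/setgid: %s\n", running_setugid() ? "yes" : "no");
    if (argc > 1) {
        char buf[64];
        ssize_t n = read_as_invoker(argv[1], buf, sizeof buf);
        printf("%s: %s (%ld bytes)\n", argv[1], n < 0 ? strerror(errno) : "readable", (long)n);
    }
    return demo_roundtrip() ? 0 : 1;
}
```

Run unprivileged, both IDs already match and the seteuid/setegid calls are skipped, so the self-check simply opens the temp file; installed setuid root, the open is performed as the invoking user and a path that user cannot read fails with EACCES instead of being read with root's privileges, which is the hazard the reply describes. A build that does not support setuid could instead call running_setugid() once at startup and exit if it returns non-zero.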