On 22 Feb 2010, Adam Jackson verbalised:

> On Sat, 2010-02-20 at 15:00 +0000, Nix wrote:
>> Am I right in assuming that pretty much all of these are UMS-related?
>> i.e., in KMS the only thing now stopping us running X as non-root at
>> long last is the input-device-revocation problem?
>
> That, and device permissions on /dev/dri/whatever, and that GEM objects
> are globally visible so you're still trusting that multiple X servers
> don't intentionally snoop on each other.
Device permissions are fixable with one udev rule / chown / chmod / whatever.

The 'intentionally snooping X servers' problem only allows users to spy on other users (and perhaps bash their 3D state), but doesn't allow arbitrary code execution as root unless there are more bugs allowing users to instruct the GPU to DMA stuff to arbitrary parts of system RAM (in which case we have a security hole even in the absence of multiple users). So even if the GEM problem is not fixed, this reduces a possible-root-if-the-X-server-is-buggy hole to a possible-root-if-the-kernel-is-buggy hole --- and since we will always have the kernel in our vulnerability surface, it seems to me that even with GEM fixed, a non-root X would be a good thing to have.

Input device revocation still seems important though :( a shame there's no workaround, even if a hacky one :/ we don't really need generalized revoke() for this, do we? Just revoke() on a limited class of devices?

(disclaimer: short of coffee, may be talking nonsense as a result)

_______________________________________________
xorg mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/xorg
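As an added illustration of the "one udev rule / chown / chmod" point above (this is not code from the thread or from X.Org): a udev rule that hands the DRM card nodes to a dedicated group with mode 0660 instead of leaving them world-accessible, plus a small POSIX shell audit that checks a node actually ended up with the expected mode and group. The rule file path, the `video` group name and the `card[0-9]*` kernel name pattern are assumptions; adjust them to the distribution at hand.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Assumed rule file path:
#   /etc/udev/rules.d/70-dri-group.rules
# Assumed group "video"; the DRM card nodes are named card0, card1, ...
# on Linux, so KERNEL=="card[0-9]*" is the usual match.
DRI_UDEV_RULE='SUBSYSTEM=="drm", KERNEL=="card[0-9]*", GROUP="video", MODE="0660"'

# Weak setting for comparison: anyone on the box can open the GPU node.
DRI_UDEV_RULE_WEAK='SUBSYSTEM=="drm", KERNEL=="card[0-9]*", MODE="0666"'

# install_dri_rule DIR
# Writes the restrictive rule into DIR (normally /etc/udev/rules.d).
install_dri_rule() {
    dir=$1
    printf '%s\n' "$DRI_UDEV_RULE" > "$dir/70-dri-group.rules"
}

# check_dri_perms PATH MODE GROUP
# Returns 0 when PATH has exactly the octal MODE and owning GROUP,
# 1 otherwise (with a one-line reason on stderr). Uses GNU stat -c.
check_dri_perms() {
    path=$1; want_mode=$2; want_group=$3
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    have_mode=$(stat -c '%a' "$path")
    have_group=$(stat -c '%G' "$path")
    if [ "$have_mode" != "$want_mode" ] || [ "$have_group" != "$want_group" ]; then
        echo "$path: mode $have_mode group $have_group (want $want_mode $want_group)" >&2
        return 1
    fi
    return 0
}

# world_accessible PATH
# Returns 0 if the "other" permission digit is non-zero, i.e. the node
# is still open to every local user (the state the udev rule is meant to fix).
world_accessible() {
    mode=$(stat -c '%a' "$1")
    case $mode in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# Typical audit run on a live system (needs /dev/dri to exist):
#   for n in /dev/dri/card*; do check_dri_perms "$n" 660 video; done
```

Running the audit loop after `udevadm trigger` (or a reboot) tells you whether the rule took effect; a node that still reports mode 666 means some other rule or a later chmod is overriding it.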
