[RFC] Xdummy standalone binary or "-dummy" switch

Jamey Sharp jamey at minilop.net
Fri Sep 30 09:22:17 PDT 2011


On 9/29/11, Antoine Martin <antoine at nagafix.co.uk> wrote:
> OK, I've looked at all the places that use getuid or getuid, and found:
> * os-support/* some checks for euid!=0 for console stuff / KeepTTY,
> which I have left alone
> * parser/write.c also left alone for now - I can look into it too if you
> want.

I still suspect that *all* such checks are wrong, but I don't mind
leaving them alone until somebody can demonstrate how they should
work.

> * common/xf86Init.c: ddxProcessArgument and ddxUseMsg patched, see
> attachment.
>
> With just this small patch and the correct xorg.conf as per below I can
> run "dummy" non-root without problems. Does it look acceptable?

I don't see anything wrong with it, so I'm happy to provide my

Reviewed-by: Jamey Sharp <jamey at minilop.net>

but since it's security-related I'd like to see somebody else review
it too before it gets merged. Others will have an easier time
reviewing and merging your patch if you follow these guidelines:

http://wiki.x.org/wiki/Development/Documentation/SubmittingPatches

> The only other patch required to make this useful for non-root users is
> the one that allows for absolute config files I had posted earlier,
> otherwise I don't see how one can launch using custom config files as
> the "-config" option does not seem to honour the "-configdir" option.
> Obviously this would now need an extra euid!=uid check.
> Or am I missing something again?

Looks to me like all you need for this bit is to fix the getuid check
in xf86HandleConfigFile. The USER_CONFIGPATH lists both absolute and
relative paths as the first things it checks, and this also takes care
of -configdir. (But -configdir doesn't do what you think it does.)

>>> If that's all the issues you've had, I'm hoping that just fixing the
>>> stupid "am I root?" checks will take care of everything you need.
>>> Anything missing?
> I don't think so - works-for-me(tm)

Hooray!

> I guess distributors will then have to ship two copies of /usr/bin/Xorg,
> one that is suid-root and one that isn't? (until we can get rid of the
> suid one entirely, one day)

Amusingly, any user can get a non-suid copy of a suid binary. "cp"
will do. But I think adding a "-dropprivs" flag wouldn't be a terrible
plan. It should wait until we find out if distros actually have this
problem, though, especially since apparently it's hard to fully drop
privileges correctly and portably.

Jamey
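
An added example, not part of the original message and not X server code: the "euid != uid" test discussed above, written as a check for elevated privileges instead of an "am I root?" check, and used to decide whether a user-supplied config path is acceptable. The function names and the path policy are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Elevated means the process holds IDs the invoking user does not have
 * (a setuid or setgid binary). Testing for uid 0 instead would restrict
 * an unprivileged, non-setuid server for no benefit. */
static int privs_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Hypothetical policy: when elevated, accept only a relative path with no
 * ".." component, to be resolved under trusted directories. When not
 * elevated, any path is fine: the user can only read their own files. */
static int config_path_allowed(const char *path, int elevated)
{
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 0;
    if (!elevated)
        return 1;
    if (path[0] == '/')
        return 0;
    while (*p) {
        size_t n = strcspn(p, "/");          /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += n;
        while (*p == '/')
            p++;
    }
    return 1;
}

int main(int argc, char **argv)
{
    int elevated = privs_elevated(getuid(), geteuid(), getgid(), getegid());
    /* Constructed sample path, used when no argument is given. */
    const char *path = argc > 1 ? argv[1] : "/tmp/dummy-xorg.conf";

    printf("elevated=%d path=%s allowed=%d\n", elevated, path,
           config_path_allowed(path, elevated));
    return 0;
}
```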

