[PATCH RFC 0/1] Xorg: Add a suid root wrapper

Mark Kettenis mark.kettenis at xs4all.nl
Thu Mar 6 04:23:43 PST 2014


> From: Hans de Goede <hdegoede at redhat.com>
> Date: Wed,  5 Mar 2014 16:51:51 +0100
> 
> Hi All,
> 
> Let me repeat the commit msg here as that explains it all:
> 
> With the recent systemd-logind changes it is possible to install the Xorg
> binary without suid root rights and still have everything working as it
> should *if* the user only has cards which are supported by kms.
> 
> This commit adds a little suid root wrapper, which is a bit weird, first we
> strip the suid-root bit of the Xorg binary, and then we add a wrapper ?
> 
> The function of this wrapper is to see if a system still needs root-rights,
> if it does not (it supports kms and the kms drivers are properly loaded),
> then it will immediately drop all elevated rights before executing the real
> Xorg binary. If it finds (some) cards which don't support kms, or no cards
> at all, then it will execute the Xorg server with elevated rights so that
> ie the nvidia binary driver and the vesa driver can keep working normally.
> 
> To make it possible for security conscious users who don't need the root
> rights to completely remove the wrapper, Xorg is started in a 3 step process
> when the wrapper is enabled during build time:
> 
> 1) A simple shell script which checks if the wrapper is there, if it is
>   it executes the wrapper, if not it directly executes the real Xorg binary
> 
> 2) The wrapper gets executed, does its checks, normally drops all elevated
>   rights and then executes the real Xorg binary
> 
> 3) The real Xorg binary does its thing
> 
> This allows distributions to put the wrapper binary in a separate package, and
> will allow users to remove this package. IE the plan with Fedora is to make
> "legacy" drivers depend on the wrapper pkg, and since our default install
> contains some legacy drivers it will be part of the default install, but
> users can later yum remove it (which will also automatically remove the
> legacy driver packages as those won't work without it anyways).
> 
> Note currently this patch is only RFC as I still need to test it on a system
> which actually needs it to keep the root rights. Still I expect there will
> be some discussion / review comments so I thought it would be good to post
> this now. Please review.

Oh dear, the wrapper script is back!

Before you go further down this road, may I point out the privilege
separation support that we've had in xenocara (Xorg for OpenBSD) for
years now?  As Ilja van Sprundel says, "Xorg guys should steal that
code!" ;).

Our Xorg binary is still setuid, but dropping the setuid bit isn't a
problem in itself.  What you care about is dropping as many access
rights as possible, and being setuid you might actually be able to
drop more of them.  It also means you can open the traditional log
files (either before you drop privileges, or through the Xorg process
that keeps the privileges).  But the major benefit from the privsep is
that non-KMS setups still get (some of) the benefits.

Not sure if Matthieu Herrb ever tried to merge the OpenBSD changes
back into Xorg.  If he did his attempts didn't raise much interest
from you Linux people.  But it seems that has changed ;).

His changes can be found in the OpenBSD xenocara CVS repository.  And
if you ask him nicely, he can probably point you at a git repository
that has the changes as well.  Just grep for X_PRIVSEP!
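
Added example (not part of the original thread, and not the wrapper code from the RFC patch): a minimal C sketch of step 2 of the start-up sequence quoted above, in which a set-id wrapper permanently drops its elevated rights, verifies that they cannot be regained, and only then executes the real server. The path `REAL_XORG` is a hypothetical placeholder, and the check for cards that still need root is left out because the thread does not say how it is done.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical placeholder; the real install path is not given in the thread. */
#define REAL_XORG "/path/to/real/Xorg"

/*
 * Permanently give up set-id privileges and return to the invoking user.
 * Returns 0 on success, -1 if a step fails or the drop cannot be verified.
 */
int drop_privileges(void)
{
    uid_t uid = getuid(), old_euid = geteuid();
    gid_t gid = getgid(), old_egid = getegid();

    /* Group first: once the uid is dropped we may no longer change gids.
     * Supplementary groups are already those of the invoking user. */
    if (setgid(gid) != 0)
        return -1;
    /* With euid 0 this sets the real, effective and saved uid in one call. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify: ids match, and the old effective ids cannot be regained
     * (this catches a saved uid/gid that was left behind). */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    if (old_euid != uid && setuid(old_euid) == 0)
        return -1;
    if (old_egid != gid && setgid(old_egid) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (drop_privileges() != 0) {
        fprintf(stderr, "refusing to start Xorg: could not drop privileges\n");
        return 1;
    }
    execv(REAL_XORG, argv);   /* only returns on failure */
    perror("execv");
    return 1;
}
```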

