On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> /usr/bin/Xorg is, and has been, setuid-root just about forever. I'm
> wondering whether there's any good reason for it to remain
> setuid-root.

http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights

Cheers,
Peter

>
> Some arguments for setuid-root:
> - People who still use startx or similar scripts need it.
> - It's vaguely useful for testing xorg.conf changes.
>
> Some arguments for clearing the setuid-root bit:
> - People who use display managers (i.e. almost everyone) don't need
> it to be setuid-root.
> - Xorg is a giant attack surface. Without setuid-root, only users
> sitting in front of the keyboard can try to attack it.
>
> I suspect that most people would notice the difference if
> xorg-x11-server-Xorg got rid of the setuid-root bit.
>
> Another option would be to only let users in a new xorg group run Xorg
> and to keep it setuid-root.
>
> Thoughts? If people are generally in favor, I'll submit a change
> proposal. Despite the fact that the change would be a one-liner, it
> seems like a systemwide change.
>
> (On a related note: what's the F21 change proposal submission
> deadline? I can't find it anywhere.)
>
> --Andy
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct