Re: Should /usr/bin/Xorg (still) be setuid-root?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
> wondering whether there's any good reason for it to remain
> setuid-root.
[...]
>  - Xorg is a giant attack surface.  Without setuid-root, only users
> sitting in front of the keyboard can try to attack it.

Like, for example:

  http://lists.x.org/archives/xorg-announce/2014-January/002389.html
  https://bugzilla.redhat.com/show_bug.cgi?id=1049569

Perhaps this is what got you thinking about this?

> Thoughts?  If people are generally in favor, I'll submit a change
> proposal.  Despite the fact that the change would be a one-liner, it
> seems like a systemwide change.
> (On a related note: what's the F21 change proposal submission
> deadline?  I can't find it anywhere.)

No deadline yet -- go for it. You might also want to check into
http://fedoraproject.org/wiki/Features/RemoveSETUID, which was a
partially-successful effort to use capabilities instead of setuid across
the system. (See for example /usr/bin/ping.)

However, that was about reducing from full setuid to what is effectively
partial setuid (and see the discussion; it's only really meaningful in some
cases). Removing the setuid bit entirely is new, as far as I know.

-- 
Matthew Miller    --   Fedora Project    --    <mattdm@xxxxxxxxxxxxxxxxx>
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux