On Thu, Jan 9, 2014 at 11:43 AM, Hans de Goede <hdegoede@xxxxxxxxxx> wrote: > Hi, > > > On 01/09/2014 12:09 AM, Andrew Lutomirski wrote: >> >> On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer <peter.hutterer@xxxxxxxxx> >> wrote: >>> >>> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote: >>>> >>>> /usr/bin/Xorg is, and has been, setuid-root just about forever. I'm >>>> wondering whether there's any good reason for it to remain >>>> setuid-root. >>> >>> >>> http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights >> >> >> This isn't actually the same thing. That proposal suggests running >> Xorg as a non-root user. I'm proposing dropping the setuid bit on the >> binary, which will have no effect on the uid of the running server. >> (Of course, my suggestion will interact w/ that change, since the >> process that starts Xorg will no longer be root.) > > > I don't think that that will be very useful, it will likely cause more > breakage then you think, as various display-managers may already start > Xorg inside the user session, at which point the suid bit is needed, > and as you already said it will break xinit and friends. This is an empirical question :) gdm on F20, at least, can still switch users with the setuid bit cleared. I'll try to test some more display managers. > > Besides that almost every Fedora system already has a copy of the X > server running as root ready to be exploited. The attack service of > X is not its cmdline or attacks through environment settings > (2 vectors your suggestion would close), but rather the gargantuan > API it exposes over the X protocol itself. > There's currently a big attack surface if I run some daemon that gets remotely pwned -- the attacker could start a brand new X server and try to exploit it. On the other hand, they'd have a much more limited attack surface against the already running daemon, because they'll have trouble getting past the X authentication checks. > >> It may be that XorgWithoutRootRights will clear the setuid bit as well, >> though. > > > Hopefully, either clear it completely or drop root rights very early > on on startup. I hope it clears the bit -- I really don't like the fact that 'X :1' screws with the display. --Andy -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
