On Thu, Jan 09, 2014 at 12:52:46PM -0800, Andrew Lutomirski wrote:
> On Thu, Jan 9, 2014 at 11:43 AM, Hans de Goede <hdegoede@xxxxxxxxxx> wrote:
> > Hi,
> >
> > On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
> >> On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer <peter.hutterer@xxxxxxxxx> wrote:
> >>> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
> >>>> /usr/bin/Xorg is, and has been, setuid-root just about forever. I'm
> >>>> wondering whether there's any good reason for it to remain
> >>>> setuid-root.
> >>>
> >>> http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
> >>
> >> This isn't actually the same thing. That proposal suggests running
> >> Xorg as a non-root user. I'm proposing dropping the setuid bit on the
> >> binary, which will have no effect on the uid of the running server.
> >> (Of course, my suggestion will interact w/ that change, since the
> >> process that starts Xorg will no longer be root.)
> >
> > I don't think that that will be very useful, it will likely cause more
> > breakage than you think, as various display-managers may already start
> > Xorg inside the user session, at which point the suid bit is needed,
> > and as you already said it will break xinit and friends.
>
> This is an empirical question :) gdm on F20, at least, can still
> switch users with the setuid bit cleared. I'll try to test some more
> display managers.
>
> > Besides that almost every Fedora system already has a copy of the X
> > server running as root ready to be exploited. The attack surface of
> > X is not its cmdline or attacks through environment settings
> > (2 vectors your suggestion would close), but rather the gargantuan
> > API it exposes over the X protocol itself.
>
> There's currently a big attack surface if I run some daemon that gets
> remotely pwned -- the attacker could start a brand new X server and
> try to exploit it. On the other hand, they'd have a much more limited
> attack surface against the already running daemon, because they'll
> have trouble getting past the X authentication checks.
>
> >> It may be that XorgWithoutRootRights will clear the setuid bit as well,
> >> though.
> >
> > Hopefully, either clear it completely or drop root rights very early
> > on startup.
>
> I hope it clears the bit -- I really don't like the fact that 'X :1'
> screws with the display.

You understand that this isn't as much screwing with the display as being a
base functionality of the X server? It's a bit like saying starting apache
screws with your port 80 when you start it.

Cheers,
  Peter

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
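The thread turns on an empirical question: which binaries on a given system actually carry the setuid bit, and therefore which privileged helpers a compromised local process could launch via its command line and environment. The POSIX shell script below is an added example, not code from this thread or from the Xorg or Fedora projects; it audits a directory for setuid executables and checks a single path, and its demo runs on a constructed scratch directory rather than on /usr/bin so it can be run anywhere. Function names (`is_setuid`, `list_setuid`, `count_setuid`, `demo`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit helpers for the
# setuid bit that the discussion is about.
set -u

# is_setuid PATH -> exit status 0 if the setuid bit (04000) is set on the
# regular file PATH, 1 otherwise. "-prune" keeps find from descending if PATH
# happens to be a directory, so only the starting point itself is tested.
is_setuid() {
    [ -n "$(find "$1" -prune -type f -perm -4000 -print 2>/dev/null)" ]
}

# list_setuid DIR -> one "ls -l" line per setuid executable under DIR, staying
# on the same filesystem (-xdev). This is the list an administrator would
# review to decide which binaries (Xorg among them) still need the bit.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
}

# count_setuid DIR -> number of setuid files under DIR, as a bare integer.
count_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone demonstration on a constructed scratch directory: one plain
# 0755 file and one 4755 file stand in for a non-setuid and a setuid binary.
demo() {
    d=$(mktemp -d)
    : > "$d/plain"; chmod 0755 "$d/plain"
    : > "$d/suid";  chmod 4755 "$d/suid"
    printf 'setuid files under %s: %s\n' "$d" "$(count_setuid "$d")"
    list_setuid "$d"
    if is_setuid "$d/suid";  then echo "suid: setuid bit set"; fi
    if is_setuid "$d/plain"; then :; else echo "plain: no setuid bit"; fi
    rm -rf "$d"
}

demo
```

Run it against a real tree with `list_setuid /usr/bin` (or `is_setuid /usr/bin/Xorg`) to see whether the X server binary on a given install still carries the bit; on a system that runs the server through a wrapper, the wrapper is the file that will show up.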