Re: RFC: what to do with ums when the X server is not suid root ?

Hi,

On 01/20/2014 10:16 AM, Peter Robinson wrote:
As indicated here:
https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights

I'm working on making the X server run as a regular user. I actually have this pretty much working.

So now it is time to start looking into some of the corner cases, or rather at the elephant in the room. What about non-kms drivers? We still have the vesa driver around as the most prominent example, and this is useful for some oddball cards and for cards which are too new.

I would like to not break the vesa driver, while still killing the suid bit on the X server.

I'm currently thinking about implementing the following solution:

1) Make the X server a regular binary without any special rights

2) Implement a small suid root wrapper which gets the Xorg name and
launches the real Xorg binary.

This wrapper will search for kms capable cards and if one is found drop
all root rights before executing the real Xorg binary. If no kms capable
cards are found it will execute the real Xorg binary with root rights.

3) Put this wrapper in a separate package, make it part of comps so it
will get installed by default, but don't depend on it in any packages
so that security sensitive users can simply do
"rpm -e xorg-x11-server-suid-helper"

I'm not 100% sold on my own idea yet. The whole idea of dropping the suid bit is to remove the rather large attack surface the X server offers. With the helper, for people running kms that attack surface is reduced to a quite small, easily audited helper. But for people without kms nothing changes. On x86 most users will fall in the "with kms" category, but what about, i.e., ARM?

At the moment on ARM most devices that have X use the
xorg-x11-drv-modesetting driver which I believe uses the KMS kernel
drivers so I'm presuming we'll be OK on that front. The other two that
are in use are xorg-x11-drv-armsoc (currently supported via the
DRM_EXYNOS module, in theory can support other Mali GPUs) and
xorg-x11-drv-omap (DRM_OMAP) which I believe also use the equivalent
KMS drivers but I might be wrong there.

Moving forward I can't see any new ARM devices not supporting KMS as I
doubt they'll get accepted into the mainline kernel without it.

So maybe we should not build, nor install, the helper for ARM at all?

We likely either have kms or, in some (respin) cases, fbdev there, neither of which will need root rights.

And the same likely goes for other non-x86 archs, so maybe the helper should be an x86-only thing, for vesa (or other ums driver) support on oddball + very new cards?

Regards,

Hans
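The helper sketched in the quoted proposal above, written out as an added illustration in C. This is not the Fedora wrapper's code or anything from the thread: it assumes that a KMS-capable driver shows up as a `cardN` node under `/dev/dri` (the directory and the real server path are placeholders), probes for such a node, and if one exists drops root permanently before exec'ing the real server: supplementary groups first, then gid, then uid, followed by a check that root cannot be regained. If no KMS node is found it keeps root, which is exactly the "nothing changes for UMS users" case the proposal worries about.

```c
/* Added example, not the Fedora suid helper. Assumptions: KMS drivers expose
 * /dev/dri/cardN; REAL_XORG is a placeholder path for the unprivileged server. */
#define _GNU_SOURCE
#include <dirent.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define REAL_XORG "/usr/libexec/Xorg.bin" /* placeholder, not a real Fedora path */

/* Return 1 if dri_dir contains at least one "cardN" device node, else 0.
 * An unreadable or missing directory counts as "no KMS card" so that the
 * caller falls back to the conservative (root) path explicitly. */
int kms_card_present(const char *dri_dir)
{
    DIR *d = opendir(dri_dir);
    if (d == NULL)
        return 0;

    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        /* Match "card" followed by a digit; skips renderD* and control* nodes. */
        if (strncmp(e->d_name, "card", 4) == 0 &&
            e->d_name[4] >= '0' && e->d_name[4] <= '9') {
            found = 1;
            break;
        }
    }
    closedir(d);
    return found;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups can only
 * be cleared while still root, gid must go before uid (once uid is non-root,
 * setgid fails), and the saved ids are set too so no path back to root
 * remains. Returns 0 on success, -1 on any failure or if root is regainable. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Paranoia check: a non-root target must not be able to become root again. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;

    if (kms_card_present("/dev/dri")) {
        /* KMS found: the server does not need root, so give it up for good. */
        if (drop_privileges(getuid(), getgid()) != 0) {
            perror("drop_privileges");
            return 1;
        }
    }
    /* No KMS card: a UMS driver such as vesa still needs root, so keep it.
     * A real helper would additionally sanitize argv and the environment
     * before handing them to a root-running server. */
    execv(REAL_XORG, argv);
    perror("execv");
    return 1;
}
```

The two branches make the security property of the design visible: `drop_privileges` is the only code that runs with root after the decision in the KMS case, and it is small enough to audit line by line, while the UMS branch hands the full server root just as a suid `Xorg` would today.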
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct