On Mon, Jan 20, 2014 at 10:08 AM, Hans de Goede <hdegoede@xxxxxxxxxx> wrote: > Hi All, > > As indicated here: > https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights > > I'm working on making the X server run as a regular user. I actually have > this > pretty much working. > > So now it is time to start looking into some of the corner cases, or rather > at > the elephant in the room. What about non-kms drivers. We still have the vesa > driver around as most prominent example, and this is useful for some oddball > cards and for cards which are too new. > > I would like to not break the vesa driver, while still killing the suid bit > on > the X server. > > I'm currently thinking about implementing the following solution: > > 1) Make the X server a regular binary without any special rights > > 2) Implement a small suid root wrapper which gets the Xorg name and > launches the real Xorg binary. > > This wrapper will search for kms capable cards and if one is found drop > all root rights before executing the real Xorg binary. If no kms capable > cards are found it will execute the real Xorg binary with root rights. > > 3) Put this wrapper in a separate package, make it part of comps so it > will get installed by default, but don't depend on it in any packages > so that security sensitive users can simply do > "rpm -e xorg-x11-server-suid-helper" That will break badly for upgrades. If someone is using a ums driver, upgrades and nothing pulls in the helper he / she will end up with a broken setup. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
