[gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.

[gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.

[Piotr Karbowski]

[-- Attachment #1.1: Type: text/plain, Size: 1888 bytes --]

Hi,

For years the xorg-server in Gentoo was defaulting to be running with
suid, even those that does not really require it, like systemd users and
those who runs elogind still end up with X as uid 0 because of +suid
default.

Times has changed, we now have +elogind in desktop profile, xorg-server
can no longer work without udev (due to input drivers), so there's no
real benefit for defaulting to suid.

There are 3 common ways the xorg-server is started:

- via XDM of some sort, usually forked as root, does not require suid,
systemd or elogind.
- via better XDM that can into logind interface, started as regular user
thanks to logind interface provided by either systemd or elogind.
- via `startx`, if systemd or elogind are present, can work without
suid, without them, suid is required.

Flipping current '+suid (-)elogind' as *default* USE flags on ebuild
level into '+elogind (-)suid' will not affect first two use cases, and
affect only 3rd one if neither systemd is used, or elogind is enabled.

What I'd like to go with is to enable elogind and disable suid on ebuild
level. The systemd profiles have use.mask for elogind, meaning it's not
a problem for them. and those who do not want to use any logind provider
can still opt-out out of it and go back to use suid. It shouldn't really
affect most of the users in any negative way, if anything, it will make
more users to not run Xorg as root, which is a positive aspect.

The alternative way would be to enable elogind on default profile,
however it would also affect those who run headless Gentoo, of which a
lot refuse to use any login manager.

So, dear people of Gentoo, what do you think about turning the current
possible opt-out of Xorg as root into possible opt-in for running Xorg
as root? People still will have a choice, just the defaults will be more
sane.

-- Piotr.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.

[Philip Webb]

200525 Piotr Karbowski wrote:
> There are 3 common ways the xorg-server is started:
 ...
> - via `startx`,

That's how I've always started Xorg.

> if systemd or elogind are present,

I don't use those.

> can work without suid, without them, suid is required.
 ...
> What do you think about turning the current possible opt-out of Xorg as root
> into possible opt-in for running Xorg as root ?
 ...

I'ld rather you didn't.

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatcadotinterdotnet

Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.

[Piotr Karbowski]

[-- Attachment #1.1: Type: text/plain, Size: 443 bytes --]

Hi,

On 26/05/2020 00.34, Philip Webb wrote:
> I'ld rather you didn't.

You didn't provided any rationale for that. Running X as root is anti
pattern, especially nowadays when so little effort is required to not
have to run it as root.

You can either enable elogind, or you can enable suid if you want to
preserve your status quo, we're talking here about defaults that user
can change if he has a reason to do so.

-- Piotr.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.

[Philip Webb]

200526 Piotr Karbowski wrote:
> On 26/05/2020 00.34, Philip Webb wrote:
>> I'ld rather you didn't.
> You didn't provided any rationale for that.

I thought I did (smile).

> Running X as root is anti-pattern, especially nowadays
> when so little effort is required to not have to run it as root.

I've never run X as root : it's not the UNIX way.

> You can either enable elogind

Why would anyone want to abandon the long-successful UNIX method
& adopt some complex replacement ?

> or you can enable suid if you want to preserve your status quo,
> we're talking here about defaults
> that user can change if he has a reason to do so.

Yes, this is a regular problem which is unavoidable :
what should the default be ? -- I want the default to be
what it's always been & what matches basic UNIX principles.
I can add 'suid' to 'xorg-server' in  package.use ,
but why should I have to ? -- over to you for a rationale (smile).

Perhaps others can weigh in  CAD 0,02  (choose your currency) at a time.

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatcadotinterdotnet

Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.

[Piotr Karbowski]

[-- Attachment #1.1: Type: text/plain, Size: 1619 bytes --]

Hi,

On 26/05/2020 09.23, Philip Webb wrote:
> 200526 Piotr Karbowski wrote:
>> On 26/05/2020 00.34, Philip Webb wrote:
>>> I'ld rather you didn't.
>> You didn't provided any rationale for that.
> 
> I thought I did (smile).
> 
>> Running X as root is anti-pattern, especially nowadays
>> when so little effort is required to not have to run it as root.
> 
> I've never run X as root : it's not the UNIX way.

I am not sure if you're trolling me here, or you genuinely not
understand that regardless of what user you execute `startx` on, if Xorg
have suid, it will start as root.

>> You can either enable elogind
> 
> Why would anyone want to abandon the long-successful UNIX method
> & adopt some complex replacement ?

I wouldn't call running X as root to be long successful UNIX method.
Back in the days there was no way to ran X without root, now there is.

>> or you can enable suid if you want to preserve your status quo,
>> we're talking here about defaults
>> that user can change if he has a reason to do so.
> 
> Yes, this is a regular problem which is unavoidable :
> what should the default be ? -- I want the default to be
> what it's always been & what matches basic UNIX principles.
> I can add 'suid' to 'xorg-server' in  package.use ,
> but why should I have to ? -- over to you for a rationale (smile).

I am not sure what kind of UNIX principles you're speaking about, the
default should be reasonable, running X as root is not, if someone want
to go against common sense and run X as root, he can do so, with
defaults to not run it as root.

-- Piotr.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.

[Haelwenn (lanodan) Monnier]

[2020-05-25 23:41:23+0200] Piotr Karbowski:
> There are 3 common ways the xorg-server is started:
> 
> - via XDM of some sort, usually forked as root, does not require suid,
> systemd or elogind.

Launching X as root and having it be suid is quite the same thing…

> - via better XDM that can into logind interface, started as regular user
> thanks to logind interface provided by either systemd or elogind.
> - via `startx`, if systemd or elogind are present, can work without
> suid, without them, suid is required.

btw I tried startx without suid a while ago, you can start it with your user 
in the right groups (input, video), which means that now every program that 
you run can snoop input devices and mess with your video outputs.
And X couldn't properly manage DRM master control because you could set 
the DRM master but not drop it (kernel bug but "linux maintains bugs" and 
there is no capabilities to fix it, which could allow to avoid extra groups).

I don't have something like elogind and likely will not as last time I looked 
at how it worked, it felt like reading about an unstable backdoor more than 
anything else.  I'd rather have proper permissions in the kernel.

> Flipping current '+suid (-)elogind' as *default* USE flags on ebuild
> level into '+elogind (-)suid' will not affect first two use cases, and
> affect only 3rd one if neither systemd is used, or elogind is enabled.
> 
> What I'd like to go with is to enable elogind and disable suid on ebuild
> level. The systemd profiles have use.mask for elogind, meaning it's not
> a problem for them. and those who do not want to use any logind provider
> can still opt-out out of it and go back to use suid. It shouldn't really
> affect most of the users in any negative way, if anything, it will make
> more users to not run Xorg as root, which is a positive aspect.
> 
> The alternative way would be to enable elogind on default profile,
> however it would also affect those who run headless Gentoo, of which a
> lot refuse to use any login manager.
> 
> So, dear people of Gentoo, what do you think about turning the current
> possible opt-out of Xorg as root into possible opt-in for running Xorg
> as root? People still will have a choice, just the defaults will be more
> sane.

I think you could have `xorg-server -suid` in the desktop profile, as you 
have elogingd there but on the ebuild level I'm not so sure.  
I'm not particularly against it but then should definitely come with a warning 
and it'll require users to notice the change and warning so they don't end 
up with a broken gentoo after an update.

Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.

[Dale]

[-- Attachment #1: Type: text/plain, Size: 1702 bytes --]

Piotr Karbowski wrote:
> Hi,
>
> On 26/05/2020 00.34, Philip Webb wrote:
>> I'ld rather you didn't.
> You didn't provided any rationale for that. Running X as root is anti
> pattern, especially nowadays when so little effort is required to not
> have to run it as root.
>
> You can either enable elogind, or you can enable suid if you want to
> preserve your status quo, we're talking here about defaults that user
> can change if he has a reason to do so.
>
> -- Piotr.
>

As a user. 

[ebuild   R    ] x11-base/xorg-server-1.20.7:0/1.20.7::gentoo 
USE="elogind ipv6 libglvnd suid udev xorg -debug -dmx -doc -kdrive
-libressl -minimal (-selinux) -static-libs -systemd -unwind -wayland
-xcsecurity -xephyr -xnest -xvfb"

I don't recall the security issue that setting comes with.  As a user,
I'd rather defaults be secure and if I need to make a exception, then I
can do so locally.  I use elogin, used the other method until the recent
change, so I likely don't need it set this way.  If I understand this
correctly, I'm going to disable suid and use the more secure method.  I
think it is reasonable since most likely, most users would expect the
more secure method as a default and use a login tool that works with
that setting. Those who use some other method, such as manually starting
X, they still have the option to set it in whatever way works for them.
I do agree with the point in another post that there should be some sort
of notice about the change.  One that is easily seen since it can cause
problems. 

In the middle of typing, I made the change and ran into no problems so
far. I restarted the GUI and logged in just fine.

Just a users perspective. 

Dale

:-)  :-) 

[-- Attachment #2: Type: text/html, Size: 2303 bytes --]

Re: [gentoo-dev] x11-base/xorg-server: No longer enabling suid by default.

[Rich Freeman]

On Tue, May 26, 2020 at 4:12 AM Haelwenn (lanodan) Monnier
<contact@hacktivis.me> wrote:
>
> [2020-05-25 23:41:23+0200] Piotr Karbowski:
> > There are 3 common ways the xorg-server is started:
> >
> > - via XDM of some sort, usually forked as root, does not require suid,
> > systemd or elogind.
>
> Launching X as root and having it be suid is quite the same thing…
>

Sort-of.  An SUID X binary is a potential source of vulnerabilities
even if you never run it, since it is still sitting there and ready to
be exploited by somebody else.  It also gives a user more control over
how X is launched as root (command lines/control over stdin/out, etc).
When X is launched as root by something the user doesn't control it
reduces the attack surface somewhat.  And if you never launch X11 at
all it is just another unprivileged binary that can't do anything the
user can't already do with system calls.

In any case, setting suid on any binary is something that should only
be done if there is no other practical solution.  It certainly seems
like this shouldn't be the default, especially if it is available for
users to toggle if they wish.  We can always put out a news item when
this changes.  If elogind is already enabled by default on a profile,
then it doesn't make sense to ship X11 suid with that same profile
when it isn't necessary.  If a user wants to depart from the default
config to not use elogind then they can just change the USE flag on
xorg as well.

-- 
Rich