* [gentoo-user] Heads up if you start X with startx; xorg-server suid flag
@ 2012-12-31 6:28 Walter Dnes
2012-12-31 6:40 ` Volker Armin Hemmann
` (3 more replies)
0 siblings, 4 replies; 15+ messages in thread
From: Walter Dnes @ 2012-12-31 6:28 UTC
To: Gentoo Users List
I ran an update on my netbook today, and couldn't fire up X. I
checked out Google on my desktop, and found the website
http://en.spontex.org/forum/thread/561/1/ which described the exact
problem, and more importantly, the solution.
* Up til now X has been installed suid by default. This is what allows
regular users to start X with startx <G>.
* According to /usr/portage/x11-base/xorg-server/ChangeLog USE="suid"
has been enabled as of December 20, 2012. If you do not enable it,
you will not be able to run startx as a regular user. xdm and other
X login managers will still work.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] Heads up if you start X with startx; xorg-server suid flag
From: Volker Armin Hemmann @ 2012-12-31 6:40 UTC
To: gentoo-user; +Cc: Walter Dnes
On Monday, 31 December 2012, 01:28:17, Walter Dnes wrote:
> I ran an update on my netbook today, and couldn't fire up X. I
> checked out Google on my desktop, and found the website
> http://en.spontex.org/forum/thread/561/1/ which described the exact
> problem, and more importantly, the solution.
>
> * Up til now X has been installed suid by default. This is what allows
> regular users to start X with startx <G>.
>
> * According to /usr/portage/x11-base/xorg-server/ChangeLog USE="suid"
> has been enabled as of December 20, 2012. If you do not enable it,
> you will not be able to run startx as a regular user. xdm and other
> X login managers will still work.
what do we learn?
always use -v
always read the output
always check the meaning of changed/added flags.
--
#163933
* [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: Walter Dnes @ 2012-12-31 6:47 UTC
To: Gentoo Users List
On Mon, Dec 31, 2012 at 01:28:17AM -0500, wrote
>
> * According to /usr/portage/x11-base/xorg-server/ChangeLog USE="suid"
> has been enabled as of December 20, 2012. If you do not enable it,
> you will not be able to run startx as a regular user. xdm and other
> X login managers will still work.
Let me re-phrase that. A USE="suid" flag has been created. If you do
not enable it, you will not be able to run startx as a regular user.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: Dale @ 2012-12-31 7:57 UTC
To: gentoo-user
Walter Dnes wrote:
> On Mon, Dec 31, 2012 at 01:28:17AM -0500, wrote
>> * According to /usr/portage/x11-base/xorg-server/ChangeLog USE="suid"
>> has been enabled as of December 20, 2012. If you do not enable it,
>> you will not be able to run startx as a regular user. xdm and other
>> X login managers will still work.
> Let me re-phrase that. A USE="suid" flag has been created. If you do
> not enable it, you will not be able to run startx as a regular user.
>
I checked here and it must be enabled in my profile. I don't have it in
make.conf or any other portage file that I edit. I use the KDE profile
for those who are wondering. It may save time looking/checking it.
Dale
:-) :-)
--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
* Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: Alan McKinnon @ 2012-12-31 8:03 UTC
To: gentoo-user
On Mon, 31 Dec 2012 01:57:02 -0600
Dale <rdalek1967@gmail.com> wrote:
> Walter Dnes wrote:
> > On Mon, Dec 31, 2012 at 01:28:17AM -0500, wrote
> >> * According to /usr/portage/x11-base/xorg-server/ChangeLog
> >> USE="suid" has been enabled as of December 20, 2012. If you do
> >> not enable it, you will not be able to run startx as a regular
> >> user. xdm and other X login managers will still work.
> > Let me re-phrase that. A USE="suid" flag has been created. If
> > you do not enable it, you will not be able to run startx as a
> > regular user.
> >
>
> I checked here and it must be enabled in my profile. I don't have it
> in make.conf or any other portage file that I edit. I use the KDE
> profile for those who are wondering. It may save time
> looking/checking it.
It's not in the profile, the xorg-server ebuild sets USE="suid" on by
default.
Most likely is that Walter has USE="-suid" in his make.conf and sets it
back on for things he's checked out personally. Meaning that in this
case one slipped through.
--
Alan McKinnon
alan.mckinnon@gmail.com
* Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: kwkhui @ 2012-12-31 8:53 UTC
To: gentoo-user
On Mon, 31 Dec 2012 10:03:40 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> It's not in the profile, the xorg-server ebuild sets USE="suid" on by
> default.
>
> Most likely is that Walter has USE="-suid" in his make.conf and sets
> it back on for things he's checked out personally. Meaning that in
> this case one slipped through.
I suspect it is a USE="-* (blah)" rather than an explicit USE="-suid"
in the make.conf file.
One question though --- should the xorg-server ebuild be such that
IUSE="(blah) +suid" when using a hardened-profile? Also, checking
my PORTDIR, given the global description in use.desc (suid - Enable
setuid root program, with potential security risks), shouldn't the suid
use flag entries (net-analyzer/nagios-plugins:suid and
net-wireless/kismet:suid) be deleted from use.local.desc?
Kerwin.
* Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: Alan McKinnon @ 2012-12-31 9:29 UTC
To: gentoo-user
On Mon, 31 Dec 2012 16:53:47 +0800
kwkhui@hkbn.net wrote:
> On Mon, 31 Dec 2012 10:03:40 +0200
> Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>
> > It's not in the profile, the xorg-server ebuild sets USE="suid" on
> > by default.
> >
> > Most likely is that Walter has USE="-suid" in his make.conf and sets
> > it back on for things he's checked out personally. Meaning that in
> > this case one slipped through.
>
> I suspect it is a USE="-* (blah)" rather than an explicit USE="-suid"
> in the make.conf file.
>
> One question though --- should the xorg-server ebuild be such that
> IUSE="(blah) +suid" when using a hardened-profile?
That already has a de-facto answer; USE="suid" must be on by default
as without it users cannot run a desktop (xorg-server does not yet run
without root permissions)
> Also, checking
> my PORTDIR, given the global description in use.desc (suid - Enable
> setuid root program, with potential security risks), shouldn't the
> suid use flag entries (net-analyzer/nagios-plugins:suid and
> net-wireless/kismet:suid) be deleted from use.local.desc?
I see this is being discussed on -dev ATM. Duncan has this to say:
"Promoting a flag to global does mean it gets a global description in
use.desc, but per package descriptions (as now maintained in the per-
package metadata.xml files, but there's a tree maintenance script that
keeps use.local.desc current based on the metadata files, to keep the
tools using it working) continue to be encouraged where they are
useful, as they can often provide much more detailed per-package
descriptions of what the flag actually does in that specific package,
than the global description can."
The current policy seems to be the sensible one: A global generic
description can exist, but more specific package-level descriptions are
also supported. I'd agree with that; a policy of "only global
descriptions" or "no global description if a local one exists" would be
overly restrictive and just cause problems. On the whole, we humans are
perfectly OK with the idea of over-loading concepts; this is not
something we have problems with.
--
Alan McKinnon
alan.mckinnon@gmail.com
* [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: Nikos Chantziaras @ 2012-12-31 10:39 UTC
To: gentoo-user
On 31/12/12 08:28, Walter Dnes wrote:
> I ran an update on my netbook today, and couldn't fire up X. I
> checked out Google on my desktop, and found the website
> http://en.spontex.org/forum/thread/561/1/ which described the exact
> problem, and more importantly, the solution.
>
> * Up til now X has been installed suid by default. This is what allows
> regular users to start X with startx <G>.
>
> * According to /usr/portage/x11-base/xorg-server/ChangeLog USE="suid"
> has been enabled as of December 20, 2012. If you do not enable it,
> you will not be able to run startx as a regular user. xdm and other
> X login managers will still work.
The "suid" USE flag is enabled by default in the xorg-server ebuild:
IUSE="${IUSE_SERVERS} ipv6 minimal nptl selinux +suid tslib +udev"
Since you disabled it on your own, you now get to pick up the pieces.
It's what you wanted.
* Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: Dale @ 2012-12-31 12:38 UTC
To: gentoo-user
kwkhui@hkbn.net wrote:
> On Mon, 31 Dec 2012 10:03:40 +0200
> Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>
>> It's not in the profile, the xorg-server ebuild sets USE="suid" on by
>> default.
>>
>> Most likely is that Walter has USE="-suid" in his make.conf and sets
>> it back on for things he's checked out personally. Meaning that in
>> this case one slipped through.
>
> I suspect it is a USE="-* (blah)" rather than an explicit USE="-suid"
> in the make.conf file.
>
> One question though --- should the xorg-server ebuild be such that
> IUSE="(blah) +suid" when using a hardened-profile? Also, checking
> my PORTDIR, given the global description in use.desc (suid - Enable
> setuid root program, with potential security risks), shouldn't the suid
> use flag entries (net-analyzer/nagios-plugins:suid and
> net-wireless/kismet:suid) be deleted from use.local.desc?
>
> Kerwin.
I think you are right. I seem to recall that Walter is one of few that
does USE="-* blah" in make.conf. Seems he may have asked for this one.
Dale
:-) :-)
--
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!
* Re: [gentoo-user] Heads up if you start X with startx; xorg-server suid flag
From: covici @ 2012-12-31 13:29 UTC
To: gentoo-user
Walter Dnes <waltdnes@waltdnes.org> wrote:
> I ran an update on my netbook today, and couldn't fire up X. I
> checked out Google on my desktop, and found the website
> http://en.spontex.org/forum/thread/561/1/ which described the exact
> problem, and more importantly, the solution.
>
> * Up til now X has been installed suid by default. This is what allows
> regular users to start X with startx <G>.
>
> * According to /usr/portage/x11-base/xorg-server/ChangeLog USE="suid"
> has been enabled as of December 20, 2012. If you do not enable it,
> you will not be able to run startx as a regular user. xdm and other
> X login managers will still work.
My suid is automatically set and cannot be changed, so I am not sure what
you are seeing.
--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?
John Covici
covici@ccs.covici.com
* Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: kwkhui @ 2012-12-31 14:06 UTC
To: gentoo-user
On Mon, 31 Dec 2012 11:29:12 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Mon, 31 Dec 2012 16:53:47 +0800
> kwkhui@hkbn.net wrote:
>
> > On Mon, 31 Dec 2012 10:03:40 +0200
> > Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> >
> > > It's not in the profile, the xorg-server ebuild sets USE="suid" on
> > > by default.
> > >
> > > Most likely is that Walter has USE="-suid" in his make.conf and
> > > sets it back on for things he's checked out personally. Meaning
> > > that in this case one slipped through.
> >
> > I suspect it is a USE="-* (blah)" rather than an explicit
> > USE="-suid" in the make.conf file.
> >
> > One question though --- should the xorg-server ebuild be such that
> > IUSE="(blah) +suid" when using a hardened-profile?
>
> That already has a de-facto answer; USE="suid" must be on by default
> as without it users cannot run a desktop (xorg-server does not yet run
> without root permissions)
But(!) if one uses a login manager, xorg server would only ever be
run by root, right? Hence the use flag rather than a must like, e.g.,
sys-apps/shadow (and the question whether the dangerous suid should be
set in desktop profiles instead of default on even for hardened).
Kerwin.
* Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: Kevin Chadwick @ 2012-12-31 14:42 UTC
To: gentoo-user
On Mon, 31 Dec 2012 22:06:00 +0800
kwkhui@hkbn.net wrote:
> > That already has a de-facto answer; USE="suid" must be on by default
> > as without it users cannot run a desktop (xorg-server does not yet
> > run without root permissions)
I use some hackery to run startx on some systems as a normal user on
Linux and without suid. The only important thing that breaks on these
systems is hotplugging mice etc., which could be quite easily fixed
if it was worth the time. I've found a log out triggering a relaunch
good enough with 0 complaints for now.
>
> But(!) if one uses a login manager, xorg server would only be ever be
> run by root, right?
On Linux maybe but the default on OpenBSD is for X to run as the X11
user and xdm to run as root.
> Hence the use flag rather than a must like, e.g.,
> sys-apps/shadow (and the question whether the dangerous suid should be
> set in desktop profiles instead of default on even for hardened).
* Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: Philip Webb @ 2012-12-31 16:33 UTC
To: gentoo-user
> Walter Dnes Mon, Dec 31, 2012 at 01:28:17AM -0500, wrote:
>> * According to /usr/portage/x11-base/xorg-server/ChangeLog
>> USE="suid" has been created as of December 20, 2012.
>> If you do not enable it, you will not be able to run startx
>> as a regular user. xdm and other X login managers will still work.
Thanks ! -- I'm another eccentric who starts the USE list with ' -* '.
Once alerted, it's easy to add it to package.use .
--
========================,,============================================
SUPPORT ___________//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT `-O----------O---' purslowatchassdotutorontodotca
* Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag
From: Bruce Hill @ 2012-12-31 16:44 UTC
To: gentoo-user
On Mon, Dec 31, 2012 at 11:33:34AM -0500, Philip Webb wrote:
>
> Thanks ! -- I'm another eccentric who starts the USE list with ' -* '.
> Once alerted, it's easy to add it to package.use .
I'm more eccentric
USE_ORDER="env:pkg:conf:pkginternal:repo:env.d"
--
Happy Penguin Computers >')
126 Fenco Drive ( \
Tupelo, MS 38801 ^^
support@happypenguincomputers.com
662-269-2706 662-205-6424
http://happypenguincomputers.com/
Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting
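
The USE stacking discussed in this thread, as an added example that is not part of any message and is not Portage code: a simplified Python model of how the layers named in USE_ORDER are applied, showing why USE="-*" in make.conf drops the ebuild's +suid default and how a package.use entry restores it. The profile and make.conf contents are constructed samples, the model does not filter flags against the package's IUSE, and layers left out of USE_ORDER are assumed to be skipped.

```python
# Simplified model of Portage's incremental USE stacking (added example,
# not Portage code). Resolves flags for ONE package, x11-base/xorg-server.

# Layer precedence, highest first, as documented for USE_ORDER in make.conf(5).
DEFAULT_USE_ORDER = "env:pkg:conf:defaults:pkginternal:repo:env.d"
# USE_ORDER quoted in the thread: the profile layer ("defaults") is left out.
THREAD_USE_ORDER = "env:pkg:conf:pkginternal:repo:env.d"

# IUSE line quoted in the thread, with the ${IUSE_SERVERS} expansion left out.
XORG_IUSE = "ipv6 minimal nptl selinux +suid tslib +udev"


def iuse_defaults(iuse):
    """Build the 'pkginternal' layer: only +flag / -flag tokens carry a default."""
    return " ".join(t.lstrip("+") for t in iuse.split() if t[0] in "+-")


def stack_use(layers, use_order=DEFAULT_USE_ORDER):
    """Apply layers lowest priority first; return the set of enabled flags."""
    enabled = set()
    for name in reversed(use_order.split(":")):
        for tok in layers.get(name, "").split():
            if tok == "-*":            # wipes everything set by lower layers
                enabled.clear()
            elif tok.startswith("-"):  # -flag switches one flag off
                enabled.discard(tok[1:])
            else:
                enabled.add(tok)
    return enabled


def xorg_flags(conf="", pkg="", use_order=DEFAULT_USE_ORDER):
    """Resolve xorg-server's flags for a make.conf USE and a package.use entry."""
    layers = {
        "pkginternal": iuse_defaults(XORG_IUSE),
        "defaults": "X kde",  # constructed sample of profile make.defaults
        "conf": conf,         # USE="..." from make.conf
        "pkg": pkg,           # flags after "x11-base/xorg-server" in package.use
    }
    return stack_use(layers, use_order)


if __name__ == "__main__":
    cases = [
        ("stock make.conf", dict(conf="alsa")),
        ('USE="-* X alsa"', dict(conf="-* X alsa")),
        ('USE="-* X alsa" + package.use suid', dict(conf="-* X alsa", pkg="suid")),
        ('USE="-suid"', dict(conf="-suid")),
        ("thread USE_ORDER, stock make.conf",
         dict(conf="alsa", use_order=THREAD_USE_ORDER)),
    ]
    for label, kwargs in cases:
        flags = xorg_flags(**kwargs)
        print(f"{label:38} suid={'suid' in flags}  {sorted(flags)}")
```

On a real system, `emerge -pv x11-base/xorg-server` shows the resolved flags, and the setuid bit on the installed X binary confirms what was actually built.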
* Re: [gentoo-user] Heads up if you start X with startx; xorg-server suid flag
From: Neil Bothwick @ 2013-01-02 12:49 UTC
To: gentoo-user
On Mon, 31 Dec 2012 07:40:29 +0100, Volker Armin Hemmann wrote:
> > * According to /usr/portage/x11-base/xorg-server/ChangeLog USE="suid"
> > has been enabled as of December 20, 2012. If you do not enable it,
> > you will not be able to run startx as a regular user. xdm and other
> > X login managers will still work.
>
> what do we learn?
> always use -v
That makes it harder to spot the changes and the new flags are buried in
the noise of the unchanged ones.
> always read the output
> always check the meaning of changed/added flags.
And don't use USE="-*" unless you want to spend time fixing things like
this.
--
Neil Bothwick
WinErr 012: Window closed - Do not look inside