On 01/08/2019 20:44, Bruce Dubbs via blfs-dev wrote:
> On 8/1/19 1:13 PM, DJ Lucas via blfs-dev wrote:
>> On 8/1/19 11:40 AM, Bruce Dubbs via blfs-dev wrote:
>>
>>> On 8/1/19 10:49 AM, Pierre Labastie via blfs-dev wrote:
>>>> On 31/07/2019 00:44, DJ Lucas via blfs-dev wrote:
>>>>> On July 30, 2019 3:54:34 PM CDT, Pierre Labastie via blfs-dev
>>>>> <[email protected]> wrote:
>>>>
>>>>> IIUC above, this is because we do not have elogind in LFS, so our first
>>>>> build of dbus does not link to libsystemd (unlike in LFS-systemd). The
>>>>> lack of dbus support is inconsequential in that configuration because we
>>>>> are going to rebuild systemd later in BLFS.
>>>>>
>>>>>> There is also another thing, which bothers me: instructions for the
>>>>>> xorg server are the same in both books (sysv/elogind and systemd). So,
>>>>>> when we add --enable-install-setuid to xorg-server, we add it in both
>>>>>> books. But I believed it was not needed in the systemd book...
>>>>>>
>>>>> That would be my doing as I had believed that they would be the same (and
>>>>> still believe they should be, but my attempts to find the reason for the
>>>>> differences have failed me thus far), so the two variants got merged
>>>>> down. In fact, I think I am the only one who has demonstrated that a
>>>>> rootless Xorg is even possible with elogind in our group. Five
>>>>> consecutive builds, all slightly different, but logical (apparently only
>>>>> to me), build orders. I'd gotten frustrated trying to track it down, I
>>>>> was simply spinning my wheels, so I put it on the back burner (knowing
>>>>> that a viable workaround exists). I'll be testing nouveau on an existing
>>>>> build next week to possibly eliminate hardware/drivers. I want to also
>>>>> say that I've built entirely in chroot already, but I'm not 100% certain
>>>>> on that.
>>>>>
>>>>> HTH
>>>>>
>>>>
>>>> OK, I've found the error!!!!
>>>> On the Xinit page, we have:
>>>> ---
>>>> sed -e '/$serverargs $vtarg/ s/serverargs/: #&/' \
>>>> -i startx.cpp
>>>> ---
>>>> for the Sysv/elogind book, while we do not have this for the systemd book.
>>>>
>>>> Removing the ": #" allows startx to run the server and the usual clients.
>>>>
>>>> I think even the suid-wrapper is not needed! (it drops privilege anyway if
>>>> /dev/dri/card0 is KMS compatible). This can be tested by moving
>>>> /usr/libexec/Xorg.wrap to /usr/libexec/Xorg.wrap.nouse, and trying again:
>>>> startx still works.
>>>>
>>>> So we can:
>>>> remove the sed on the Xinit page
>>>> remove any enable-xxx-suid switch for xorg-server (well, maybe some
>>>> drivers do need the wrapper, this has to be tested, but I do not have the
>>>> hardware (intel driver works fine without the wrapper)).
>>>>
>>>> Pierre
>>>> PS: I've spent almost 24 h running the server, xinit, with gdb, playing
>>>> with xauth files, etc, before finding this stupid bug!
>>>>
>>>
>>> I appreciate your hard work in finding the discrepancy.
>>>
>>> We added that sed on purpose so Xorg will come up on vt7 instead of
>>> vt<current>. For most users it probably does not make a difference, but it
>>> is convenient to be able to switch between vt1 and vt7 when debugging.
>>>
>>> My preference is to leave the sed and the suid alone in the sysv book, but
>>> as an alternative we could just document the technique in a note.
>>>
>>>
>> Apologies if this comes through twice, my work laptop had an old
>> configuration, the first will probably get blocked.
>>
>> I don't think this is correct, but might be a clue. My build script for
>> xinit has this sed, and it works.
>> http://www.linuxfromscratch.org/~dj/mkbuild.sh/sources/buildscripts/xinit.sh
>>
>> The proposed sed also does nothing from what I can see (this from Arch,
>> where it would not have been applied, but I can't get to my workstation from
>> here):
>>
>> [dj@DJ-ARCH-02 ~]$ head -n 137 /usr/bin/startx | tail -n 3
>> if [ "$have_vtarg" = "no" ]; then
>> serverargs="$serverargs $vtarg"
>> fi
>> [dj@DJ-ARCH-02 ~]$ sed -e '/$serverargs $vtarg/ s/serverargs/&/' /usr/bin/startx | head -n 137 | tail -n 3
>> if [ "$have_vtarg" = "no" ]; then
>> serverargs="$serverargs $vtarg"
>> fi
>>
>> If this is actually the issue, I must have successfully done something wrong
>> multiple times (but I wouldn't put it past me at this point), but then my
>> preference is for the opposite of Bruce's suggestion. IOW: put the commands
>> on the xinit page to add the suid bit for Xorg along with the sed and put
>> them inside of nodump tags. Like Bruce said, the majority of users won't
>> care one way or the other, but avoiding a suid bit wherever possible is a
>> good thing.
>
> Your sed does nothing:
>
> sed -e '/$serverargs $vtarg/ s/serverargs/&/'
>
> you need
>
> sed -e '/$serverargs $vtarg/ s/serverargs/: #&/'
>
> Which comments out that particular line, but adds the colon because it is in
> an 'if' construct.
>
> I'm working on a modification to the book now.
>

Just an example of why the suid bit on Xorg could be bad:
- Build Xorg-server with --enable-install-setuid.
- Start the machine and start working on the console
- Have a user remote log in to the machine (for example with ssh)
- Let that user type "/usr/libexec/Xorg", and see what happens...
- Have the user type Ctrl-C so that you can work again on the console...

There are a lot of ways to debug without the suid bit and the sed, for example:
- sudo startx -- /usr/bin/X # run as root, so that there is no permission problem and
                            # prevent startx from assigning a vt number.
- startx > Xerror.log 2>&1 # then cat Xerror.log from an Xterm
...

Note that the suid wrapper may be needed for some drivers (those with no
support for KMS).

Pierre
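
The effect of the two sed commands compared in the thread, as an added example that is not part of the original messages: each is applied to a constructed copy of the three startx lines quoted above, and `sh -n` checks whether the result still parses. The function names and the `hash_sed` variant (a plain `#` without the colon) are hypothetical, added to show why the book's sed inserts ": #".

```shell
#!/bin/sh
# Constructed sample: the three startx lines quoted in the thread
# (indentation is assumed; the quoted output had lost it).
fragment() {
cat <<'EOF'
if [ "$have_vtarg" = "no" ]; then
    serverargs="$serverargs $vtarg"
fi
EOF
}

# sed from the sysv/elogind Xinit page: the assignment becomes the no-op
# command ":" followed by a comment, so $vtarg is never appended.
book_sed() { fragment | sed -e '/$serverargs $vtarg/ s/serverargs/: #&/'; }

# Variant tried in the thread: "&" re-inserts the matched text unchanged.
noop_sed() { fragment | sed -e '/$serverargs $vtarg/ s/serverargs/&/'; }

# Hypothetical variant without the colon: leaves a comment-only "if" body.
hash_sed() { fragment | sed -e '/$serverargs $vtarg/ s/serverargs/#&/'; }

# Return 0 if the script text on stdin is valid sh syntax (parsed with
# "sh -n", never executed).
parses() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    if sh -n "$tmp" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Show each variant's output and whether the shell accepts it.
for v in book_sed noop_sed hash_sed; do
    if $v | parses; then state="parses"; else state="syntax error"; fi
    printf '== %s (%s)\n' "$v" "$state"
    $v
done
```
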
