Hi,

On 01/09/2014 12:09 AM, Andrew Lutomirski wrote:
> On Wed, Jan 8, 2014 at 2:58 PM, Peter Hutterer <peter.hutte...@who-t.net> wrote:
>> On Wed, Jan 08, 2014 at 01:14:08PM -0800, Andrew Lutomirski wrote:
>>> /usr/bin/Xorg is, and has been, setuid-root just about forever.  I'm
>>> wondering whether there's any good reason for it to remain
>>> setuid-root.
>>
>> http://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
>
> This isn't actually the same thing.  That proposal suggests running
> Xorg as a non-root user.  I'm proposing dropping the setuid bit on the
> binary, which will have no effect on the uid of the running server.
> (Of course, my suggestion will interact w/ that change, since the
> process that starts Xorg will no longer be root.)

I don't think that that will be very useful, it will likely cause more
breakage than you think, as various display-managers may already start
Xorg inside the user session, at which point the suid bit is needed,
and as you already said it will break xinit and friends.

Besides that almost every Fedora system already has a copy of the X
server running as root ready to be exploited. The attack surface of
X is not its cmdline or attacks through environment settings
(2 vectors your suggestion would close), but rather the gargantuan
API it exposes over the X protocol itself.

> It may be that XorgWithoutRootRights will clear the setuid bit as well, though.

Hopefully, either clear it completely or drop root rights very early
on during startup.

Regards,

Hans
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
