Bug#801401: Workarounds for rootless Xorg
Xorg without setuid is a good thing for security. But it's still possible to manage without systemd-logind. As outlined in http://hansdegoede.livejournal.com/14268.html, several privileges needed by xorg are moved to be managed in logind. Those privileges can be provided alternatively as follows:

* Access to /dev/input/event*

  These are rw for input group by default. For security against keyloggers, input group permission shouldn't be given to normal users. Therefore you can use setgid on /usr/lib/xorg/Xorg for input group. This is only intended for the single-user scenario.

* Access to /dev/dri/card*

  These are rw for video group by default. Add yourself to video group.

* Privilege to drmSetMaster()

  If there is only one drm device no setup is needed.

* Access to /dev/tty1 (for example)

  Need to chown /dev/tty1 to yourself first, and startx with vt01.

Also see the prior discussion https://wiki.ubuntu.com/X/Rootless

This is probably against the design goal of systemd and won't ever be supported. But my sysvinit setup with the above workarounds (not using xserver-xorg-legacy) is this:

/etc/inittab:

    1:2345:respawn:;chown xlz /dev/tty1;chgrp input /usr/lib/xorg/Xorg;chmod g+s /usr/lib/xorg/Xorg;exec su - xlz -c 'exec startx'

~/.xserverrc:

    #!/bin/sh
    exec /usr/bin/X -nolisten tcp "$@" vt01

which works fine. If you have multiple graphics cards or the graphics driver does not support KMS then there will be more problems.

Several annoyances in ~/.local/share/xorg/Xorg.0.log:

    xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)

This is a non-fatal error because "[KMS] drivers that don't need I/O access", and thus can be ignored.

    (EE) dbus-core: error connecting to system bus: org.freedesktop.DBus.Error.FileNotFound (Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory)

This spams Xorg.0.log every 10 seconds, and it is impossible to turn off without rebuilding xorg.

Regards,
Lingzhu
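As an added example (not from the bug report), a small POSIX sh audit of the permission state this workaround creates, seen from the defender's side: the setgid bit and group on /usr/lib/xorg/Xorg, the owner of /dev/tty1, and who is in the input group (each member can read every /dev/input/event* node). The function names and the sample values in the comments are assumptions; the paths and group names come from the message above.

```shell
#!/bin/sh
# Added audit helper for the setgid-Xorg workaround described above; it is
# not part of the bug report. Paths and the 'input' group come from the
# thread; the function names and sample values are assumptions.

# xorg_setgid_verdict MODE GROUP
#   MODE  = octal mode from `stat -c %a` (e.g. 2755), GROUP = `stat -c %G`.
#   Prints: setgid-input | setgid-other:<group> | no-setgid
xorg_setgid_verdict() {
  mode=$1 group=$2
  case "$mode" in
    ????) special=${mode%???} ;;   # 4 digits: leading digit = suid/sgid/sticky
    *)    special=0 ;;
  esac
  case "$special" in
    2|3|6|7)                        # bit value 2 is setgid
      if [ "$group" = input ]; then echo setgid-input
      else echo "setgid-other:$group"; fi ;;
    *) echo no-setgid ;;
  esac
}

# input_group_members GROUPLINE
#   GROUPLINE is the /etc/group entry for 'input' (name:x:gid:user,user).
#   Every user listed here can read all /dev/input/event* nodes, i.e. every
#   keystroke; with the setgid workaround this list should be empty.
input_group_members() {
  printf '%s\n' "${1##*:}" | tr ',' ' '
}

# tty_owner_ok OWNER USER: /dev/tty1 must be owned by the user running X.
tty_owner_ok() { [ "$1" = "$2" ]; }

# audit_live: run the checks against the real system (stat is coreutils).
audit_live() {
  xorg=/usr/lib/xorg/Xorg
  [ -e "$xorg" ] || { echo "$xorg not present, nothing to audit"; return 0; }
  set -- $(stat -c '%a %G' "$xorg")
  echo "Xorg binary     : $(xorg_setgid_verdict "$1" "$2")"
  echo "/dev/tty1 owner : $(stat -c %U /dev/tty1 2>/dev/null)"
  echo "input members   : $(input_group_members "$(grep '^input:' /etc/group)")"
}

audit_live
```

A verdict of setgid-input with a non-empty input member list means normal users still hold the keystroke-reading access the setgid trick was meant to remove from them.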
Bug#801401: Workarounds for rootless Xorg
On Fri, Oct 23, 2015 at 5:01 AM, Lingzhu Xiang wrote:
> * Privilege to drmSetMaster()
>
> If there is only one drm device no setup is needed.

This is an incorrect understanding of what drmSetMaster() does. It is not setting a primary device, it's the process claiming the DRM_MASTER capability, which is required for things like modesetting and authorising other drm clients' access to the device.

Claiming DRM_MASTER requires root.
Bug#801401: Workarounds for rootless Xorg
On Thu, Oct 22, 2015 at 7:28 PM, Christopher James Halse Rogers wrote:
>> * Privilege to drmSetMaster()
>>
>> If there is only one drm device no setup is needed.
>
> This is an incorrect understanding of what drmSetMaster() does. It is not
> setting a primary device, it's the process claiming the DRM_MASTER
> capability, which is required for things like modesetting and authorising
> other drm clients' access to the device.
>
> Claiming DRM_MASTER requires root.

OK, thank you for pointing that out. I'm not very familiar with DRM.

From my limited reading, if there is no drm master, which is the single-user scenario I have been considering, the first fd to open("/dev/dri/card0") automatically becomes the drm master and obtains DRM_MASTER capability. drmSetMaster() requires DRM_ROOT_ONLY capability, not DRM_MASTER capability. None of DRM_IOCTL_{GEM,MODE}_* ioctls require DRM_ROOT_ONLY capability. Once it becomes drm master, the intel driver is smart enough to be aware and to "[not] let go", and therefore does not call drmSetMaster() anymore.

So the above statement should be amended as "If there is only one drm user, no setup is needed."

I'm not sure what applications are "other drm clients". Based on my limited testing, xrandr resolution change and vt switching work correctly.

Regards,
Lingzhu