Bug#801401: Workarounds for rootless Xorg

2015-10-22 Thread Lingzhu Xiang
Xorg without setuid is a good thing for security. But it's still
possible to manage without systemd-logind.

As outlined in http://hansdegoede.livejournal.com/14268.html, several
privileges needed by xorg are moved to be managed in logind. Those
privileges can be provided alternatively as follows:

* Access to /dev/input/event*

These are rw for the input group by default. For security against
keyloggers, input group permission shouldn't be given to normal users.
Therefore you can use setgid on /usr/lib/xorg/Xorg for the input group.
This is only intended for a single-user scenario.

* Access to /dev/dri/card*

These are rw for the video group by default. Add yourself to the video group.

* Privilege to drmSetMaster()

If there is only one drm device no setup is needed.

* Access to /dev/tty1 (for example)

You need to chown /dev/tty1 to yourself first, and run startx with vt01.

Also see the prior discussion: https://wiki.ubuntu.com/X/Rootless

This is probably against the design goal of systemd and won't ever be
supported. But my sysvinit setup with the above workarounds (not using
xserver-xorg-legacy) is this:

/etc/inittab:
1:2345:respawn:;chown xlz /dev/tty1;chgrp input /usr/lib/xorg/Xorg;chmod g+s /usr/lib/xorg/Xorg;exec su - xlz -c 'exec startx'

~/.xserverrc:
#!/bin/sh
exec /usr/bin/X -nolisten tcp "$@" vt01

which works fine. If you have multiple graphics cards or the graphics
driver does not support KMS then there will be more problems.

Several annoyances in ~/.local/share/xorg/Xorg.0.log:

xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)

This is a non-fatal error because "[KMS] drivers that don't need I/O
access", and thus can be ignored.

(EE) dbus-core: error connecting to system bus:
org.freedesktop.DBus.Error.FileNotFound (Failed to connect to socket
/var/run/dbus/system_bus_socket: No such file or directory)

This spams Xorg.0.log every 10 seconds, and it is impossible to turn
off without rebuilding xorg.

Regards,
Lingzhu
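
An added example, not part of the original message: a read-only audit of the permission layout described above (members of the input group, world-readable /dev/input/event* nodes, and whether the Xorg binary is setuid or setgid). The function names are hypothetical; the paths are the ones given in the message, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of the layout above.
# Paths and the group file are parameters so it also runs on test data.

# Print the supplementary members listed for GROUP in a group(5)-format file,
# one per line. Users whose primary GID is GROUP are not in field 4.
group_members() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "${2:-/etc/group}"
}

# Classify how a binary with octal MODE and group GROUP gains privilege.
classify_mode() {
    if [ $(( 0$1 & 04000 )) -ne 0 ]; then echo "setuid"
    elif [ $(( 0$1 & 02000 )) -ne 0 ]; then echo "setgid:$2"
    else echo "plain"; fi
}

# Succeed if "other" has read access to the node, i.e. any local user can read it.
world_readable() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 04 )) -ne 0 ]
}

# Report on the live system.
audit() {
    xorg=${1:-/usr/lib/xorg/Xorg}
    for u in $(group_members input); do
        echo "WARN: user '$u' is in group input and can read all key events"
    done
    for dev in /dev/input/event*; do
        [ -e "$dev" ] || continue
        if world_readable "$dev"; then echo "WARN: $dev is world-readable"; fi
    done
    if [ -e "$xorg" ]; then
        m=$(stat -c '%a' "$xorg"); g=$(stat -c '%G' "$xorg")
        echo "INFO: $xorg is $(classify_mode "$m" "$g")"
    fi
}

# Run the audit only when asked, so the file can also be sourced.
case "${1:-}" in --audit) audit ;; esac
```

With the setup from the message, the expected report is no WARN lines for the login user and an INFO line showing the binary as setgid:input rather than setuid.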



2015-10-22 Thread Christopher James Halse Rogers
On Fri, Oct 23, 2015 at 5:01 AM, Lingzhu Xiang wrote:
> * Privilege to drmSetMaster()
>
> If there is only one drm device no setup is needed.


This is an incorrect understanding of what drmSetMaster() does. It is 
not setting a primary device, it's the process claiming the DRM_MASTER 
capability, which is required for things like modesetting and 
authorising other drm clients' access to the device.


Claiming DRM_MASTER requires root.



2015-10-22 Thread Lingzhu Xiang
On Thu, Oct 22, 2015 at 7:28 PM, Christopher James Halse Rogers wrote:
>> * Privilege to drmSetMaster()
>>
>> If there is only one drm device no setup is needed.
>
>
> This is an incorrect understanding of what drmSetMaster() does. It is not
> setting a primary device, it's the process claiming the DRM_MASTER
> capability, which is required for things like modesetting and authorising
> other drm clients' access to the device.
>
> Claiming DRM_MASTER requires root.

OK, thank you for pointing that out. I'm not very familiar with DRM.

From my limited reading, if there is no drm master, which is the
single-user scenario I have been considering, the first fd to
open("/dev/dri/card0") automatically becomes the drm master and
obtains DRM_MASTER capability. drmSetMaster() requires DRM_ROOT_ONLY
capability, not DRM_MASTER capability. None of DRM_IOCTL_{GEM,MODE}_*
ioctls require DRM_ROOT_ONLY capability. Once becoming drm master, the
intel driver is smart enough to be aware and to "[not] let go"
therefore does not call drmSetMaster() anymore.

So the above statement should be amended as "If there is only one drm
user, no setup is needed."

I'm not sure what applications are "other drm clients". Based on my
limited testing, xrandr resolution change and vt switching work
correctly.

Regards,
Lingzhu