Re: non root X
On 08/07/2009 05:47 PM, Dave Airlie wrote:
> On Fri, 2009-08-07 at 16:42 -0400, Casey Dahlin wrote:
> > On 08/06/2009 01:26 AM, Dave Airlie wrote:
> > > On Mon, 2009-08-03 at 15:08 +0530, Rahul Sundaram wrote:
> > > > Hi
> > > >
> > > > A few days back I ran into
> > > > http://lists.x.org/archives/xorg-devel/2009-July/001293.html
> > > >
> > > > I am wondering, since we are already using KMS in most places in
> > > > Fedora, how far are we from achieving this by default in a Fedora
> > > > release?
> > >
> > > non-root X is a big security hole at the moment, and until we get
> > > revoke() support in the kernel, we can probably move X to running as a
> > > special user, and maybe once we get revoke to running as the real user.
> > >
> > > However it doesn't solve the issue how we know we need or don't need
> > > root since X only figures out what graphics drivers are needed after
> > > starting, so if you needed a non-kms gpu driver we wouldn't know until
> > > after we'd started as non-root.
> > >
> > > Dave.
> >
> > Why can't we just start as root or with the setuid bit, and use the
> > standard set*uid() calls to drop what we don't need once we know what
> > we're doing?
>
> We have to undo some stuff when X exits.
>
> Dave.

I meant start as setuid, then determine if root was necessary at all. If
it is, keep running as root for the duration. If not, drop privileges.

--CJD

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
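As an added example (not code from this thread, and not the X server's own startup code), here is the sequence Casey describes written the way a reviewer would want it: start with root, decide once whether the driver needs it, and otherwise drop to an unprivileged uid in a way that cannot be undone. driver_needs_root() and its driver list are constructed placeholders for "X figures out which driver it needs"; the drop order (supplementary groups, then gid, then uid) and the verification afterwards are the substance. It assumes Linux (setresuid/setresgid) and, when started as root, drops to uid/gid 65534.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for "X figures out which driver it needs": a KMS
 * driver gets its hardware access through the kernel, so root is not
 * needed; anything else is assumed to need raw I/O and keeps root. */
int driver_needs_root(const char *driver)
{
    static const char *const kms_drivers[] = { "intel", "radeon", "nouveau" };
    for (size_t i = 0; i < sizeof kms_drivers / sizeof kms_drivers[0]; i++)
        if (strcmp(driver, kms_drivers[i]) == 0)
            return 0;
    return 1;
}

/* Drop to uid/gid permanently: real, effective and saved ids all change,
 * so a later setuid(0) cannot bring root back. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first, while we still have the right to clear
     * them; setgroups() is root-only, so skip it if we never were root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once the uid is non-zero the gid can't be changed. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify instead of trusting the return codes. */
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    return 0;
}

/* 1 if root can no longer be regained (the property the drop must give),
 * 0 if the process is still root or could become root again. */
int root_is_unrecoverable(void)
{
    if (geteuid() == 0)
        return 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(int argc, char **argv)
{
    const char *driver = argc > 1 ? argv[1] : "intel";     /* constructed input */
    uid_t target_uid = geteuid() == 0 ? 65534 : getuid();  /* "nobody" if root */
    gid_t target_gid = getegid() == 0 ? 65534 : getgid();

    if (driver_needs_root(driver)) {
        printf("%s: keeping root for the whole session\n", driver);
    } else if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;   /* never carry on half-dropped */
    }
    printf("euid=%u root_unrecoverable=%d\n",
           (unsigned)geteuid(), root_is_unrecoverable());
    return 0;
}
```

The check that setuid(0) now fails is the point of the pattern: a drop that only changes the effective uid (seteuid() alone) leaves the saved uid at 0 and can be reversed. It also shows why the decision has to be made once and early, since nothing in the process can be "undone" back to root afterwards.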
Re: non root X
On 08/06/2009 01:26 AM, Dave Airlie wrote:
> On Mon, 2009-08-03 at 15:08 +0530, Rahul Sundaram wrote:
> > Hi
> >
> > A few days back I ran into
> > http://lists.x.org/archives/xorg-devel/2009-July/001293.html
> >
> > I am wondering, since we are already using KMS in most places in Fedora,
> > how far are we from achieving this by default in a Fedora release?
>
> non-root X is a big security hole at the moment, and until we get revoke()
> support in the kernel, we can probably move X to running as a special
> user, and maybe once we get revoke to running as the real user.
>
> However it doesn't solve the issue how we know we need or don't need root
> since X only figures out what graphics drivers are needed after starting,
> so if you needed a non-kms gpu driver we wouldn't know until after we'd
> started as non-root.
>
> Dave.

Why can't we just start as root or with the setuid bit, and use the
standard set*uid() calls to drop what we don't need once we know what
we're doing?

--CJD
Re: non root X
On Fri, 2009-08-07 at 16:42 -0400, Casey Dahlin wrote:
> On 08/06/2009 01:26 AM, Dave Airlie wrote:
> > On Mon, 2009-08-03 at 15:08 +0530, Rahul Sundaram wrote:
> > > Hi
> > >
> > > A few days back I ran into
> > > http://lists.x.org/archives/xorg-devel/2009-July/001293.html
> > >
> > > I am wondering, since we are already using KMS in most places in
> > > Fedora, how far are we from achieving this by default in a Fedora
> > > release?
> >
> > non-root X is a big security hole at the moment, and until we get
> > revoke() support in the kernel, we can probably move X to running as a
> > special user, and maybe once we get revoke to running as the real user.
> >
> > However it doesn't solve the issue how we know we need or don't need
> > root since X only figures out what graphics drivers are needed after
> > starting, so if you needed a non-kms gpu driver we wouldn't know until
> > after we'd started as non-root.
> >
> > Dave.
>
> Why can't we just start as root or with the setuid bit, and use the
> standard set*uid() calls to drop what we don't need once we know what
> we're doing?

We have to undo some stuff when X exits.

Dave.
Re: non root X
On Thu, 2009-08-06 at 01:36 -0400, Ben Boeckel wrote:
> Dave Airlie wrote:
> > On Mon, 2009-08-03 at 15:08 +0530, Rahul Sundaram wrote:
> > > Hi
> > >
> > > A few days back I ran into
> > > http://lists.x.org/archives/xorg-devel/2009-July/001293.html
> > >
> > > I am wondering, since we are already using KMS in most places in
> > > Fedora, how far are we from achieving this by default in a Fedora
> > > release?
> >
> > non-root X is a big security hole at the moment, and until we get
> > revoke() support in the kernel, we can probably move X to running as a
> > special user, and maybe once we get revoke to running as the real user.
> >
> > However it doesn't solve the issue how we know we need or don't need
> > root since X only figures out what graphics drivers are needed after
> > starting, so if you needed a non-kms gpu driver we wouldn't know until
> > after we'd started as non-root.
> >
> > Dave.
>
> Could permissions be raised temporarily? PolicyKit with (defaulted)
> auto-approve to load an appropriate driver?

Maybe we could do something with SELinux, but I don't think we can do
anything without getting revoke. or maybe some process capabilities if
such things worked.

Dave.
Re: non root X
On Fri, 2009-08-07 at 05:04 +1000, Dave Airlie wrote:
> On Thu, 2009-08-06 at 01:36 -0400, Ben Boeckel wrote:
> > Could permissions be raised temporarily? PolicyKit with (defaulted)
> > auto-approve to load an appropriate driver?
>
> Maybe we could do something with SELinux, but I don't think we can do
> anything without getting revoke. or maybe some process capabilities if
> such things worked.

SELinux, as a rule, does not grant rights, only removes them.

- ajax
Re: non root X
Quoting Dave Airlie (airl...@redhat.com):
> On Thu, 2009-08-06 at 01:36 -0400, Ben Boeckel wrote:
> > Dave Airlie wrote:
> > > On Mon, 2009-08-03 at 15:08 +0530, Rahul Sundaram wrote:
> > > > Hi
> > > >
> > > > A few days back I ran into
> > > > http://lists.x.org/archives/xorg-devel/2009-July/001293.html
> > > >
> > > > I am wondering, since we are already using KMS in most places in
> > > > Fedora, how far are we from achieving this by default in a Fedora
> > > > release?
> > >
> > > non-root X is a big security hole at the moment, and until we get
> > > revoke() support in the kernel, we can probably move X to running as
> > > a special user, and maybe once we get revoke to running as the real
> > > user.
> > >
> > > However it doesn't solve the issue how we know we need or don't need
> > > root since X only figures out what graphics drivers are needed after
> > > starting, so if you needed a non-kms gpu driver we wouldn't know
> > > until after we'd started as non-root.
> > >
> > > Dave.
> >
> > Could permissions be raised temporarily? PolicyKit with (defaulted)
> > auto-approve to load an appropriate driver?
>
> Maybe we could do something with SELinux, but I don't think we can do
> anything without getting revoke. or maybe some process capabilities if
> such things worked.

The non-kms drivers could carry fe=on,fI=CAP_SYS_RAWIO (or whatever they
need) and userids or groups allowed to run X could get pI=CAP_SYS_RAWIO
at login through pam_cap.so.

If you also make the x driver setuid-root, then on filesystems (like NFS)
or kernels which don't support file capabilities, it'll run setuid root
as it does now, while if file caps are supported then it should run as
the calling user with just the granted capabilities.

-serge
Re: non root X
On Thu, 2009-08-06 at 14:50 -0500, Serge E. Hallyn wrote:
> Quoting Dave Airlie (airl...@redhat.com):
> > Maybe we could do something with SELinux, but I don't think we can do
> > anything without getting revoke. or maybe some process capabilities if
> > such things worked.
>
> The non-kms drivers could carry fe=on,fI=CAP_SYS_RAWIO (or whatever they
> need) and userids or groups allowed to run X could get pI=CAP_SYS_RAWIO
> at login through pam_cap.so.
>
> If you also make the x driver setuid-root, then on filesystems (like NFS)
> or kernels which don't support file capabilities, it'll run setuid root
> as it does now, while if file caps are supported then it should run as
> the calling user with just the granted capabilities.

It doesn't work like that. Drivers are DSOs, not executables. You don't
get capabilities magically blessed into your executable just because you
dlopen()d a DSO that has them set.

Also, having actually done the audit for this, the set of capabilities
the X server would need to run with restricted-caps is essentially
equivalent to root in the first place. SYS_RAWIO + SYS_ADMIN +
DAC_OVERRIDE plus some others I'm forgetting. Really not a solution.

- ajax
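The exchange between Serge and ajax turns on when the kernel consults file capabilities at all. As an added example (not code from the thread, the kernel or libcap), the block below models the execve() transformation rule from capabilities(7) as a pure function and runs both Serge's scheme and ajax's dlopen() objection through it. The capability bit numbers are the real ones from <linux/capability.h>; the struct names, the scenario functions and their sample values are constructed for this example, and the ambient set and bounding-set restriction are deliberately left out of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Capability bit numbers as in <linux/capability.h>. */
#define CAP_DAC_OVERRIDE (UINT64_C(1) << 1)
#define CAP_SYS_RAWIO    (UINT64_C(1) << 17)
#define CAP_SYS_ADMIN    (UINT64_C(1) << 21)
#define CAP_ALL          (~UINT64_C(0))

/* A process's capability sets (ambient set omitted, bounding set taken
 * as full; both are simplifications of the real kernel rule). */
struct caps { uint64_t permitted, effective, inheritable; };

/* What setcap(8) stores on a file: fP, fI and the fE flag. has_file_caps
 * is false on a filesystem that cannot carry them (Serge's NFS case);
 * setuid_root is the mode bit his fallback relies on. */
struct file_caps { uint64_t fP, fI; bool fE; bool has_file_caps; bool setuid_root; };

/* Transformation at execve(), per capabilities(7):
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | F(permitted)
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 * A setuid-root file with no file caps is "capability-dumb": the kernel
 * grants the full permitted and effective sets, i.e. root as before. */
struct caps caps_after_execve(struct caps p, struct file_caps f)
{
    struct caps np = { 0, 0, p.inheritable };
    if (!f.has_file_caps) {
        if (f.setuid_root) {
            np.permitted = CAP_ALL;
            np.effective = CAP_ALL;
        }
        return np;
    }
    np.permitted = (p.inheritable & f.fI) | f.fP;
    np.effective = f.fE ? np.permitted : 0;
    return np;
}

/* dlopen() maps a DSO into the running process; no execve() happens, so
 * whatever caps are set on the .so file are never consulted. */
struct caps caps_after_dlopen(struct caps p, struct file_caps dso_caps)
{
    (void)dso_caps;
    return p;
}

/* Serge's scheme on an executable: the file carries fE=on and
 * fI=CAP_SYS_RAWIO, and the user's login got pI=CAP_SYS_RAWIO from
 * pam_cap. Returns the resulting effective set. */
uint64_t scenario_exec_with_pam_cap(void)
{
    struct caps p = { 0, 0, CAP_SYS_RAWIO };
    struct file_caps f = { 0, CAP_SYS_RAWIO, true, true, false };
    return caps_after_execve(p, f).effective;
}

/* Same file, but a user whose login did not grant pI=CAP_SYS_RAWIO. */
uint64_t scenario_exec_without_pam_cap(void)
{
    struct caps p = { 0, 0, 0 };
    struct file_caps f = { 0, CAP_SYS_RAWIO, true, true, false };
    return caps_after_execve(p, f).effective;
}

/* Fallback: setuid-root file on a filesystem without file caps. */
uint64_t scenario_setuid_root_no_file_caps(void)
{
    struct caps p = { 0, 0, CAP_SYS_RAWIO };
    struct file_caps f = { 0, 0, false, false, true };
    return caps_after_execve(p, f).effective;
}

/* ajax's objection: the driver is a DSO the X server dlopen()s, so the
 * server's own sets are unchanged however the .so file is labelled. */
uint64_t scenario_dlopen_driver(void)
{
    struct caps xserver = { 0, 0, CAP_SYS_RAWIO };  /* non-root X, pI from pam_cap */
    struct file_caps dso = { 0, CAP_SYS_RAWIO, true, true, false };
    return caps_after_dlopen(xserver, dso).effective;
}
```

The first scenario is what Serge describes and it does work for an executable: the inheritable sets intersect and fE turns the result on. The last scenario is ajax's point: the only file the kernel ever looked at was the X server binary, so the caps would have to sit on the server itself, which is the "essentially equivalent to root" set he lists.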
Re: non root X
Quoting Adam Jackson (a...@redhat.com):
> On Thu, 2009-08-06 at 14:50 -0500, Serge E. Hallyn wrote:
> > Quoting Dave Airlie (airl...@redhat.com):
> > > Maybe we could do something with SELinux, but I don't think we can do
> > > anything without getting revoke. or maybe some process capabilities if
> > > such things worked.
> >
> > The non-kms drivers could carry fe=on,fI=CAP_SYS_RAWIO (or whatever they
> > need) and userids or groups allowed to run X could get pI=CAP_SYS_RAWIO
> > at login through pam_cap.so.
> >
> > If you also make the x driver setuid-root, then on filesystems (like
> > NFS) or kernels which don't support file capabilities, it'll run setuid
> > root as it does now, while if file caps are supported then it should
> > run as the calling user with just the granted capabilities.
>
> It doesn't work like that. Drivers are DSOs, not executables. You

drat

-serge
Re: non root X
On Mon, 2009-08-03 at 15:08 +0530, Rahul Sundaram wrote:
> Hi
>
> A few days back I ran into
> http://lists.x.org/archives/xorg-devel/2009-July/001293.html
>
> I am wondering, since we are already using KMS in most places in Fedora,
> how far are we from achieving this by default in a Fedora release?

non-root X is a big security hole at the moment, and until we get revoke()
support in the kernel, we can probably move X to running as a special
user, and maybe once we get revoke to running as the real user.

However it doesn't solve the issue how we know we need or don't need root
since X only figures out what graphics drivers are needed after starting,
so if you needed a non-kms gpu driver we wouldn't know until after we'd
started as non-root.

Dave.
Re: non root X
Dave Airlie wrote:
> On Mon, 2009-08-03 at 15:08 +0530, Rahul Sundaram wrote:
> > Hi
> >
> > A few days back I ran into
> > http://lists.x.org/archives/xorg-devel/2009-July/001293.html
> >
> > I am wondering, since we are already using KMS in most places in Fedora,
> > how far are we from achieving this by default in a Fedora release?
>
> non-root X is a big security hole at the moment, and until we get revoke()
> support in the kernel, we can probably move X to running as a special
> user, and maybe once we get revoke to running as the real user.
>
> However it doesn't solve the issue how we know we need or don't need root
> since X only figures out what graphics drivers are needed after starting,
> so if you needed a non-kms gpu driver we wouldn't know until after we'd
> started as non-root.
>
> Dave.

Could permissions be raised temporarily? PolicyKit with (defaulted)
auto-approve to load an appropriate driver?

--Ben (not an X/PolicyKit/kernel hacker)
non root X
Hi

A few days back I ran into
http://lists.x.org/archives/xorg-devel/2009-July/001293.html

I am wondering, since we are already using KMS in most places in Fedora,
how far are we from achieving this by default in a Fedora release?

Rahul