Re: xserver: do we still need Fopen()

2024-02-09 Thread Alan Coopersmith

On 2/8/24 04:25, Enrico Weigelt, metux IT consult wrote:

> On 08.02.24 00:19, Alan Coopersmith wrote:
> > > > If the Xserver is run as setuid root,
> > >
> > > On which platforms is that still the case ?
> >
> > Platforms which support users starting the Xserver directly
> > (startx/xinit/etc
> > instead of via systemd service or display manager) on devices without KMS
> > support.
>
> Okay, but which are those, exactly ? Are those still supported at all ?

As I said before, I know Solaris is one.  I don't know which others.

> A comprehensive list of still supported platforms would be great.

For the Xserver, I believe the list of supported OS'es is:

- BSD, including, but not limited to, FreeBSD, NetBSD, & OpenBSD,
   but not 386BSD or BSDi
- GNU Hurd
- Linux, but not Android
- MacOS, but not iOS/iPadOS/watchOS/etc.
- Solaris & illumos, but no longer OpenSolaris
- Windows, including CygWin and MinGW

which mostly matches the "X.Org OS ports" section of
https://gitlab.freedesktop.org/xorg/doc/xorg-docs/-/blob/master/MAINTAINERS
(the SCO bit in the maintainers file is out of date since xserver commit
 f28e48834e40c7901c2ef in 2010, or since X11R7, depending on how you look
 at it).

I don't know if anyone keeps track of minimum versions for any of these
either.  As the Solaris maintainer, I only actively make sure it works
on Solaris 11.4 (released 2018), but have only actively removed support
for OS releases before Solaris 8 (released in 2000) - though I should
probably clean up some more now since meson doesn't support OS versions
that old.

Not all of the servers build on all OS'es - for instance XWin & XQuartz
are limited to Windows and MacOS respectively.

> Are you the Xserver maintainer for Solaris ?

I am one of them, I share the load with Niveditha Rau, who does most of
the work for packaging X in Solaris these days, while I do more of the
upstream work.

> > > And does it need to run as root all the time, instead of after opening
> > > some devices ?
> >
> > It needs to run as root when opening the devices (both at startup and
> > when VT switching back to the server from another VT).
>
> Does the device need to be re-opened (really another open() call) on VT
> switch, or would it be sufficient to do it once early and later drop
> privileges ?

Re-opened, since they're closed when we VT switch away.  And when not using
KMS, there's also IOPL manipulation to deal with.

> > We've got a local mechanism in the Solaris packages that takes a message
> > from gdm at login time and setuid's to the user that just logged in,
> > since without it, the X server doesn't know what uid to setuid to when
> > using a display manager (gdm/xdm/etc.) to login, but that's never gone
> > upstream.
>
> Interesting, can you give us more detail ?

https://github.com/oracle/solaris-userland/blob/master/components/x11/xserver/xorg/sun-src/os/dtlogin.c
https://github.com/oracle/solaris-userland/blob/master/components/x11/xserver/xorg/patches/07-dtlogin-userinfo.patch
https://github.com/oracle/solaris-userland/blob/master/components/gnome/gdm/patches/0004-sdtlogin.patch

Presumably someone implementing it today would use Dbus instead of a
named pipe, but that didn't exist in 1995 when this was first created.

Alternatively, they'd just restart the X server as the new user after login
succeeds instead of just putting the user session on the same Xserver that
the login screen ran on, which is presumably what someone would need to do
for https://gitlab.freedesktop.org/xorg/xserver/-/issues/1632 .

> Would it be possible to incorporate some special logic for things like
> user-passed paths (and permission checks)

I don't understand what you want to do there.

> Oh, BTW, just seen that on WIN32, Fopen #define'd to fopen(), thus no
> priv dropping at all. So can we assume the other targets
> HAS_SAVED_IDS_AND_SETUID ?

That's what I did in
https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1266
I believe it was only pre-POSIX UNIX platforms that didn't support it,
and we've not supported any of those in the Xserver since at least the
time of the Imake->autoconf conversion in 2005 for X11R7.0, but they
definitely existed when the X server was created in the mid-80's.

--
-Alan Coopersmith- alan.coopersm...@oracle.com
 Oracle Solaris Engineering - https://blogs.oracle.com/solaris



Re: xserver: do we still need Fopen()

2024-02-08 Thread Enrico Weigelt, metux IT consult

On 08.02.24 13:41, tlaro...@kergis.com wrote:

> I'm for example still using it this way (I'm mainly developing and I
> don't always need a graphical interface and don't want to waste
> permanently resources by using and administrating a display manager
> for which I'm the sole and temporary user).
>
> Not being able to do so would be, IMHO, a major step backward.

Agreed. Then let's officially define being able to start an Xserver
(with local graphics access) as a hard requirement (*1). At least on
Unix'oid platforms (probably not applicable to MacOS or Windows).

The interesting question is whether there are better ways than
setuid-root (on Xserver itself).

--mtx

*1) do we already have some spec of what features we support in the
long-term ? shall we write one ?

--
---
Notice: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send me your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287


Re: xserver: do we still need Fopen()

2024-02-08 Thread tlaronde
On Thu, Feb 08, 2024 at 01:25:24PM +0100, Enrico Weigelt, metux IT consult 
wrote:
> > > 
> > > On which platforms is that still the case ?
> > 
> > Platforms which support users starting the Xserver directly
> > (startx/xinit/etc
> > instead of via systemd service or display manager) on devices without KMS
> > support.
> 
> Okay, but which are those, exactly ? Are those still supported at all ?
> A comprehensive list of still supported platforms would be great.
> 
> > I know Solaris is one, since that's the one I work on,
> 
> hmm, and there's no other way around this ?

This is part of the X11 contract: startx(1) etc. are a way to add a
graphical interface as a user to any, at least Unix, node.

I'm for example still using it this way (I'm mainly developing and I
don't always need a graphical interface and don't want to waste 
permanently resources by using and administrating a display manager
for which I'm the sole and temporary user).

Not being able to do so would be, IMHO, a major step backward.
-- 
Thierry Laronde 
 http://www.kergis.com/
http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C


xserver: do we still need Fopen()

2024-02-08 Thread Enrico Weigelt, metux IT consult

On 08.02.24 00:19, Alan Coopersmith wrote:

> > Hi,
> >
> > Does WIN32 still mean 32bit Windows or also more modern ones like
> > w10/w11 ?
>
> I believe it's still defined for 64-bit Windows, as stated on
> https://learn.microsoft.com/en-us/windows/win32/winprog64/additional-considerations
> but I never code or build for Windows, so am not the best person to ask.

Me neither, also haven't had Windows for decades.

Any Windows dev here who can help out ?

> > > If the Xserver is run as setuid root,
> >
> > On which platforms is that still the case ?
>
> Platforms which support users starting the Xserver directly
> (startx/xinit/etc
> instead of via systemd service or display manager) on devices without KMS
> support.

Okay, but which are those, exactly ? Are those still supported at all ?
A comprehensive list of still supported platforms would be great.

> I know Solaris is one, since that's the one I work on,

hmm, and there's no other way around this ?
Does it need the exec'ing code path, or is it fine with temporarily
dropping privs ?

Is being able to start the Xserver as plain user really an important
use case on those platforms ? Or maybe could a tiny suid wrapper (which
filters the args) also be sufficient ?

Are you the Xserver maintainer for Solaris ?

> but I believe
> even some Linux distros still do this - for instance, see the Note about
> the "suid" USE flag on https://wiki.gentoo.org/wiki/Xorg/Guide .

That's strange. Back when I last used Gentoo (must be over
a decade ago), I don't recall running it as suid-root.

> > And does it need to run as root all the time, instead of after opening
> > some devices ?
>
> It needs to run as root when opening the devices (both at startup and
> when VT switching back to the server from another VT).

Does the device need to be re-opened (really another open() call) on VT
switch, or would it be sufficient to do it once early and later drop
privileges ?

> We've got a local mechanism in the Solaris packages that takes a message
> from gdm at login time and setuid's to the user that just logged in,
> since without it, the X server doesn't know what uid to setuid to when
> using a display manager (gdm/xdm/etc.) to login, but that's never gone
> upstream.

Interesting, can you give us more detail ?

Would it be possible to incorporate some special logic for things like
user-passed paths (and permission checks)

By the way, I've long been wondering whether it would be better to run
the Xserver as an entirely separate (possibly temporary) user - or let the
DM start an entirely new server instance (as the logged-in user) after
the greeter is done. The second approach could even allow users to customize
server args (eg. whether to allow remote connections).

> > Yes, of course. But can't we just have an extra permission check ?
>
> That would be more code and riskier to implement than the setuid method,
> which just delegates to the kernel to be sure.

Ok, so we should leave the setuid code path (as long as Xserver still
needs to run as setuid-root) and let's focus on the exec'ing code path.

Oh, BTW, just seen that on WIN32, Fopen #define'd to fopen(), thus no
priv dropping at all. So can we assume the other targets
HAS_SAVED_IDS_AND_SETUID ?

According to meson scripts, anything based on
AT or SVR4 unix (BSD and as MacOS), as well as Linux do have it.


--mtx

--
---
Notice: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send me your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287



Re: xserver: do we still need Fopen() ?

2024-02-07 Thread Alan Coopersmith

On 2/5/24 06:41, Enrico Weigelt, metux IT consult wrote:

> On 02.02.24 21:05, Alan Coopersmith wrote:
>
> Hi,
>
> > I suspect for the OS'es that the xserver code builds on today, that
> > could be replaced by #ifndef WIN32, which would then allow the first
> > half of that #ifdef in Fopen to be deleted, leaving just the simpler
> > case, since Fopen is already not built for WIN32.
>
> Does WIN32 still mean 32bit Windows or also more modern ones like
> w10/w11 ?

I believe it's still defined for 64-bit Windows, as stated on
https://learn.microsoft.com/en-us/windows/win32/winprog64/additional-considerations
but I never code or build for Windows, so am not the best person to ask.

> > If the Xserver is run as setuid root,
>
> On which platforms is that still the case ?

Platforms which support users starting the Xserver directly (startx/xinit/etc
instead of via systemd service or display manager) on devices without KMS
support.

I know Solaris is one, since that's the one I work on, but I believe
even some Linux distros still do this - for instance, see the Note about
the "suid" USE flag on https://wiki.gentoo.org/wiki/Xorg/Guide .

> And does it need to run as root all the time, instead of after opening
> some devices ?

It needs to run as root when opening the devices (both at startup and
when VT switching back to the server from another VT).

We've got a local mechanism in the Solaris packages that takes a message
from gdm at login time and setuid's to the user that just logged in,
since without it, the X server doesn't know what uid to setuid to when
using a display manager (gdm/xdm/etc.) to login, but that's never gone
upstream.

> > you don't want to let it read
> > files with root privs that are specified by a non-root user - that
> > way lies CVEs.
>
> Yes, of course. But can't we just have an extra permission check ?

That would be more code and riskier to implement than the setuid method,
which just delegates to the kernel to be sure.

--
-Alan Coopersmith- alan.coopersm...@oracle.com
 Oracle Solaris Engineering - https://blogs.oracle.com/solaris



Re: xserver: do we still need Fopen() ?

2024-02-06 Thread Enrico Weigelt, metux IT consult

On 03.02.24 03:41, Alan Coopersmith wrote:

> https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1266

great :)

I had almost done it on my own.


--mtx

--
---
Notice: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send me your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287


Re: xserver: do we still need Fopen() ?

2024-02-05 Thread Enrico Weigelt, metux IT consult

On 02.02.24 21:05, Alan Coopersmith wrote:

Hi,

> I suspect for the OS'es that the xserver code builds on today, that
> could be replaced by #ifndef WIN32, which would then allow the first
> half of that #ifdef in Fopen to be deleted, leaving just the simpler
> case, since Fopen is already not built for WIN32.

Does WIN32 still mean 32bit Windows or also more modern ones like
w10/w11 ?

> If the Xserver is run as setuid root,

On which platforms is that still the case ?

And does it need to run as root all the time, instead of after opening
some devices ?

> you don't want to let it read
> files with root privs that are specified by a non-root user - that
> way lies CVEs.

Yes, of course. But can't we just have an extra permission check ?

> I could imagine adding a build flag to the server
> that said not to support running setuid, that would set a define
> that skipped this code and instead enabled code to check issetugid()
> on startup and instantly exit if it was true,

That seems indeed helpful also for alerting installations that still
do it even if not necessary anymore. Actually I'd enable it by default.

> > And is there still any need to run it as root at all ?
>
> Yes.  Not every OS the X server runs on has KMS support for every device.
> I don't know how to express that in a meson, autoconf, or #ifdef check
> though.

Add an explicit option for that ?


--mtx

--
---
Notice: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send me your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287


Re: xserver: do we still need Fopen() ?

2024-02-02 Thread Alan Coopersmith

On 2/2/24 12:05, Alan Coopersmith wrote:

> On 2/2/24 05:45, Enrico Weigelt, metux IT consult wrote:
>
> > Hello folks,
> >
> > I wonder whether we still need the Fopen() function.
> >
> > It's a funny and complicated way of loading a file with dropped privs
> > (by calling `cat` on that file !).
>
> It only does the cat if HAS_SAVED_IDS_AND_SETEUID is not defined, and
> that should be defined on all POSIX systems - though it looks like our
> current check is:
>
> #if defined(SVR4) || defined(__linux__) || defined(CSRG_BASED)
> #define HAS_SAVED_IDS_AND_SETEUID
> #endif
>
> I suspect for the OS'es that the xserver code builds on today, that
> could be replaced by #ifndef WIN32, which would then allow the first
> half of that #ifdef in Fopen to be deleted, leaving just the simpler
> case, since Fopen is already not built for WIN32.

https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1266

--
-Alan Coopersmith- alan.coopersm...@oracle.com
 Oracle Solaris Engineering - https://blogs.oracle.com/solaris



Re: xserver: do we still need Fopen() ?

2024-02-02 Thread Alan Coopersmith

On 2/2/24 05:45, Enrico Weigelt, metux IT consult wrote:

> Hello folks,
>
> I wonder whether we still need the Fopen() function.
>
> It's a funny and complicated way of loading a file with dropped privs
> (by calling `cat` on that file !).

It only does the cat if HAS_SAVED_IDS_AND_SETEUID is not defined, and
that should be defined on all POSIX systems - though it looks like our
current check is:

#if defined(SVR4) || defined(__linux__) || defined(CSRG_BASED)
#define HAS_SAVED_IDS_AND_SETEUID
#endif

I suspect for the OS'es that the xserver code builds on today, that
could be replaced by #ifndef WIN32, which would then allow the first
half of that #ifdef in Fopen to be deleted, leaving just the simpler
case, since Fopen is already not built for WIN32.

> The only call site is LoadAuthorization() (auth.c) for loading the
> Xauthority file (if one was passed to xserver via -auth arg). But this
> doesn't make much sense to me: why should the xserver - if started as
> root (but dropping privs) - be prevented from reading an xauth file ?

If the Xserver is run as setuid root, you don't want to let it read
files with root privs that are specified by a non-root user - that
way lies CVEs.  I could imagine adding a build flag to the server
that said not to support running setuid, that would set a define
that skipped this code and instead enabled code to check issetugid()
on startup and instantly exit if it was true, but I don't think anyone
has written a patch for that yet.  Distros who don't install setuid
could set that flag, those who do could leave it unset.

> And do we still need the complicated exec'ing code path ?

As noted above, I don't think so.

> And is there still any need to run it as root at all ?

Yes.  Not every OS the X server runs on has KMS support for every device.
I don't know how to express that in a meson, autoconf, or #ifdef check though.

--
-Alan Coopersmith- alan.coopersm...@oracle.com
 Oracle Solaris Engineering - https://blogs.oracle.com/solaris
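The two mechanisms Alan describes above, the saved-set-user-ID path of Fopen() (switch the effective ids to the real user around the open so the kernel, not the server, decides whether a `-auth` path is readable) and the proposed startup check that refuses to run setuid at all, as an added C example. This is not xserver code; the function names and the temp-file path used by the self-check are assumptions made for the demo, and a real-versus-effective id comparison stands in for issetugid(), which not every libc provides.

```c
/* Added example, not xserver code: open a user-supplied path with the
 * privileges of the real user (the HAS_SAVED_IDS_AND_SETEUID strategy),
 * plus a "refuse to run setuid" startup check. Function names and the
 * temp-file path below are assumptions made for this demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Portable stand-in for issetugid(): non-zero when the process gained
 * privilege through a setuid/setgid bit (real and effective ids differ).
 * A build that does not support running setuid could call this first
 * thing in main() and exit if it returns non-zero. */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* fopen() `path` as the invoking (real) user. On a setuid-root binary the
 * effective ids are switched to the real ids around the open, so the kernel
 * enforces the real user's permissions on the path; the saved set-user-ID
 * then lets seteuid() switch back to root. Without setuid this is a plain
 * fopen(). Returns NULL with errno set on failure. */
FILE *fopen_as_real_user(const char *path, const char *mode)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    int privileged = (ruid != euid || rgid != egid);
    FILE *fp;
    int saved_errno;

    if (privileged) {
        /* Drop the group first: once euid is unprivileged, setegid() may fail. */
        if (setegid(rgid) == -1)
            return NULL;
        if (seteuid(ruid) == -1) {
            saved_errno = errno;
            (void)setegid(egid);
            errno = saved_errno;
            return NULL;
        }
    }

    fp = fopen(path, mode);
    saved_errno = errno;

    if (privileged) {
        /* Restore the privileged ids. If that fails the process is in an
         * unexpected state; report the open as failed rather than continue. */
        if (seteuid(euid) == -1 || setegid(egid) == -1) {
            if (fp != NULL)
                fclose(fp);
            errno = EPERM;
            return NULL;
        }
    }
    errno = saved_errno;
    return fp;
}

/* Self-check that works without setuid: a constructed temp file must open,
 * and a path that does not exist must fail with ENOENT. Returns 0 on success. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/fopen-demo-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, "MIT-MAGIC-COOKIE-1\n", 19) != 19) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    FILE *fp = fopen_as_real_user(path, "r");
    int opened = (fp != NULL);
    if (fp != NULL)
        fclose(fp);
    unlink(path);
    if (!opened)
        return -2;

    FILE *missing = fopen_as_real_user("/nonexistent/dir/.Xauthority", "r");
    if (missing != NULL) {
        fclose(missing);
        return -3;
    }
    return (errno == ENOENT) ? 0 : -4;
}

int main(void)
{
    printf("running setuid/setgid: %s\n", running_setugid() ? "yes" : "no");
    printf("demo_roundtrip: %d\n", demo_roundtrip());
    return 0;
}
```

The order of the id changes matters: the group is dropped before the user and restored after it, because once the effective uid is unprivileged the process may no longer be allowed to change its effective gid. Compared with the `cat` fallback, this keeps everything in-process and needs no exec, which is the point of the simplification discussed in the thread.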



Re: xserver: do we still need Fopen() ?

2024-02-02 Thread Adam Sampson
"Enrico Weigelt, metux IT consult"  writes:

> But this doesn't make much sense to me: why should the xserver - if
> started as root (but dropping privs) - be prevented from reading an
> xauth file ?

Maybe for NFS? Imagine (it's the late 90s and) you've got a workstation
running an X server as root, with home directories mounted from an NFS
server with root_squash enabled - if you started the server with -auth
/home/me/.Xauthority, the X server wouldn't be able to read it.

I expect most modern machines used the saved-IDs version of the code
rather than the cat version...

-- 
Adam Sampson  


xserver: do we still need Fopen() ?

2024-02-02 Thread Enrico Weigelt, metux IT consult

Hello folks,

I wonder whether we still need the Fopen() function.

It's a funny and complicated way of loading a file with dropped privs
(by calling `cat` on that file !).

The only call site is LoadAuthorization() (auth.c) for loading the
Xauthority file (if one was passed to xserver via -auth arg). But this
doesn't make much sense to me: why should the xserver - if started as
root (but dropping privs) - be prevented from reading an xauth file ?
And do we still need the complicated exec'ing code path ?

And is there still any need to run it as root at all ?

Am I missing something ?

--mtx

--
---
Notice: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send me your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287