Changes/NonSetuidXorg

From FedoraProject

Jump to: navigation, search

Contents

Non-setuid Xorg

Summary

Remove the setuid bit from the /usr/bin/Xorg binary.

Owner

Current status

  • Targeted release: Fedora 21
  • Last updated: 02:20, 9 January 2014 (UTC)
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Traditionally, /usr/bin/Xorg is installed setuid-root. This change will remove the setuid bit so that Xorg will act as a normal daemon binary.

This change will have no effect on the Xorg's uid when started by a display manager.

Benefit to Fedora

Xorg is a perennial source of security bugs (for example [bug 1049569]). To try to exploit one of these bugs, an attacker at the console can try to attack their own X server (this would be mitigated by XorgWithoutRootRights) or they can just start a new server. Because /usr/bin/Xorg is setuid root, even turnoff off graphical mode (e.g. systemctl disable gdm) does not prevent exploitation of Xorg bugs.

Even ignoring actual bugs, any user can seriously annoy a user at the console by running something like X :1.

Scope

  • Proposal owners:
* Write up the trivial change to xorg-x11-server.spec.
  • Other developers:
* Mostly just testing to make sure that nothing breaks.
  • Release engineering: nothing in particular
  • Policies and guidelines: nothing in particular

Upgrade/compatibility impact

No special handling should be needed.

How To Test

  • Make sure that it's still possible to start working sessions from all display managers.
  • Think about non-display-manager use cases of X. For example, startx will no longer work.

User Experience

  • Running X (or Xorg) from the terminal will no longer work for unprivileged users.

Dependencies

None

Contingency Plan

  • Contingency mechanism: Revert the change to xorg-x11-server.spec and rebuild it.
  • Contingency deadline: This feature is trivial to implement -- either ship it or don't.
  • Blocks release? No

Documentation

There's nothing interesting here.

Release Notes