Non-setuid Xorg

Summary

Remove the setuid bit from the /usr/bin/Xorg binary.

Owner

• Name: Andrew Lutomirski
• Email: luto@mit.edu
• Release notes owner:

Current status

• Targeted release: Fedora 21
• Last updated: 02:20, 9 January 2014 (UTC)
• Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Traditionally, /usr/bin/Xorg is installed setuid-root. This change will remove the setuid bit so that Xorg will act as a normal daemon binary.

This change will have no effect on the Xorg's uid when started by a display manager.

Benefit to Fedora

Xorg is a perennial source of security bugs (for example [bug 1049569]). To try to exploit one of these bugs, an attacker at the console can try to attack their own X server (this would be mitigated by XorgWithoutRootRights) or they can just start a new server. Because /usr/bin/Xorg is setuid root, even turnoff off graphical mode (e.g. systemctl disable gdm) does not prevent exploitation of Xorg bugs.

Even ignoring actual bugs, any user can seriously annoy a user at the console by running something like X :1.

Scope

• Proposal owners:

* Write up the trivial change to xorg-x11-server.spec.

• Other developers:

* Mostly just testing to make sure that nothing breaks.

• Release engineering: nothing in particular

• Policies and guidelines: nothing in particular

Upgrade/compatibility impact

No special handling should be needed.

How To Test

• Make sure that it's still possible to start working sessions from all display managers.
• Think about non-display-manager use cases of X. For example, startx will no longer work.

User Experience

• Running X (or Xorg) from the terminal will no longer work for unprivileged users.

Dependencies

None

Contingency Plan

• Contingency mechanism: Revert the change to xorg-x11-server.spec and rebuild it.
• Contingency deadline: This feature is trivial to implement -- either ship it or don't.
• Blocks release? No

Documentation

There's nothing interesting here.

Release Notes