From Fedora Project Wiki

Xorg without root rights

Summary

The Xorg xserver is a large piece of software which currently runs as root, so any exploitable bug in it is a potential vector for a full compromise of the system. With recent changes to systemd-logind it is possible for the xserver to let systemd-logind do device management for it, at which point the xserver no longer needs root rights. Initially this will likely be implemented as the xserver dropping root rights early on.

Owner

  • Name: Hans de Goede, graphics team
  • Email: hdegoede@redhat.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 21
  • Last updated: December 18th 2013
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Work is in progress upstream to add systemd-logind integration to the xserver; this is expected to land in xserver 1.16, which is expected to be the xserver Fedora 21 ships. For the xserver to run as a systemd-logind session controller it must be started inside a (PAM) user session, because logind only hands device access to the controller of a session it knows about. This requires changes to the applications that start the xserver, specifically display managers such as gdm.

Benefit to Fedora

Having the xserver not run as root reduces Fedora's attack surface.

Scope

Because the xserver must be started inside a (PAM) user session to act as a systemd-logind session controller, the applications that start it, specifically display managers such as gdm, need to change. This is already being coordinated with gdm and other display managers. For Fedora 21 there will likely be a fallback mode in which the xserver does the device management itself (and so still needs root rights) when it is not started from a display manager that starts it inside a user session.

  • Proposal owners:

Make the xserver run properly as non-root, or drop root rights early on

  • Other developers:

Display manager developers may need to change how the xserver is started, so that it is always started inside a user session. Note that this change is also necessary for display managers which want to support Wayland, as Wayland compositors must always be started this way.

  • Release engineering: N/A
  • Policies and guidelines: N/A

Upgrade/compatibility impact

This should not need any special handling in the upgrade path.

How To Test

  1. Install Fedora 21, boot it to the graphical login screen and log in.
  2. Run "ps aux" and check that Xorg is not running as root.
  3. Use the graphical environment normally, including fast user switching, etc. Everything should work as before.
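The following script is an added example (not part of the wiki page or of Fedora's test tooling) that automates step 2 and adds the check a practitioner would want alongside it: that the session the X server was started in is registered with systemd-logind as an active x11 user session, which is what the "started inside a user session" requirement amounts to. It assumes the X server's process name is "Xorg" or "X" as shown by `ps -eo user:20,comm`, and that a correctly started session shows Type=x11, Class=user and Active=yes in `loginctl show-session`; the process list and session output embedded below are constructed samples, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page. Assumes the X server shows
# up as "Xorg" or "X" in `ps -eo user:20,comm`, and that a session started
# inside a PAM user session reports Type=x11, Class=user, Active=yes to
# `loginctl show-session`.

# $1: process list in "user command" form, one process per line.
# Exit 0 when every Xorg process has a non-root owner, 1 when any Xorg
# process is owned by root, 2 when no Xorg process is found at all.
xorg_owner_check() {
    printf '%s\n' "$1" | awk '
        $2 == "Xorg" || $2 == "X" {
            found = 1
            if ($1 == "root") { bad = 1; print "Xorg is running as root" }
            else print "Xorg is running as " $1
        }
        END {
            if (!found) { print "no Xorg process found"; exit 2 }
            if (bad) exit 1
            exit 0
        }'
}

# $1: Key=Value output of `loginctl show-session <id>`.
# Exit 0 only when the session is an active x11 user session.
x11_session_check() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "Type"   { type   = $2 }
        $1 == "Class"  { class  = $2 }
        $1 == "Active" { active = $2 }
        END {
            if (type == "x11" && class == "user" && active == "yes") {
                print "logind session is an active x11 user session"
                exit 0
            }
            print "session is Type=" type " Class=" class " Active=" active
            exit 1
        }'
}

# Constructed sample data (hypothetical, not captured from a real system).
PS_ROOT='USER     COMMAND
root     systemd
root     Xorg
alice    gnome-shell'
PS_USER='USER     COMMAND
root     systemd
alice    Xorg
alice    gnome-shell'
SESSION_OK='Id=2
Type=x11
Class=user
Active=yes'
SESSION_TTY='Id=3
Type=tty
Class=user
Active=no'

# Demo on the constructed samples: the root-owned case fails the check.
xorg_owner_check "$PS_USER"
if xorg_owner_check "$PS_ROOT"; then echo "unexpected: root-owned Xorg passed"; fi
x11_session_check "$SESSION_OK"
if x11_session_check "$SESSION_TTY"; then echo "unexpected: tty session passed"; fi

# On a live Fedora 21 system, from a terminal inside the graphical login:
#   xorg_owner_check "$(ps -eo user:20,comm)"
#   x11_session_check "$(loginctl show-session "$XDG_SESSION_ID")"
```

Run the two live commands from a terminal in the logged-in desktop, not over ssh: `XDG_SESSION_ID` is set by pam_systemd for the graphical session, and an ssh login has its own (tty-less, non-x11) session that would fail the second check for the wrong reason. The owner check deliberately treats "no Xorg process" as a distinct result, since on a Wayland session it says nothing about this change.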

User Experience

The user experience will be unchanged

Dependencies

This requires display managers, Initial Setup and Anaconda to be modified to properly start Xorg in a user session.

Status:

  1. Xorg server and driver changes, server code mostly upstream, drivers wip: 60%
  2. display managers, per product / spin:
    1. Desktop product: gdm, Ray Strode is working on this: ?%
    2. KDE spin: sddm, Martin Bříza is working on this: ?%
    3. XFCE spin: ?, contacted Christoph Wickert about this: ?%
    4. LXDE spin: ?, contacted Christoph Wickert about this: ?%
    5. Mate spin: ?, contacted Dan Mashal about this: ?%
  3. anaconda and initial-setup, contacted the anaconda-team about this

Contingency Plan

  • Contingency mechanism:
  1. If the necessary Xorg or anaconda + initial setup changes are not ready in time we will keep running Xorg as root
  2. Xorg upstream will ship a suid-root helper to keep things working with non-KMS drivers. Its detection of whether root rights are needed can be overridden from a config file. If not all display managers are ready, we can flip the helper's default to keep the xserver running as root, and spins which are ready can override this from the config file so that they do get the benefits (or we could put the burden on the not-ready spins to drop a config file forcing the xserver to run as root).
  • Contingency deadline: Beta freeze
  • Blocks release? No
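The second contingency mechanism above hinges on what the helper's config file says. The script below is an added example (not from the wiki page or from the xorg-server package) that parses such a file and reports whether it forces root, so a spin maintainer can confirm which way the default has been flipped on an installed system. It assumes the file format documented upstream for the helper in Xorg.wrap(1): /etc/X11/Xwrapper.config with `needs_root_rights = yes|no|auto` (auto meaning the helper's own detection) and `allowed_users = rootonly|console|anybody`; whether Fedora ships that path and those defaults unchanged is an assumption. The three config texts embedded below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page. Assumes the upstream
# Xorg.wrap(1) config format: /etc/X11/Xwrapper.config with the keys
# needs_root_rights = yes|no|auto and allowed_users = rootonly|console|anybody.
# "auto" (also the value when the key is absent) means the helper decides
# from the loaded drivers, which is the detection the contingency plan
# talks about overriding.

# $1: config file text. Prints the effective needs_root_rights value.
# Exit 0 when the file does not force root (no/auto), 1 when it forces
# root (yes), 2 when the value is not one the helper understands.
# Comments and blank lines are ignored; the last assignment wins.
effective_needs_root() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = $1; val = $2
            gsub(/[[:space:]]+/, "", key)
            gsub(/[[:space:]]+/, "", val)
            if (key == "needs_root_rights") v = val
        }
        END {
            if (v == "") v = "auto"
            if (v != "yes" && v != "no" && v != "auto") {
                print "invalid: " v
                exit 2
            }
            print v
            if (v == "yes") exit 1
            exit 0
        }'
}

# Constructed samples (hypothetical contents, not Fedora's shipped file).
# A spin that is not ready drops a file like this to keep Xorg as root:
FORCE_ROOT='# contingency: keep Xorg running as root on this spin
allowed_users = console
needs_root_rights = yes'
# A spin that is ready leaves detection alone (or states it explicitly):
PREFER_AUTO='allowed_users = console
needs_root_rights = auto'
# No override at all: the helper uses its built-in default.
NO_OVERRIDE='# no overrides; the helper detects whether root is needed'

# Demo on the constructed samples.
for cfg in "$FORCE_ROOT" "$PREFER_AUTO" "$NO_OVERRIDE"; do
    if effective_needs_root "$cfg" >/dev/null; then
        echo "does not force root: $(effective_needs_root "$cfg")"
    else
        echo "forces root (or invalid): $(effective_needs_root "$cfg")"
    fi
done

# On a live system:
if [ -r /etc/X11/Xwrapper.config ]; then
    echo "system Xwrapper.config: $(effective_needs_root "$(cat /etc/X11/Xwrapper.config)")"
fi
```

Caveat: `needs_root_rights = no` is not the "secure" choice to force blindly. With a non-KMS driver the helper still needs root for the server to start at all, which is exactly why the plan relies on auto-detection rather than a flat "no"; the check above therefore treats both `no` and `auto` as not forcing root and only flags `yes`.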

Documentation

TODO

Release Notes

TODO