Non-setuid Xorg
Summary
Remove the setuid bit from the /usr/bin/Xorg binary.
Owner
- Name: Andrew Lutomirski
- Email: luto@mit.edu
- Release notes owner:
Current status
- Targeted release: Fedora 21
- Last updated: 02:20, 9 January 2014 (UTC)
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Traditionally, /usr/bin/Xorg is installed setuid-root. This change removes the setuid bit so that Xorg behaves like any other daemon binary: it runs with the privileges of whoever started it, and an unprivileged user can no longer launch a root-privileged X server by hand.
This change has no effect on the uid Xorg runs as when it is started by a display manager: the display manager already runs as root and starts Xorg directly, so the setuid bit is irrelevant on that path.
Benefit to Fedora
Xorg is a perennial source of security bugs (for example [bug 1049569]). To exploit one of these bugs, an attacker at the console can attack their own running X server (this would be mitigated by XorgWithoutRootRights), or any local user can simply start a new server. Because /usr/bin/Xorg is setuid root, even turning off graphical mode (e.g. systemctl disable gdm) does not prevent exploitation of Xorg bugs: the setuid binary is still there for any user to run.
Even ignoring actual bugs, any user can seriously annoy the user at the console by running something like X :1, which grabs the display hardware with root privileges.
Scope
- Proposal owners:
* Write up the trivial change to xorg-x11-server.spec.
- Other developers:
* Mostly just testing to make sure that nothing breaks.
- Release engineering: nothing in particular
- Policies and guidelines: nothing in particular
Upgrade/compatibility impact
No special handling should be needed.
How To Test
- Make sure that it's still possible to start working sessions from all display managers.
- Think about non-display-manager use cases of X. For example, startx (which runs X directly as the invoking user) will no longer work for unprivileged users.
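The first check a tester would run is the one this Change is about: confirm that the installed /usr/bin/Xorg no longer carries the setuid bit, and that nothing else setuid-root has crept into the same directory. The script below is an added example, not part of this Change page or of the xorg-x11-server package; it builds a constructed fixture directory (a fake setuid "Xorg" next to a non-setuid "Xwayland") so the functions can be exercised without root and without touching the real system, and the paths under /usr/bin in the usage note are the real targets.

```shell
#!/bin/sh
# Added example (not from the Change page): audit a directory tree for
# setuid binaries, the check to run after the setuid bit is dropped from Xorg.

# list_setuid DIR: print every regular file under DIR with the setuid bit
# (mode 4000) set, sorted so the output is stable for comparison.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# is_setuid FILE: exit 0 only if FILE carries the setuid bit.
is_setuid() {
    [ -u "$1" ]
}

# check_not_setuid FILE: exit 0 if FILE exists as a regular file and is NOT
# setuid, i.e. the state this Change wants for /usr/bin/Xorg. A missing file
# fails too, so a typo in the path cannot masquerade as a pass.
check_not_setuid() {
    [ -f "$1" ] && ! [ -u "$1" ]
}

# make_fixture: create a constructed test directory holding two fake
# binaries, one laid out the traditional (setuid) way and one the way this
# Change leaves Xorg. Prints the directory path. Requires no privileges:
# a user may set the setuid bit on files they own.
make_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$dir/Xorg"
    printf '#!/bin/sh\nexit 0\n' > "$dir/Xwayland"
    chmod 4755 "$dir/Xorg"      # traditional setuid-root style layout
    chmod 0755 "$dir/Xwayland"  # what this Change makes Xorg look like
    echo "$dir"
}

# audit_xorg FILE: human-readable verdict for the tester; exit status mirrors
# check_not_setuid so it can be used from scripts as well.
audit_xorg() {
    if check_not_setuid "$1"; then
        echo "OK: $1 is not setuid"
        return 0
    fi
    echo "FAIL: $1 is missing or still setuid"
    return 1
}
```

On an installed system run `audit_xorg /usr/bin/Xorg` and `list_setuid /usr/bin`; with the Change applied the first prints OK and the second no longer lists Xorg. The `-perm -4000` form matches files that have at least the setuid bit set regardless of the other mode bits, so it also catches a 4711 Xorg, which is how setuid helpers are often shipped.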
User Experience
- Running X (or Xorg) from the terminal will no longer work for unprivileged users.
Dependencies
None
Contingency Plan
- Contingency mechanism: Revert the change to xorg-x11-server.spec and rebuild it.
- Contingency deadline: This feature is trivial to implement -- either ship it or don't.
- Blocks release? No
Documentation
There's nothing interesting here.