[PATCH weston] launcher: don't exit when user is not root
Pekka Paalanen
ppaalanen at gmail.com
Tue Oct 31 07:29:11 UTC 2017
On Mon, 30 Oct 2017 15:29:58 +0000
"Ucan, Emre (ADITG/ESB)" <eucan at de.adit-jv.com> wrote:
> Hi Pekka,
>
> We are of course running graphical applications as a different user
> than weston user. Therefore, the security flaws, which you mentioned,
> are not applicable.
Yes. That is exactly what I meant that even if you somehow managed to
make it safe, it does not make it any more appropriate to give the
weston user these permissions directly.
> Correct me if I am wrong, but weston-launch and logind are using
> setuid(), which itself is a major security problem. Furthermore, IMO
> logind is not needed in an embedded system. The fancy tty and input
> handling for a multi-user environment is not needed in an embedded
> system.
They are setuid or equivalent, yes. They have been intended to be that
from the very beginning, so their design should account for it.
logind is not just for multi-user, it is also for privilege separation
- exactly the thing you have reinvented yourself with user accounts,
except your solution does not generalize, and no-one else uses,
develops, or audits it. No-one *could* even use it aside from using
your distribution, because it relies on user accounts setup and file
permissions rather than any particular piece of software.
Recovering from a Weston crash is another example where using an agent
is a good thing. Weston does have a SIGABRT/SIGSEGV handler that
attempts to restore the VT before raising SIGTRAP for debuggers, but
it's obviously not reliable.
> I do not understand why you are against this patch. The patch is only
> removing an unnecessary restriction of running weston directly. This
> patch is not setting any privileged rights to any non-root user :).
> Users of weston would still get errors if they do not set the rights
> accordingly.
This patch is promoting bad practice. Therefore I am against it.
> IMO, it is much more explanatory to get an error like "Cannot open drm
> device" than "weston cannot run as non-root user".
That's true. The actual error messages you get when no launcher
succeeds are:
"fatal: drm backend should be run using weston-launch binary or as root"
"fatal: fbdev backend should be run using weston-launch binary or as root"
I would be quite happy to improve those error messages to be more
helpful. I believe they were written before logind support existed.
None of this still changes the fact that launcher-direct has been
written for root use only, as a debugging aid.
Thanks,
pq
> > -----Original Message-----
> > From: Pekka Paalanen [mailto:ppaalanen at gmail.com]
> > Sent: Monday, 30 October 2017 16:02
> > To: Ucan, Emre (ADITG/ESB)
> > Cc: wayland-devel at lists.freedesktop.org
> > Subject: Re: [PATCH weston] launcher: don't exit when user is not
> > root
> >
> > On Mon, 30 Oct 2017 15:20:42 +0100
> > Emre Ucan <eucan at de.adit-jv.com> wrote:
> >
> > > weston does not need to be root.
> > > It requires adjusting ownership on the given tty device.
> > >
> > > If weston does not have proper rights, it will get
> > > an error at startup anyway.
> > >
> > > Signed-off-by: Emre Ucan <eucan at de.adit-jv.com>
> > > ---
> > > libweston/launcher-direct.c | 3 ---
> > > 1 file changed, 3 deletions(-)
> > >
> > > diff --git a/libweston/launcher-direct.c
> > > b/libweston/launcher-direct.c index a5d3ee5..b05d214 100644
> > > --- a/libweston/launcher-direct.c
> > > +++ b/libweston/launcher-direct.c
> > > @@ -276,9 +276,6 @@ launcher_direct_connect(struct
> > > weston_launcher
> > **out, struct weston_compositor *
> > > {
> > > struct launcher_direct *launcher;
> > >
> > > - if (geteuid() != 0)
> > > - return -EINVAL;
> > > -
> > > launcher = zalloc(sizeof(*launcher));
> > > if (launcher == NULL)
> > > return -ENOMEM;
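Review bot: Dropping the `if (geteuid() != 0) return -EINVAL;` guard at the top of `launcher_direct_connect()` removes the only point where this launcher explicitly refuses an unprivileged caller; if the caller falls back to another launcher on -EINVAL, an unprivileged run will now commit to the direct launcher and only fail later, when the tty, DRM or input devices are opened, with a less specific error than the one this guard produced. If the goal is a clearer message, consider keeping the check and replacing the bare `return -EINVAL;` with a logged explanation of why the direct launcher requires root, and the commit message should state why launcher selection is unaffected rather than only that "it will get an error at startup anyway".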
> >
> > NAK, for the reasons explained in
> > https://lists.freedesktop.org/archives/wayland-devel/2017-
> > October/035582.html
> >
> > To summarize, it's not only tty permissions but DRM and input
> > devices as well. If you set all these so that weston can actually
> > run without root using the direct launcher, then quite likely you
> > have opened some security holes.
> >
> > The direct launcher is specifically meant for running weston as
> > root. Running as root is only for debugging and development, never
> > for production.
> >
> >
> > Thanks,
> > pq