[PATCH weston] launcher: don't exit when user is not root

Pekka Paalanen ppaalanen at gmail.com
Tue Oct 31 07:49:01 UTC 2017


On Mon, 30 Oct 2017 18:56:02 +0100
Michal Suchanek <hramrach at gmail.com> wrote:

> On 30 October 2017 at 16:02, Pekka Paalanen <ppaalanen at gmail.com> wrote:
> > On Mon, 30 Oct 2017 15:20:42 +0100
> > Emre Ucan <eucan at de.adit-jv.com> wrote:
> >  
> >> weston does not need to be root.
> >> It requires adjusting ownership on the given tty device.
> >>
> >> If weston does not have proper rights, it will get
> >> an error at startup anyway.
> >>
> >> Signed-off-by: Emre Ucan <eucan at de.adit-jv.com>
> >> ---
> >>  libweston/launcher-direct.c | 3 ---
> >>  1 file changed, 3 deletions(-)
> >>
> >> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> >> index a5d3ee5..b05d214 100644
> >> --- a/libweston/launcher-direct.c
> >> +++ b/libweston/launcher-direct.c
> >> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, struct weston_compositor *
> >>  {
> >>       struct launcher_direct *launcher;
> >>
> >> -     if (geteuid() != 0)
> >> -             return -EINVAL;
> >> -
> >>       launcher = zalloc(sizeof(*launcher));
> >>       if (launcher == NULL)
> >>               return -ENOMEM;  
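Review bot: deleting the `if (geteuid() != 0) return -EINVAL;` guard at the top of launcher_direct_connect() removes the one explicit check that makes this launcher fail cleanly when it is not running as root; the commit message argues that a non-root run "will get an error at startup anyway", but with the guard gone the function proceeds to zalloc() the launcher and any permission problem only surfaces later, at device access, as a less specific failure than an immediate -EINVAL from connect. If the intent is to make non-root use of the direct launcher supported, that is a policy change that should be stated and justified in the commit message rather than implied by deleting the check; otherwise keep the guard, or at minimum replace it with an explicit log message so the failure mode stays obvious.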
> >
> > NAK, for the reasons explained in
> > https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html
> >
> > To summarize, it's not only tty permissions but DRM and input devices
> > as well.  
> 
> DRM and input are supposed to be accessible by the console user on desktop systems.

Hi Michal,

thanks for your concern, but I believe the world has moved on. We have
a much better model with an agent like logind now.

That old approach had the inherent security issues which I assume have
discouraged its use and encouraged looking for better alternatives.

> Ever heard of rootless X?

Yes. I believe it uses logind now.

> Any user on the console should be able to randomly decide to run a GUI
> server without any special privileges.

Presuming yes, then that is what logind or another agent like
weston-launch allows. They also make it harder for you to shoot
yourself in the foot by e.g. running two display servers on the same
devices simultaneously.

> This can be set up by logind or it can be hardcoded by the
> administrator to a particular user. Whatever the case just running the
> GUI server should work without issues when permissions are set up
> correctly.

It can be done by setting up user permissions. That does not mean it is
the best available solution.

> > If you set all these so that weston can actually run without
> > root using the direct launcher, then quite likely you have opened some
> > security holes.
> >
> > The direct launcher is specifically meant for running weston as root.
> > Running as root is only for debugging and development, never for
> > production.  
> 
> If you can run it as root you can run it as any user with sufficient
> permissions.
> 
> The security implications of different setups should be the concern of
> the system administrator and not launcher-direct.

I will still refuse to take in code that promotes bad practices where I
see it. Enforcement in code is always more powerful than documentation
saying one should not do this.


Thanks,
pq