[PATCH weston] launcher: don't exit when user is not root

Michal Suchanek hramrach at gmail.com
Tue Oct 31 16:42:28 UTC 2017


On 31 October 2017 at 08:49, Pekka Paalanen <ppaalanen at gmail.com> wrote:
> On Mon, 30 Oct 2017 18:56:02 +0100
> Michal Suchanek <hramrach at gmail.com> wrote:
>
>> On 30 October 2017 at 16:02, Pekka Paalanen <ppaalanen at gmail.com> wrote:
>> > On Mon, 30 Oct 2017 15:20:42 +0100
>> > Emre Ucan <eucan at de.adit-jv.com> wrote:
>> >
>> >> weston does not need to be root.
>> >> It requires adjusting ownership on the given tty device.
>> >>
>> >> If weston does not have proper rights, it will get
>> >> an error at startup anyway.
>> >>
>> >> Signed-off-by: Emre Ucan <eucan at de.adit-jv.com>
>> >> ---
>> >>  libweston/launcher-direct.c | 3 ---
>> >>  1 file changed, 3 deletions(-)
>> >>
>> >> diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
>> >> index a5d3ee5..b05d214 100644
>> >> --- a/libweston/launcher-direct.c
>> >> +++ b/libweston/launcher-direct.c
>> >> @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, struct weston_compositor *
>> >>  {
>> >>       struct launcher_direct *launcher;
>> >>
>> >> -     if (geteuid() != 0)
>> >> -             return -EINVAL;
>> >> -
>> >>       launcher = zalloc(sizeof(*launcher));
>> >>       if (launcher == NULL)
>> >>               return -ENOMEM;
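Review bot: dropping the `geteuid() != 0` check at the top of launcher_direct_connect() removes the only privilege check in this hunk without putting anything in its place; the commit message relies on the later tty/DRM/input device opens failing, but nothing in the diff touches those paths, so a non-root run now fails with whatever error those opens return instead of a clear `-EINVAL` at connect time. If non-root direct launching is wanted, consider keeping the check and bypassing it only on an explicit opt-in, and documenting which device nodes the compositor user must be able to open.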
>> >
>> > NAK, for the reasons explained in
>> > https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html
>> >
>> > To summarize, it's not only tty permissions but DRM and input devices
>> > as well.
>>
>> DRM and input are supposed to be accessible by the console user on desktop systems.
>
> Hi Michal,
>
> thanks for your concern, but I believe the world has moved on. We have
> a much better model with an agent like logind now.

Why is the model better?

In the end the agent relies on permissions as well.

On systems with multiple users it makes sense to automate the task of
setting up the user permissions with an agent.

However, on an embedded system, setting the permissions statically in
an installation image may make more sense. Then you have one less
thing to audit for security - namely the agent which you do not use.

>
> That old approach had the inherent security issues which I assume have
> discouraged its use and encouraged looking for better alternatives.
>
>> Ever heard of rootless X?
>
> Yes. I believe it uses logind now.

The documentation says otherwise.

>
>> Any user on the console should be able to randomly decide to run a GUI
>> server without any special privileges.
>
> Presuming yes, then that is what logind or another agent like
> weston-launch allows. They also make it harder for you to shoot
> yourself in the foot by e.g. running two display servers on the same
> devices simultaneously.

Which is what tracking service units is for as well - it should run
the server only once.

>
>> This can be set up by logind or it can be hardcoded by the
>> administrator to a particular user. Whatever the case just running the
>> GUI server should work without issues when permissions are set up
>> correctly.
>
> It can be done by setting up user permissions. That does not mean it is
> the best available solution.

It can be done by logind or weston-launch. It does not mean it is the
best solution.

>
>> > If you set all these so that weston can actually run without
>> > root using the direct launcher, then quite likely you have opened some
>> > security holes.
>> >
>> > The direct launcher is specifically meant for running weston as root.
>> > Running as root is only for debugging and development, never for
>> > production.
>>
>> If you can run it as root you can run it as any user with sufficient
>> permissions.
>>
>> The security implications of different setups should be the concern of
>> the system administrator and not launcher-direct.
>
> I will still refuse to take in code that promotes bad practices where I
> see it. Enforcement in code is always more powerful than documentation
> saying one should not do this.

And what exactly is the bad practice here?

Accessing devices that you have permission to access, granted by the
system administrator, but which are not set up as accessible to you by
policykit?

If you should not have access to some devices then the system
administrator should revoke your permissions. weston is a display
server. It is not a security audit software. So it has no business
auditing your security setup.

Thanks

Michal
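The two sides of this thread agree on one thing: whether a non-root compositor works, and whether the setup "opened some security holes", comes down to the mode bits and ownership of the tty, DRM and input device nodes. The script below is an added example (not weston code, not from any participant in this thread) of the check an administrator would run before baking static permissions into an image: it evaluates the POSIX mode bits for a given uid/gid set the way open(2) would, reports which nodes the compositor user cannot open read/write, and flags nodes that any other local user could read or write (a world-readable /dev/input/event* is a keylogger for every account on the box). The device paths, uids and gids in the sample are constructed for illustration; ACLs, which logind or udev may also set, are deliberately not considered.

```python
"""Audit static device-node permissions for a non-root display server.

Added example, not part of weston or this thread. Only classic POSIX
mode bits are evaluated; POSIX ACLs (what logind/udev may add) are ignored.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DevNode:
    path: str
    mode: int   # permission bits only, i.e. stat.S_IMODE(st_mode)
    uid: int
    gid: int


@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset  # primary plus supplementary group ids


def can_access(node: DevNode, user: User, need_write: bool = True) -> bool:
    """Mirror the kernel's owner/group/other class selection.

    The class is chosen first (owner wins over group wins over other) and
    only that class's bits are consulted, so an owner with mode 0o060 is
    denied even though the group would be allowed.
    """
    if user.uid == 0:            # root bypasses DAC on device nodes
        return True
    if user.uid == node.uid:
        bits = (node.mode >> 6) & 0o7
    elif node.gid in user.gids:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    needed = 0o6 if need_write else 0o4
    return bits & needed == needed


def audit(nodes, user: User):
    """Return (missing, overexposed).

    missing:     nodes the compositor user cannot open O_RDWR, i.e. the
                 startup failure the commit message expects.
    overexposed: nodes with any 'other' read or write bit set, i.e.
                 readable or writable by every local account.
    """
    missing = [n.path for n in nodes if not can_access(n, user)]
    overexposed = [n.path for n in nodes if n.mode & 0o006]
    return missing, overexposed


def scan(paths):
    """Build DevNode records from the live filesystem (used from main only)."""
    out = []
    for p in paths:
        st = os.stat(p)
        out.append(DevNode(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return out


# Constructed sample resembling an embedded image where the admin chowned the
# tty to the compositor user and relies on group membership for the rest.
# uid 1000 = compositor user, gid 44 = video, gid 104 = input (assumed ids).
SAMPLE_USER = User(uid=1000, gids=frozenset({1000, 44}))   # not in 'input'
SAMPLE_NODES = [
    DevNode("/dev/tty7",         0o600, 1000, 5),    # chowned to the user
    DevNode("/dev/dri/card0",    0o660, 0,    44),   # root:video
    DevNode("/dev/input/event0", 0o660, 0,    104),  # root:input, user not a member
    DevNode("/dev/input/event1", 0o666, 0,    0),    # misconfigured: world rw
]


def main():
    missing, overexposed = audit(SAMPLE_NODES, SAMPLE_USER)
    print("compositor user cannot open:", missing)
    print("readable/writable by any local user:", overexposed)


if __name__ == "__main__":
    main()
```

On the sample data the user is denied /dev/input/event0 (correct group, but the user is not in it) and /dev/input/event1 is flagged as exposed to everyone; on a real box replace SAMPLE_NODES with `scan(glob.glob("/dev/input/event*") + [...])` and build the User from `os.getuid()` and `os.getgroups()`. A clean run means both lists are empty: the compositor user can open everything it needs, and nobody else can.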
