Xserver needs to run as "root" on Linux / was: Re: [Xorg] Server side widgets

Sean Middleditch elanthis at awesomeplay.com
Tue Jul 13 08:30:03 PDT 2004 

On Tue, 2004-07-13 at 11:22, Jakub Piotr CÅ‚apa wrote:

> Some random thoughts:
> 
> What if somebody writes a local exploit? On what systems exposed to such 
> malicious users you allow them to run their own code? (ok... you could 
> possibly mimic the login screen in flash or sth. like that...)

It's impossible to stop users from running code.  If nothing else, you
can manually run ld-so with your binary as input.  Other than using
something like SELinux, which even then (given how sickeningly complex
it is for even its creators to configure properly on multi-purpose
machines) will likely have many holes.

> 
> What's wrong with currently available Ctrl-Alt-Backspace? It would kill 
> such a malicious session and you will be sure the thing that shows up on 
> the screen is same thing somebody with root access have set.

Nope.  I can switch to a text console and write a script that launches a
new X session with my fake login program in a loop.  kill the X server,
the script just relaunches it.  Again, no way to tell if it's my hack or
the real login server.

> 
> Basically we need something to kill everything that is running on the 
> current virtual terminal and respawn whatever there should be - thats a 
> better overall sollution. (it would probably require login managers to 
> be spawned by init and not allocating consoles by themselves, but that 
> could be a good idea anyway)

And then we have a minor security hole in that a user can switch to some
console another user might be using (but have locked) and kill
everything running there.  (And, before you ask, it is possible to turn
off the ctrl-alt-backspace to protect against this as well.)

> 
> Of course the problem is nonexistant if we login with some kind of a 
> token (or any other device used only to log in i.e. innaccessible to 
> nonroot programs).

Which is more expensive and difficult to setup than simply installing
your OS and having it's login system (relatively) secure by default. 
The more difficult it is to secure the machine by the administrator, the
less likely it is to be secure.  Such login devices are already
available, and high-security networks use them.  Login protections like
we're discussing are more helpful for the average network, where special
hardware is rare and software protections are about all you'll find.  We
can't make them 100% secure, but we can help them be more secure than
they were previously.

-- 
Sean Middleditch <elanthis at awesomeplay.com>
AwesomePlay Productions, Inc.

More information about the xorg mailing list