Xserver needs to run as "root" on Linux / was: Re: [Xorg] Server side widgets

Jakub Piotr Cłapa loc at toya.net.pl
Tue Jul 13 13:42:19 PDT 2004


Sean Middleditch wrote:
> On Tue, 2004-07-13 at 11:22, Jakub Piotr Cłapa wrote:
> 
>>Some random thoughts:
>>
>>What if somebody writes a local exploit? On what systems exposed to such
>>malicious users do you allow them to run their own code? (ok... you could
>>possibly mimic the login screen in flash or sth. like that...)
> 
> It's impossible to stop users from running code.  If nothing else, you
> can manually run ld-so with your binary as input.  Other than using
> something like SELinux, which even then (given how sickeningly complex
> it is for even its creators to configure properly on multi-purpose
> machines) will likely have many holes.

So -o noexec is only syntactic sugar?

>>What's wrong with the currently available Ctrl-Alt-Backspace? It would kill
>>such a malicious session and you will be sure the thing that shows up on
>>the screen is the same thing somebody with root access has set.
> 
> Nope.  I can switch to a text console and write a script that launches a
> new X session with my fake login program in a loop.  Kill the X server,
> the script just relaunches it.  Again, no way to tell if it's my hack or
> the real login server.

So don't allow running random garbage on different virtual consoles. 
Move the whole vt thing to the kernel and allow only root to mess with 
it. And make a keybinding to kill everything on a virtual console and 
respawn something configured by root. I believe this is the best we can 
do about this.

>>Basically we need something to kill everything that is running on the
>>current virtual terminal and respawn whatever there should be - that's a
>>better overall solution. (it would probably require login managers to
>>be spawned by init and not allocating consoles by themselves, but that
>>could be a good idea anyway)
> 
> And then we have a minor security hole in that a user can switch to some
> console another user might be using (but have locked) and kill
> everything running there.  (And, before you ask, it is possible to turn
> off the ctrl-alt-backspace to protect against this as well.)

And how does that differ from your proposal? Ctrl-Alt-Del to kill
everything and get a login screen? If we change this to open a new login
screen every time, we have a simple DoS attack, and if we set some maximum
number of open consoles we get back to the beginning (just made a little
more difficult).

>>Of course the problem is nonexistent if we log in with some kind of a
>>token (or any other device used only to log in, i.e. inaccessible to
>>nonroot programs).
> 
> Which is more expensive and difficult to set up than simply installing
> your OS and having its login system (relatively) secure by default.
> The more difficult it is to secure the machine by the administrator, the
> less likely it is to be secure.  Such login devices are already
> available, and high-security networks use them.  Login protections like
> we're discussing are more helpful for the average network, where special
> hardware is rare and software protections are about all you'll find.  We
> can't make them 100% secure, but we can help them be more secure than
> they were previously.

I know it's not an option for many small sites. It was just a general 
remark.

-- 
Regards,
Jakub Piotr Cłapa
