SDTLOGIN interface

[Matthieu Herrb]

Alan Coopersmith wrote:
> Dave Airlie wrote:
>> Running the X server as the user is in our upcoming plans for Fedora.
>> There is a lot of things that need fixing before this can happen in
>> the drivers.
> 
> Right - the Solaris solution starts the X server as root, and after all
> the hardware is initialized/opened, and the login screen is displayed,
> and the user logs in, it then setuid()'s Xorg to run as the user for the
> rest of the session.   (I think the addition of VT support in Solaris is
> going to make us setuid back to root and then back to the user around VT
> switches, but haven't confirmed that.)
> 
That's similar to what I've done on OpenBSD with the privilege 
separation patch: the X server starts as root, does all the things that 
need root privileges as early as possible, forks a child process which 
keeps root privs then switches to a regular user (the one who started X 
in the startx case, a dedicated '_x11' user in the xdm case).

The X server communicates with the privileged child through a pipe and 
the child executes a small command loop which only allow very restricted 
  operations that need privileges for VT switching mostly.

We've started extending this approach to handle the needs of dri (there 
are a couple more privileged operations there) too.

There's one drawback though: the main X server keeps the privilege of 
accessing the hardware directly, and it has been demonstrated (for 
instance by Loic Duflot at CanSecWest 2006) that this makes it possible 
for the X server to get kernel-level privileges (which is more than root 
privileges, at least in the BSD securelevels model).

Hardware access definatly needs to be done in the kernel, with enough 
checks to make sure that a malicious code injected in the X server (by 
exploiting a bug) can't easily abuse the drm interface to control the 
whole kernel.
-- 
Matthieu Herrb