matthieu.herrb at laas.fr
Thu May 29 23:08:46 PDT 2008
Alan Coopersmith wrote:
> Dave Airlie wrote:
>> Running the X server as the user is in our upcoming plans for Fedora.
>> There is a lot of things that need fixing before this can happen in
>> the drivers.
> Right - the Solaris solution starts the X server as root, and after all
> the hardware is initialized/opened, and the login screen is displayed,
> and the user logs in, it then setuid()'s Xorg to run as the user for the
> rest of the session. (I think the addition of VT support in Solaris is
> going to make us setuid back to root and then back to the user around VT
> switches, but haven't confirmed that.)
That's similar to what I've done on OpenBSD with the privilege
separation patch: the X server starts as root, does all the things that
need root privileges as early as possible, forks a child process which
keeps root privs then switches to a regular user (the one who started X
in the startx case, a dedicated '_x11' user in the xdm case).
The X server communicates with the privileged child through a pipe and
the child executes a small command loop which only allow very restricted
operations that need privileges for VT switching mostly.
We've started extending this approach to handle the needs of dri (there
are a couple more privileged operations there) too.
There's one drawback though: the main X server keeps the privilege of
accessing the hardware directly, and it has been demonstrated (for
instance by Loic Duflot at CanSecWest 2006) that this makes it possible
for the X server to get kernel-level privileges (which is more than root
privileges, at least in the BSD securelevels model).
Hardware access definatly needs to be done in the kernel, with enough
checks to make sure that a malicious code injected in the X server (by
exploiting a bug) can't easily abuse the drm interface to control the
More information about the xorg