Alan Coopersmith Alan.Coopersmith at Sun.COM
Fri May 30 07:57:01 PDT 2008

Matthieu Herrb wrote:
> There's one drawback though: the main X server keeps the privilege of
> accessing the hardware directly, and it has been demonstrated (for
> instance by Loic Duflot at CanSecWest 2006) that this makes it possible
> for the X server to get kernel-level privileges (which is more than root
> privileges, at least in the BSD securelevels model).
> Hardware access definitely needs to be done in the kernel, with enough
> checks to make sure that malicious code injected in the X server (by
> exploiting a bug) can't easily abuse the drm interface to control the
> whole kernel.

Right - that's the model we have in Solaris on SPARC, which always had
in-kernel graphics drivers for all devices, and can run without ever
having uid 0 privileges (we still run it setgid 0 so it can do things
like power management & process priority boosting that the kernel
restricts to gid 0). Since gdm/xdm/dtlogin start the server as root,
we still use our setting pipe to drop to the user's uid at login.
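
The privilege drop described above (a server started as root by the display manager that gives up uid 0 once the user logs in) is the kind of step that is easy to get subtly wrong, so here is an added example of doing it carefully. This is illustration written for this page, not code from the X.Org or Solaris X server, and it assumes Linux/glibc (setresuid/getresuid and friends). It drops both uid and gid to whatever the caller passes; the Solaris model in the reply keeps gid 0, which with this function is simply a matter of the gid argument. The important points are the ordering (supplementary groups, then gid, then uid, because each step removes the ability to do the next) and the final check that root cannot be regained:

```c
/* drop_privs.c: added example, not the X.Org or Solaris X server's code.
 * Permanently drop a root-started process to an unprivileged uid/gid and
 * verify that the drop actually took.  Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if real, effective and saved ids all equal uid/gid, else 0.
 * Checking all three matters: a leftover saved uid 0 can be restored
 * with seteuid(0) later by any code running in the process. */
int ids_are(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Permanently drop to uid/gid.  Returns 0 on success, -1 (errno set) on
 * failure.  On failure the caller must abort; carrying on after a partial
 * drop is the classic mistake. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* 1. Supplementary groups.  Only uid 0 may change them, and a process
     *    started by root inherits root's list, so clear it while we can. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* 2. gid before uid: once uid 0 is gone, setresgid() to an arbitrary
     *    gid would fail with EPERM. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* 3. uid last, setting real, effective and saved together so no
     *    saved uid 0 survives. */
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* 4. Verify the result rather than trusting the return codes ... */
    if (!ids_are(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    /* ... and, when the target is unprivileged, confirm uid 0 cannot be
     *     regained: setuid(0) must now fail.  If it succeeds we are
     *     still effectively root and must not continue. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./drop_privs [uid gid]; defaults to the caller's own ids so
     * the code path can be exercised without running as root. */
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u gid=%u\n", (unsigned)uid, (unsigned)gid);
    return 0;
}
```

Run as root with a target such as the login user's uid and gid, the function leaves the process unable to get back to uid 0 even through a saved id; run as an ordinary user with no arguments it is a no-op drop to the caller's own ids, which is enough to exercise the checks.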

