EMGD-Community / intel-binaries-linux

Binaries and source code published by Intel®
https://thopiekar.eu:5443/EMGD
Other
37 stars 11 forks source link

Better rootless X.Org recommendations? #49

Open James-E-A opened 6 years ago

James-E-A commented 6 years ago

Looking at Pull #41 (and d7c71d2c83eb1f55ba1e82ac2a77e6bbc66b9a2d specifically), I see that the solution recommended involves allowing any user "allowed" to use X full access to the TTYs as well as input devices.

This means that, on a multi-user system, you have to give all GUI users a pretty severe amount of trust, that they don't set a daemon or anything to snoop on input devices, or even spoof someone who's trying to use a physical TTY.

Now, obviously, most of the situations like this are pretty obscure. Most users on the same system trust each other!

But doesn't Xorg itself have some kind of features built-in, where it can be used with setuid and security implications are already, intentionally considered?

For instance, on my machine, just

chgrp -v users /usr/bin/Xorg
chmod -v 4754 /usr/bin/Xorg

Allows anyone in the users group to use startx or xinit, and is presumably mediated by code within X.Org (and also has the added benefit of being persistent across reboots without worrying about startup files)

thopiekar commented 6 years ago

Well, could be that the upstream package of the xserver comes with new systemd rules or whatever. What I would worry about more is to get EMGD and all its dependencies working again for newer Linux kernels and distributions. Compared to the needed patches, which might be needed for the DRM code, this is only a nit pick. But feel free to fix that. The solution is most likely on the latest packages, I guess.