Nouveau Becomes Friendly Towards Non-Root X Server

  • Nouveau Becomes Friendly Towards Non-Root X Server

    Phoronix: Nouveau Becomes Friendly Towards Non-Root X Server

    A few days ago I wrote about the Intel and Radeon drivers supporting the X.Org Server without root rights due to the DDX drivers adding support for server-managed FDs. That support has now been extended to cover the Nouveau driver too...

    http://www.phoronix.com/vr.php?view=MTY1Njk

  • #2
    It's already possible to run xorg non-root with nouveau. Intel is a problem last time I tried (about a month ago).

    I use sgid and sudo to make xorg run as nobody:video. This does require marking /dev/input/* as owned by :video. Furthermore, you need to disable MIT-SHM for QT apps to work. Finally, VT-switching does not work and keyboard input is dumped into the terminal (huge privacy issue). But it works.

    How does this make things better?


    • #3
      I wish this was done a decade or two ago...


      • #4
        Originally posted by Rexilion
        It's already possible to run xorg non-root with nouveau. Intel is a problem last time I tried (about a month ago).

        I use sgid and sudo to make xorg run as nobody:video. This does require marking /dev/input/* as owned by :video. Furthermore, you need to disable MIT-SHM for QT apps to work. Finally, VT-switching does not work and keyboard input is dumped into the terminal (huge privacy issue). But it works.

        How does this make things better?
        s/QT/Qt/


        • #5
          Originally posted by Rexilion
          It's already possible to run xorg non-root with nouveau. Intel is a problem last time I tried (about a month ago).

          I use sgid and sudo to make xorg run as nobody:video. This does require marking /dev/input/* as owned by :video. Furthermore, you need to disable MIT-SHM for QT apps to work. Finally, VT-switching does not work and keyboard input is dumped into the terminal (huge privacy issue). But it works.

          How does this make things better?
          By marking the input devices as being part of the video group, you allow any user in the video group to read/write to the input devices of other users. On a single user machine, this is still a problem because applications in an inactive session should not be able to read the input. Wayland also moves away from the overly permissive X11 input handling where applications can spy on all the input.

          The logind improvements allow for device handles to be passed as file descriptors to an active session. This means there's no need for a setuid binary or overly permissive device nodes. Adding users to groups like audio, video, storage, etc. on a desktop machine is redundant and weakens security compared to logind (and previously, consolekit).


          • #6
            Originally posted by strcat
            By marking the input devices as being part of the video group, you allow any user in the video group to read/write to the input devices of other users. On a single user machine, this is still a problem because applications in an inactive session should not be able to read the input. Wayland also moves away from the overly permissive X11 input handling where applications can spy on all the input.
            Video group does not have any users. Xorg binary is marked sgid with group video. It runs as user nobody.

            So, unless Xorg itself is compromised no application can 'maliciously' read my passwords.

            Originally posted by strcat
            The logind improvements allow for device handles to be passed as file descriptors to an active session. This means there's no need for a setuid binary or overly permissive device nodes. Adding users to groups like audio, video, storage, etc. on a desktop machine is redundant and weakens security compared to logind (and previously, consolekit).
            Yeah, that would be better. But for the single user case which I described above, not a direct improvement.


            • #7
              Originally posted by Rexilion
              Video group does not have any users. Xorg binary is marked sgid with group video. It runs as user nobody.
              The nobody user is a bit dangerous, since any other processes running as nobody will be able to mess with it (although ptrace_scope=1 closes the very obvious holes).

              Originally posted by Rexilion
              Yeah, that would be better. But for the single user case which I described above, not a direct improvement.
              Unless the user has multiple sessions, like being logged in at another VT. Either way, compromising X is quite trivial and that's why having it still running as root in 2014 is disturbing. It's a very large pile of mostly crufty code, and many security holes are found whenever someone reviews/audits it.


              • #8
                Originally posted by strcat
                The nobody user is a bit dangerous, since any other processes running as nobody will be able to mess with it (although ptrace_scope=1 closes the very obvious holes).
                Xorg binary is not owned by nobody. I use sudo to start the root owned binary as nobody.

                Originally posted by strcat
                Unless the user has multiple sessions, like being logged in at another VT. Either way, compromising X is quite trivial and that's why having it still running as root in 2014 is disturbing. It's a very large pile of mostly crufty code, and many security holes are found whenever someone reviews/audits it.
                That still is a problem if it were to run under the same user who logs in or using the method I have applied right here.

                I think it's even safer to have it run as nobody:video rather than user:user since this will not allow one to tamper with user docs/files.


                • #9
                  Originally posted by Rexilion
                  Xorg binary is not owned by nobody. I use sudo to start the root owned binary as nobody.
                  I'm talking about the process running as nobody. Any other process running as nobody such as a compromised service can ptrace it (or do similar stuff). This is how applications like gdb attach to processes that are already running as the same user.

                  I think it's even safer to have it run as nobody:video rather than user:user since this will not allow one to tamper with user docs/files.
                  You're missing that you expose the X server to all other processes running as nobody. A compromise of the server is certainly close to the same thing as a compromise of your user account since it has access to all of the video and input devices, along with a lot of control over the connected X11 applications.


                  • #10
                    Creating a specific user for this task would be alright, but making use of nobody is bad practice since it's insecure as soon as you use it for more than one thing.

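The conditions debated in posts #5, #9 and #10 (group-accessible input nodes, an X server sharing a UID with unrelated processes, and the Yama `ptrace_scope` setting) can be checked mechanically. The sketch below is an added example, not code from any poster or from the X.Org or Nouveau projects. It runs over constructed records; the numeric ids (65534 for nobody, 44 for video), the `dnsmasq` peer process and the finding codes are assumptions made for illustration.

```python
import stat

# Constructed sample host, modelled on the setup described in post #2.
# Tuples are (pid, uid, comm); uid 65534 stands for "nobody" (an assumption;
# the numeric id varies by distribution).
PROCS = [(812, 65534, "Xorg"), (640, 65534, "dnsmasq"), (1001, 1000, "bash")]
# Tuples are (path, st_mode, gid); gid 44 stands for "video" (assumed).
NODES = [
    ("/dev/input/event3", stat.S_IFCHR | 0o660, 44),
    ("/dev/input/mice", stat.S_IFCHR | 0o600, 0),
    ("/dev/dri/card0", stat.S_IFCHR | 0o660, 44),
]


def audit(procs, nodes, ptrace_scope, server="Xorg"):
    """Return (code, detail) findings for the risks raised in the thread."""
    findings = []
    for pid, uid, comm in procs:
        if comm != server:
            continue
        if uid == 0:
            findings.append(("ROOT_SERVER", f"{comm}[{pid}] runs as root"))
            continue
        # Any other process with the same uid is a peer of the server.
        peers = sorted(c for p, u, c in procs if u == uid and p != pid)
        if peers:
            yama = ("no Yama restriction on same-uid attach"
                    if ptrace_scope == 0 else "Yama restricts attach")
            findings.append(("SHARED_UID",
                             f"{comm}[{pid}] shares uid {uid} with "
                             f"{', '.join(peers)}; {yama}"))
    for path, mode, gid in nodes:
        if not path.startswith("/dev/input/"):
            continue  # only input nodes carry keystrokes
        perms = stat.S_IMODE(mode)
        if perms & 0o006:
            findings.append(("WORLD_INPUT", f"{path} mode {perms:o}"))
        elif perms & 0o060 and gid != 0:
            findings.append(("GROUP_INPUT",
                             f"{path} mode {perms:o} open to gid {gid}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(PROCS, NODES, ptrace_scope=0):
        print(f"{code}: {detail}")
```

On a live system the same tuples would come from `/proc/<pid>/status`, `os.stat()` on the device nodes, and `/proc/sys/kernel/yama/ptrace_scope`.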