Announcement

Collapse
No announcement yet.

Fedora Rawhide Can Now Run The X.Org Server Without Root Rights

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Fedora Rawhide Can Now Run The X.Org Server Without Root Rights

    Phoronix: Fedora Rawhide Can Now Run The X.Org Server Without Root Rights

    Following a lot of work by Hans de Goede at Red Hat, Fedora Rawhide now supports running the X.Org Server without root rights...

    http://www.phoronix.com/vr.php?view=MTcyMTE

  • #2
    Following a lot of work by Hans de Goede at Red Hat, Fedora Rawhide now supports running the X.Org Server without root rights.

    Hans de Goede has worked out a suid root wrapper script followed by making the Intel and Radeon and Nouveau DDX along with xf86-video-modesetting work with server-managed file descriptors for allowing the X.Org Server not running with root rights.

    In order to run the X.Org Server without root rights, a kernel mode-setting (KMS) driver has to be used but any driver still doing user-space mode-setting will fall back to running the xorg-server with root privileges.

    Those wishing to learn more about this X.Org Server work that's making its way into Fedora 21, read this blog post with information to test it out.p

    For some reason the linked blog refuses to load for me; keeps getting timeouts.

    Is this fallback done automatically, like a simple

    Code:
    if (driver == i915 || radeon || radeonsi || nouveau || <insert KMS-capable driver>)
    runRootless;
    
    else
    runWithRoot
    or does it require the user to tell X to run root or rootless?

    Comment


    • #3
      Yes, if using "needs_root_rights = auto" /etc/X11/Xwrapper.config. But this only works for non-graphical login and is thus not enabled by default yet - so this new article is a bit early. It only works in the case you manually configure it, then run startx in a VT...

      Comment


      • #4
        Originally posted by Sonadow View Post
        For some reason the linked blog refuses to load for me; keeps getting timeouts.

        Is this fallback done automatically, like a simple

        Code:
        if (driver == i915 || radeon || radeonsi || nouveau || <insert KMS-capable driver>)
        runRootless;
        
        else
        runWithRoot
        or does it require the user to tell X to run root or rootless?
        What @jonnor already said.

        That code require display managers to handle some tasks, which where handled by X thus fur. So there is more development needed for it to work in graphical mode.

        Comment


        • #5
          Finally

          Finally! About time!
          I wish this was made a decade or two ago!
          Quite embarrassing that we got this so late.

          I hope other distributions follow up on this too!

          Comment


          • #6
            Can run without root rights from command line in Ubuntu

            Can run without root rights from command line in Ubuntu, but hardware acceleration in r600 does not work due to a libGL permissions issue. Still, I can use startx from a user login on the console and get to an LLVMpipe Cinnamon session in my normal user account, which is a real gamechanger in recovering from a problem with Lightdm.

            Comment


            • #7
              Originally posted by Luke View Post
              Can run without root rights from command line in Ubuntu, but hardware acceleration in r600 does not work due to a libGL permissions issue. Still, I can use startx from a user login on the console and get to an LLVMpipe Cinnamon session in my normal user account, which is a real gamechanger in recovering from a problem with Lightdm.
              at least on fedora, you need to add that user to group video.

              i was testing standalone sandoboxed xbmc session and noticed that if user is not in video group, driver reverts to unaccelerated

              as far as rootless x.org. Awesome!!! ... ??? ... ohhh, wait we're past 1999. now all i wait is wayland

              Comment


              • #8
                Awesome.
                Now having nVidia drivers with KMS support really becomes pressing. Even without Wayland, running X in user space is a real security progress.

                Comment


                • #9
                  Video group works in Ubuntu too, but can't find sound card

                  Originally posted by justmy2cents View Post
                  at least on fedora, you need to add that user to group video.

                  i was testing standalone sandoboxed xbmc session and noticed that if user is not in video group, driver reverts to unaccelerated

                  as far as rootless x.org. Awesome!!! ... ??? ... ohhh, wait we're past 1999. now all i wait is wayland
                  OK, that worked and I can now use HW acceleration in a user X session. Two bugs remain: the sound card is not found, and Nemo loses track of where desktop icons belong. I haven't tried moving those icons back to their normal positions yet, as a write of those changes might kill whatever file their positions are stored in when using lightdm, a common bug after things like recovering from a late mount of /home/. If I can fix the sound issue and get those icon positions remembered, I will seek a way to routinely run the X session as a normal user. Possibly an autologin on console and a script as a display manager? These are single-user machines with only one user account plus root, so the security issues of multi-user machines do not apply. Would be really funny if some online attacker tried to use a browser exploit to get the priviliges X is running under, only to find those to be normal user priviliges...

                  Comment


                  • #10
                    Originally posted by przemoli View Post
                    What @jonnor already said.

                    That code require display managers to handle some tasks, which where handled by X thus fur. So there is more development needed for it to work in graphical mode.
                    It's not clear why the display manager would need to be root in order to be session controller. It seems as though this would all be arbitrated by logind (as the device nodes are).
                    Yeah, the display managers need to grow the code to hook into loginds new api, but once that happens why would *dm need to be root?

                    Comment


                    • #11
                      Originally posted by omer666 View Post
                      Awesome.
                      Now having nVidia drivers with KMS support really becomes pressing. Even without Wayland, running X in user space is a real security progress.
                      X always ran in user space. This step involves remove root rights and driver aperture.
                      Last edited by rmiller; 06-16-2014, 05:43 PM.

                      Comment


                      • #12
                        Originally posted by Luke View Post
                        OK, that worked and I can now use HW acceleration in a user X session. Two bugs remain: the sound card is not found, and Nemo loses track of where desktop icons belong. I haven't tried moving those icons back to their normal positions yet, as a write of those changes might kill whatever file their positions are stored in when using lightdm, a common bug after things like recovering from a late mount of /home/. If I can fix the sound issue and get those icon positions remembered, I will seek a way to routinely run the X session as a normal user. Possibly an autologin on console and a script as a display manager? These are single-user machines with only one user account plus root, so the security issues of multi-user machines do not apply. Would be really funny if some online attacker tried to use a browser exploit to get the priviliges X is running under, only to find those to be normal user priviliges...
                        if i remember correctly... same thing for sound. it has to be in pulse (or some other) group. just currious, are you running 2 sessions of same desktop and same user? that probably wouldn't be advised since you can move the floor of another (changing configurations and so on)

                        also, if you plan doing that from script and locked user, then you can probably just invoke "su - youruser -c startx /usr/bin/whateveryourun"

                        this is how i made my self 2nd sandboxed session for xbmc on my game machine

                        Comment


                        • #13
                          Already in Audio group, still no sound

                          Originally posted by justmy2cents View Post
                          if i remember correctly... same thing for sound. it has to be in pulse (or some other) group. just currious, are you running 2 sessions of same desktop and same user? that probably wouldn't be advised since you can move the floor of another (changing configurations and so on)

                          also, if you plan doing that from script and locked user, then you can probably just invoke "su - youruser -c startx /usr/bin/whateveryourun"

                          this is how i made my self 2nd sandboxed session for xbmc on my game machine
                          One session at a time only, also not using pulseaudio for performance reasons, hardware mixer available. Using systemd, maybe logind could be used for an autologin on tty7 with my Cinnamon session then opening there? The sound issue is that the sound card is not found at all, audio group or not. Also there are network management issues affecting only making new connections, something that came up today while setting up a machine for someone with a buggy graphics card and lightdm giving a black screen. X would come up manually from the console, but I had to get a lightdm session to work in order to hook to their network over wifi. Even startx as root didn't allow connection, only a lightdm initiated session permitted new connections, which once made always work no matter how X is started.

                          Comment


                          • #14
                            Originally posted by Luke View Post
                            One session at a time only, also not using pulseaudio for performance reasons, hardware mixer available. Using systemd, maybe logind could be used for an autologin on tty7 with my Cinnamon session then opening there? The sound issue is that the sound card is not found at all, audio group or not. Also there are network management issues affecting only making new connections, something that came up today while setting up a machine for someone with a buggy graphics card and lightdm giving a black screen. X would come up manually from the console, but I had to get a lightdm session to work in order to hook to their network over wifi. Even startx as root didn't allow connection, only a lightdm initiated session permitted new connections, which once made always work no matter how X is started.
                            seriously, i only saw strange things like that on faulty hw or completely fscked up system.

                            still, you could check soundcard presence in hardware trough udev, then checking device permissions. sometimes if you don't see hw...

                            Comment


                            • #15
                              Originally posted by rmiller View Post
                              X always ran in user space. This step involves remove root rights and driver aperture.
                              Oops sorry I mixed up, you're right.

                              Comment

                              Working...
                              X