
Moblin 2.0 To Not Run X Server As Root


  • Moblin 2.0 To Not Run X Server As Root

    Phoronix: Moblin 2.0 To Not Run X Server As Root

    Intel's Arjan van de Ven has fired off an email letting us know that Moblin 2.0 will have its X Server running without root privileges. The first feature of their new "Moblin Secure X project" is to integrate NRX technology, which we take to mean "No-Root X" and is described as "NRX is a set of OS changes and patches that makes it possible to no longer run the X server as the privileged 'root' user." Just last week we reported on a root-less X Server nearing reality. Traditionally the X Server has been run as root so that it can communicate directly with the graphics hardware, but with the mainlining of kernel mode-setting, it's now easily possible to run the X Server without root privileges...

    http://www.phoronix.com/vr.php?view=NzM3NA

  • #2
    I wouldn't be surprised if this is just to make sure that ion chips can't run moblin....



    • #3
      well, that's nvidia's fault! their problem. perhaps sometimes they realize that they *have* to give out docs and open their driver (hehe hope for more pressure for chrome os).



      • #4
        seems that for every improvement made to linux there's always someone paranoid....

        breaking the binary nvidia driver is easy, if that were the objective, that doesn't need something as complex as the whole non-root-X work. It's not the objective.

        The objective is a real improvement to the Linux security model.
        With all the work done in the X stack over the last two years,
        running X no longer as root is finally possible. That is great
        progress if you ask me.

        Lordmozilla: if you want to run some binary driver just put the setuid bit back on.. that's one shell command.



        • #5
          What I really dislike with moblin is that the default X is compiled just to break nvidia. The instruction to enable it requires X recompilation, that's really crap. Vbox + Nvidia drivers should compile and work without extra work.



          • #6
            Kano: I'm sorry but you're very wrong.
            Moblin X is not compiled "just to break nvidia".

            I don't know if the nvidia binary stuff works out of the box or not; I'm personally not interested in machines with nvidia hardware. But to try to say that Moblin deliberately compiles X to break that... No.



            • #7
              Then tell me why xinerama is disabled by default? Nvidia binary expects that to be enabled.



              • #8
                Originally posted by arjan_intel:
                seems that for every improvement made to linux there's always someone paranoid....

                breaking the binary nvidia driver is easy, if that were the objective, that doesn't need something as complex as the whole non-root-X work. It's not the objective.

                The objective is a real improvement to the Linux security model.
                With all the work done in the X stack over the last two years,
                running X no longer as root is finally possible. That is great
                progress if you ask me.

                Lordmozilla: if you want to run some binary driver just put the setuid bit back on.. that's one shell command.
                If it is required at all ... afaik the driver just needs access to /dev/nvidia*



                • #9
                  Originally posted by arjan_intel:
                  seems that for every improvement made to linux there's always someone paranoid....

                  breaking the binary nvidia driver is easy, if that were the objective, that doesn't need something as complex as the whole non-root-X work. It's not the objective.

                  The objective is a real improvement to the Linux security model.
                  With all the work done in the X stack over the last two years,
                  running X no longer as root is finally possible. That is great
                  progress if you ask me.

                  Lordmozilla: if you want to run some binary driver just put the setuid bit back on.. that's one shell command.
                  It was a snarky comment. I know rootless X is a great thing and that it's easy to break the nvidia binary....

                  Incidentally the binary already breaks because they build xorg without xinerama on moblin. I'd guess it's to speed up start times since with recompiled xorg I found mine started a little slower, but then again I didn't time it.

                  Kano, recompile the src.rpm with xinerama, it's not hard. I show how on my site www.madeo.co.uk



                  • #10
                    Why should I recompile it? That's a wrong design decision to disable it by default.



                    • #11
                      Originally posted by Kano:
                      Why should I recompile it? That's a wrong design decision to disable it by default.
                      Why should an open source project, mainly driven by Intel but now run by the Linux Foundation and open to community contributions, care about closed source drivers of other vendors?

                      It's like asking me for the keys of my car without even giving me yours...



                      • #12
                        Originally posted by Kano:
                        Then tell me why xinerama is disabled by default? Nvidia binary expects that to be enabled.
                        We don't use xinerama. XRANDR has replaced that for years now.

                        NVIDIA can make a driver that works without xinerama; I suspect this is just a bug on their side. But why would we add code size, startup time and the security risk of unused code ??



                        • #13
                          I don't think that Nv will create a moblin specific driver. Did you try vboxvideo with moblin?



                          • #14
                            something tells me that if intel were really just trying to create a distro that was inoperable with hardware other than their own they wouldn't have handed the project over to the FSF, who can realistically add support for completely non-intel platforms like tegra....

                            doesn't really add up to me.



                            • #15
                              Originally posted by Kano:
                              I don't think that Nv will create a moblin specific driver.
                              Arjan is pretty obviously not suggesting a "moblin specific driver", but a general driver that also works on Moblin. On the other hand, you're suggesting that code should be added to Moblin specifically to support Nvidia's driver - added to an OS that is targeted at devices in which Linux-supported Nvidia GPUs have almost no market share.

                              Originally posted by AdrenalineJunky:
                              something tells me that if intel were really just trying to create a distro that was inoperable with hardware other than their own they wouldn't have handed the project over to the FSF, who can realistically add support for completely non-intel platforms like tegra....
                              I wouldn't hold out for Tegra support any time soon. The Zune HD is apparently the first big Tegra design win, and Nvidia folks have accordingly been making very pro-WinCE and anti-Linux noises.

                              By the way, the turnover was to the Linux Foundation, not the FSF.
