Thread: Fedora Rawhide Can Now Run The X.Org Server Without Root Rights

  1. #1
    Join Date
    Jan 2007
    Posts
    14,770

    Fedora Rawhide Can Now Run The X.Org Server Without Root Rights

    Phoronix: Fedora Rawhide Can Now Run The X.Org Server Without Root Rights

    Following a lot of work by Hans de Goede at Red Hat, Fedora Rawhide now supports running the X.Org Server without root rights...

    http://www.phoronix.com/vr.php?view=MTcyMTE

  2. #2
    Join Date
    Jun 2009
    Posts
    550

    Following a lot of work by Hans de Goede at Red Hat, Fedora Rawhide now supports running the X.Org Server without root rights.

    Hans de Goede has worked out a suid root wrapper script followed by making the Intel and Radeon and Nouveau DDX along with xf86-video-modesetting work with server-managed file descriptors for allowing the X.Org Server not running with root rights.

    In order to run the X.Org Server without root rights, a kernel mode-setting (KMS) driver has to be used but any driver still doing user-space mode-setting will fall back to running the xorg-server with root privileges.

    Those wishing to learn more about this X.Org Server work that's making its way into Fedora 21, read this blog post with information to test it out.

    For some reason the linked blog refuses to load for me; keeps getting timeouts.

    Is this fallback done automatically, like a simple

    Code:
    if (driver == i915 || driver == radeon || driver == radeonsi || driver == nouveau || driver == <insert KMS-capable driver>)
        runRootless;
    else
        runWithRoot;

    or does it require the user to tell X to run root or rootless?

  3. #3
    Join Date
    Apr 2010
    Location
    Oslo
    Posts
    53

    Yes, if using "needs_root_rights = auto" in /etc/X11/Xwrapper.config. But this only works for non-graphical login and is thus not enabled by default yet - so this new article is a bit early. It only works in the case you manually configure it, then run startx in a VT...
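
The fallback asked about in post #2 and the `needs_root_rights` setting named in post #3, modelled as an added example (not code from the posters or from the X.Org wrapper), with a check of the effective UID a running server ended up with. Assumptions: `key = value` lines with `#` comments, the values `yes`/`no`/`auto`, a caller-supplied default for a missing key, and constructed sample inputs.

```python
# Added example: models the needs_root_rights decision and verifies the outcome.
# Assumptions: 'key = value' lines, '#' starts a comment, values yes/no/auto,
# and a missing key falls back to the caller-supplied default.

def parse_xwrapper_config(text):
    """Return {key: value} for every 'key = value' line in the config text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        settings[key] = value
    return settings


def x_needs_root(config_text, kms_available, default="yes"):
    """True if the server would keep root rights, False if it would drop them."""
    mode = parse_xwrapper_config(config_text).get("needs_root_rights", default)
    if mode == "yes":
        return True
    if mode == "no":
        return False
    if mode == "auto":
        # KMS driver: rootless. User-space mode-setting: fall back to root.
        return not kms_available
    raise ValueError(f"unknown needs_root_rights value: {mode!r}")


def effective_uid(proc_status_text):
    """Extract the effective UID from the text of /proc/<pid>/status."""
    for line in proc_status_text.splitlines():
        if line.startswith("Uid:"):
            # Fields after the label: real, effective, saved, filesystem
            return int(line.split()[2])
    raise ValueError("no Uid: line found")


# Constructed samples, not taken from a real system.
SAMPLE_CONFIG = "# constructed sample\nallowed_users = console\nneeds_root_rights = auto\n"
SAMPLE_STATUS = "Name:\tXorg\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"

if __name__ == "__main__":
    for kms in (True, False):
        result = "root" if x_needs_root(SAMPLE_CONFIG, kms) else "rootless"
        print("KMS driver" if kms else "UMS driver", "->", result)
    print("Xorg effective uid:", effective_uid(SAMPLE_STATUS))
```

An effective UID of 0 in the status text of the running Xorg process means the server kept root rights regardless of what the configuration asked for.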

  4. #4
    Join Date
    Sep 2010
    Posts
    683

    Quote Originally Posted by Sonadow View Post
    For some reason the linked blog refuses to load for me; keeps getting timeouts.

    Is this fallback done automatically, like a simple

    Code:
    if (driver == i915 || driver == radeon || driver == radeonsi || driver == nouveau || driver == <insert KMS-capable driver>)
        runRootless;
    else
        runWithRoot;

    or does it require the user to tell X to run root or rootless?

    What @jonnor already said.

    That code requires display managers to handle some tasks, which were handled by X thus far. So there is more development needed for it to work in graphical mode.

  5. #5
    Join Date
    Dec 2011
    Posts
    2,046

    Finally

    Finally! About time!
    I wish this was made a decade or two ago!
    Quite embarrassing that we got this so late.

    I hope other distributions follow up on this too!

  6. #6
    Join Date
    May 2013
    Posts
    533

    Can run without root rights from command line in Ubuntu

    Can run without root rights from command line in Ubuntu, but hardware acceleration in r600 does not work due to a libGL permissions issue. Still, I can use startx from a user login on the console and get to an LLVMpipe Cinnamon session in my normal user account, which is a real gamechanger in recovering from a problem with Lightdm.

  7. #7
    Join Date
    Oct 2013
    Posts
    400

    Quote Originally Posted by Luke View Post
    Can run without root rights from command line in Ubuntu, but hardware acceleration in r600 does not work due to a libGL permissions issue. Still, I can use startx from a user login on the console and get to an LLVMpipe Cinnamon session in my normal user account, which is a real gamechanger in recovering from a problem with Lightdm.
    at least on fedora, you need to add that user to group video.

    i was testing standalone sandboxed xbmc session and noticed that if user is not in video group, driver reverts to unaccelerated

    as far as rootless x.org. Awesome!!! ... ??? ... ohhh, wait we're past 1999. now all i wait is wayland

  8. #8
    Join Date
    Jan 2013
    Posts
    54

    Awesome.
    Now having nVidia drivers with KMS support really becomes pressing. Even without Wayland, running X in user space is a real security progress.

  9. #9
    Join Date
    May 2013
    Posts
    533

    Video group works in Ubuntu too, but can't find sound card

    Quote Originally Posted by justmy2cents View Post
    at least on fedora, you need to add that user to group video.

    i was testing standalone sandboxed xbmc session and noticed that if user is not in video group, driver reverts to unaccelerated

    as far as rootless x.org. Awesome!!! ... ??? ... ohhh, wait we're past 1999. now all i wait is wayland

    OK, that worked and I can now use HW acceleration in a user X session. Two bugs remain: the sound card is not found, and Nemo loses track of where desktop icons belong. I haven't tried moving those icons back to their normal positions yet, as a write of those changes might kill whatever file their positions are stored in when using lightdm, a common bug after things like recovering from a late mount of /home/. If I can fix the sound issue and get those icon positions remembered, I will seek a way to routinely run the X session as a normal user. Possibly an autologin on console and a script as a display manager? These are single-user machines with only one user account plus root, so the security issues of multi-user machines do not apply. Would be really funny if some online attacker tried to use a browser exploit to get the privileges X is running under, only to find those to be normal user privileges...

  10. #10
    Join Date
    Jan 2009
    Posts
    1,401

    Quote Originally Posted by przemoli View Post
    What @jonnor already said.

    That code requires display managers to handle some tasks, which were handled by X thus far. So there is more development needed for it to work in graphical mode.

    It's not clear why the display manager would need to be root in order to be session controller. It seems as though this would all be arbitrated by logind (as the device nodes are).
    Yeah, the display managers need to grow the code to hook into logind's new API, but once that happens why would *dm need to be root?
