Tweet
When testing out a patchset on 2.6.38, I noticed that neither the xorg server nor the intel drivers seemed to be using the ioctls which (IIRC) were one of the main stumbling blocks to running X without root permissions, so I actually tried it for the first time in well over a year, and lo and behold, it works! (albiet after some permissions wrangling...)
This is something I've been waiting on since KMS went mainline (as have others here I think), but pretty much gave up on seeing it 'cause non of the devs seemed to consider it a priority, just searched now and the last post to a major thread about it here was just about 11 months ago.
Anyways, onto specifics, for those interested; while it "worked", there are permissions changes needed to get everything working as good as with SUID Xorg:
Without root perms, the Xorg server needs write access to /var/log
There is a -logfile option for Xorg specify an alternate log file in a user-writable location, but it needs to be run with uid 0 (ie as root) to use it... (
)
A very simple patch to xorg-server removed this uid 0 check for -logfile, so that's that one out of the way.
The server also needs root access to the tty node for the virtual console X will be running on, I use my own script to start X at boot without a display manager, so an easy fix for me with a chgrp and chmod, not a perfect solution though and I have no idea how to deal with it with xdm/gdm/kdm or similar...
Input devices of course, xorg needs read (and write?) perms for this, simple fix with some udev rules for the event/mouse class devices, may be trickier if not using the evdev input driver though.
Needs access to the acpid socket, another simple fix, acpid itself has --socketgroup and --socketmode options.
The only thing left to deal with is no write permissions on/sys/class/backlight/acpi_video0/brightness, needed for backlight adjusting via xbacklight and similar, a minor kernel patch will solve that, although again not the perfect solution...
Only two things left in the logs then;
"LoadKernelModule: Setting of real/effective user Id to 0/0 failed", which AFAICT is meaningless, any kernel modules needed are compiled in, may be related to a "fbcon module not found" or similar warning I used to see...
And finally, "(WW) intel(0): drmSetMaster failed: Permission denied" & "(WW) intel(0): drmDropMaster failed: Permission denied", near as I can tell it has something to do with vt switching, but I've observed no negative affects from this, so /me shrugs...
As to the permissions changes (before you all start yelling at me) on the tty, input dev nodes and acpid socket, what I actually did was create a dedicated "xserver" group, made those dev nodes and socket owned and readable/writable by that group, then made the Xorg binary owned by that group too and made it 'SGID';
and ps -AF output;
Everything is working perfectly so far, glxgears and xv video apps too.
I know the meego devs were working on this, but I had the impression the work wasn't going upstream...
I can post the udev rules and xorg-server patch if anyone wants, and I'm gonna try it on my radeon desktop in a bit too (see if it's intel specific or not), so there you go... finally.
tldr; anyone know when the hell Xorg started working without root permissions and why the hell didn't anybody tell me? :P
This is something I've been waiting on since KMS went mainline (as have others here I think), but pretty much gave up on seeing it 'cause non of the devs seemed to consider it a priority, just searched now and the last post to a major thread about it here was just about 11 months ago.
Anyways, onto specifics, for those interested; while it "worked", there are permissions changes needed to get everything working as good as with SUID Xorg:
Without root perms, the Xorg server needs write access to /var/log
There is a -logfile option for Xorg specify an alternate log file in a user-writable location, but it needs to be run with uid 0 (ie as root) to use it... (
)A very simple patch to xorg-server removed this uid 0 check for -logfile, so that's that one out of the way.
The server also needs root access to the tty node for the virtual console X will be running on, I use my own script to start X at boot without a display manager, so an easy fix for me with a chgrp and chmod, not a perfect solution though and I have no idea how to deal with it with xdm/gdm/kdm or similar...
Input devices of course, xorg needs read (and write?) perms for this, simple fix with some udev rules for the event/mouse class devices, may be trickier if not using the evdev input driver though.
Needs access to the acpid socket, another simple fix, acpid itself has --socketgroup and --socketmode options.
The only thing left to deal with is no write permissions on/sys/class/backlight/acpi_video0/brightness, needed for backlight adjusting via xbacklight and similar, a minor kernel patch will solve that, although again not the perfect solution...
Only two things left in the logs then;
"LoadKernelModule: Setting of real/effective user Id to 0/0 failed", which AFAICT is meaningless, any kernel modules needed are compiled in, may be related to a "fbcon module not found" or similar warning I used to see...
And finally, "(WW) intel(0): drmSetMaster failed: Permission denied" & "(WW) intel(0): drmDropMaster failed: Permission denied", near as I can tell it has something to do with vt switching, but I've observed no negative affects from this, so /me shrugs...
As to the permissions changes (before you all start yelling at me) on the tty, input dev nodes and acpid socket, what I actually did was create a dedicated "xserver" group, made those dev nodes and socket owned and readable/writable by that group, then made the Xorg binary owned by that group too and made it 'SGID';
Code:
sadako@arisu ~ $ ls -l /usr/local/bin/Xorg-uid -rwx--s--x 1 root xserver 2149744 Apr 18 17:45 /usr/local/bin/Xorg-uid
Code:
sadako 1332 1 0 3952 956 0 13:22 ? 00:00:00 xinit /home/sadako/.xinitrc -- /usr/local/bin/Xorg-uid vt5 -deferglyphs 16 -logfile /tmp/sadako/Xorg:0.log sadako 1335 1332 2 28786 17812 0 13:22 tty5 00:01:16 /usr/local/bin/Xorg-uid :0 vt5 -deferglyphs 16 -logfile /tmp/sadako/.Xorg:0.log
I know the meego devs were working on this, but I had the impression the work wasn't going upstream...
I can post the udev rules and xorg-server patch if anyone wants, and I'm gonna try it on my radeon desktop in a bit too (see if it's intel specific or not), so there you go... finally.
tldr; anyone know when the hell Xorg started working without root permissions and why the hell didn't anybody tell me? :P
Comment