Intel, Radeon Drivers Become Friendly With Non-Root X Server
Improvements have now landed in the Intel and Radeon X.Org drivers that better allow the X.Org Server to run without root privileges.
Last month we wrote about Red Hat working on a suid root wrapper for the X.Org Server and other improvements being led by Red Hat's Hans de Goede to run Xorg in more configurations without needing root privileges. As part of this, server-managed file descriptors (FDs) are one of the changes needed in the X.Org graphics drivers to support running the xorg-server without root rights. Besides changes to the DDX drivers and the X.Org Server (those changes are landing with X.Org Server 1.16 this summer), systemd-logind is also needed.
In March the changes landed in xf86-video-intel for supporting the Intel driver in this new, more-secure world, per this commit. "In the post-modern world, the platform device nodes are handed to a non-privileged Xserver by systemd/logind. We can then query the core for our assigned fd rather than try to open the device for ourselves (which would fail when trying to obtain DRM_MASTER status). A consequence is that we then do not directly control DRM_MASTER status and must act as a delegate of systemd."
Following that, the similar server-managed FD change also landed within the Radeon Git DDX (for whatever reason it didn't show up in my RSS feed until hours ago though it was apparently committed weeks ago).
There's yet to be any change to the Nouveau DDX driver, which per the latest mainline Git, hasn't been touched since November of last year.
This will be good news for security-conscious Linux users come this summer with the release of X.Org Server 1.16 and the new releases of the Intel/Radeon DDX drivers.