
Plasma with root-less X server



Hi!

For quite some time Debian has defaulted to X without setuid root.
See below for the relevant NEWS entry for 'xserver-xorg-core'. Also:

% ls -l /usr/bin/X
lrwxrwxrwx 1 root root 4 Mär 31 12:14 /usr/bin/X -> Xorg
% ls -l /usr/bin/Xorg
-rwxr-xr-x 1 root root 274 Mär 31 12:14 /usr/bin/Xorg

Still, for Plasma the X server is started with full root privileges:

% ps aux | grep '[X]org'
root      2570  3.4  0.9 878916 150504 tty7    Ssl+ Jun03  35:44 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{3fa9520f-d081-42c7-8c59-63a42a7d91e0} -background none -noreset -displayfd 17 -seat seat0 vt7

This is despite my belief that all requirements on this system are met. Also,
the 'xserver-xorg-legacy' package is not installed:

% dpkg -l | grep xserver-xorg | cut -c1-78
ii  xserver-xorg-core                             2:1.20.8-2                  
ii  xserver-xorg-input-libinput                   0.29.0-1                    
ii  xserver-xorg-input-wacom                      0.34.99.1-1+b1              
ii  xserver-xorg-video-intel                      2:2.99.917+git20200226-1

What is missing?

I did find next to no documentation about this.

Here is the NEWS entry:

xorg-server (2:1.17.3-1) unstable; urgency=medium

  The Xorg server is no longer setuid root by default.  This change reduces the
  risk of privilege escalation due to X server bugs, but has some side effects:

  * it relies on logind and libpam-systemd
  * it relies on a kernel video driver (so the userspace component doesn't
    touch the hardware directly)
  * it needs X to run on the virtual console (VT) it was started from
  * it changes the location for storing the Xorg log from /var/log/ to
    ~/.local/share/xorg/

  On systems where those are not available, the new xserver-xorg-legacy package
  is needed to allow X to run with elevated privileges.  See the
  Xwrapper.config(5) manual page for configuration details.

 -- Julien Cristau <[…]>  Tue, 27 Oct 2015 22:54:11 +0000

Thanks,
-- 
Martin
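The checks Martin runs by hand above (is the Xorg binary setuid, is the running Xorg owned by root, is the legacy wrapper configured to grant root) can be put into a small audit script. The following is an added example, not code from the original post or from the Debian packages; it assumes the binary path /usr/lib/xorg/Xorg seen in the ps output, that `ps aux` prints the command in the 11th column, and the `needs_root_rights` key documented in Xwrapper.config(5). The sample listings and ps lines are constructed for the self-test; `--live` runs the same logic against the current host.

```sh
#!/bin/sh
# Added example (not from the original post): audit helpers for the
# rootless-X question. The pure functions take text as arguments so they
# can be exercised on constructed input; check_live runs them on this host.

# Constructed sample input (modelled on the listings in the post).
SAMPLE_LS_SETUID='-rwsr-xr-x 1 root root 274 Mar 31 12:14 /usr/lib/xorg/Xorg'
SAMPLE_LS_PLAIN='-rwxr-xr-x 1 root root 274 Mar 31 12:14 /usr/lib/xorg/Xorg'
SAMPLE_PS_ROOT='root      2570  3.4  0.9 878916 150504 tty7    Ssl+ Jun03  35:44 /usr/lib/xorg/Xorg -nolisten tcp -seat seat0 vt7'
SAMPLE_PS_USER='martin    2570  3.4  0.9 878916 150504 tty7    Ssl+ Jun03  35:44 /usr/lib/xorg/Xorg -nolisten tcp -seat seat0 vt7'
SAMPLE_XWRAPPER='# constructed /etc/X11/Xwrapper.config
allowed_users=console
needs_root_rights=yes'

# Return 0 if an `ls -l` line shows the setuid bit: an 's' or 'S' in the
# owner-execute slot, which is the 4th character of the mode string.
is_setuid_listing() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case "$mode" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print how many Xorg processes in `ps aux` output run as root
# (user is column 1, command is column 11).
count_root_xorg() {
    printf '%s\n' "$1" | awk '$1 == "root" && $11 ~ /Xorg$/ { n++ } END { print n + 0 }'
}

# Print the effective needs_root_rights value from Xwrapper.config text,
# "auto" when the key is absent (assumed key name from Xwrapper.config(5);
# the file only matters when xserver-xorg-legacy is installed).
xwrapper_needs_root() {
    val=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*needs_root_rights[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${val:-auto}"
}

# Classify from an ls line for the binary and ps output. Prints one of:
#   root     - an Xorg process is running as root (the situation in the post)
#   setuid   - binary is setuid root but no root Xorg is running
#   rootless - neither setuid nor a root Xorg process
classify() {
    listing=$1
    psout=$2
    if [ "$(count_root_xorg "$psout")" -gt 0 ]; then
        echo root
    elif is_setuid_listing "$listing"; then
        echo setuid
    else
        echo rootless
    fi
}

# Run the same checks against the current host.
check_live() {
    bin=/usr/lib/xorg/Xorg
    [ -e "$bin" ] || bin=$(command -v Xorg 2>/dev/null) || { echo "Xorg not found"; return 1; }
    bin=$(readlink -f "$bin")
    echo "binary: $bin"
    echo "state: $(classify "$(ls -l "$bin")" "$(ps aux)")"
    if [ -r /etc/X11/Xwrapper.config ]; then
        echo "needs_root_rights=$(xwrapper_needs_root "$(cat /etc/X11/Xwrapper.config)")"
    else
        echo "no /etc/X11/Xwrapper.config (legacy wrapper not configured)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

A "root" result with a non-setuid binary, as in the post, points at the display manager starting the server as root rather than at the X packaging; the NEWS entry's conditions (logind session, KMS driver, started on its own VT) are what let the server drop to the user, and the log under ~/.local/share/xorg/ is the quickest confirmation that it did.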


