best practices for running Xorg as non-root?
Hi,

just out of curiosity I tried running Xorg as non-root on my
freerunner (armel). I was surprised that it worked since this feature
does not seem to be advertised much.

The details are below. Please let me know if there are any existing
plans on supporting running Xorg as non-root in Debian.

1) My xorg.conf is
$ cat /etc/X11/xorg.conf
Section "Device"
    Identifier "Configured Video Device"
    Driver "fbdev"
EndSection
Section "ServerLayout"
    Identifier "Default Layout"
    Screen 0 "Screen0" 0 0
    InputDevice "Mouse0" "CorePointer"
    InputDevice "power"
EndSection
Section "InputDevice"
    Identifier "Mouse0"
    Driver "tslib"
    Option "Device" "/dev/input/event1"
    Option "Width" "480"
    Option "Height" "640"
EndSection
Section "InputDevice"
    Identifier "power"
    Driver "evdev"
    Option "Device" "/dev/input/event0"
EndSection
Section "Monitor"
    Identifier "Monitor0"
    VendorName "Monitor Vendor"
    DisplaySize 200 200
EndSection
Section "Device"
    Identifier "Videocard0"
    Driver "fbdev"
EndSection
Section "Screen"
    Identifier "Screen0"
    Device "Videocard0"
    Monitor "Monitor0"
    DefaultDepth 16
EndSection
Section "ServerFlags"
    Option "AutoAddDevices" "False"
EndSection
2) I created a new user and group for Xorg, should this be
standardized in Debian?
sudo addgroup --system xorg
sudo adduser --system --no-create-home --home /var/run/xorg --disabled-password --ingroup xorg xorg
3) I created a new directory for logs since I do not want to make
/var/log writable by xorg user.
sudo mkdir /var/log/xorg
sudo chown xorg:xorg /var/log/xorg
4) I granted Xorg access to the framebuffer and relevant virtual consoles
sudo chown xorg /dev/tty0
sudo chown xorg /dev/tty2
sudo chown xorg /dev/tty7
sudo chown xorg /dev/input/event0
sudo chown xorg /dev/input/event1
sudo chown xorg /dev/fb0
5) I removed all the root-owned cruft from /tmp
sudo rm -fr /tmp/.X0-lock
sudo rm -fr /tmp/.X11-unix
6) I was able to run Xorg manually with
sudo -u xorg Xorg -logfile /var/log/xorg/Xorg.0.log
Integration with xdm was a bit tricky. I ended up with a wrapper
/usr/local/bin/non-root-X that does
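#!/bin/sh
# Runs as root from xdm: hand the xdm auth directory and files to the xorg user
chown xorg /var/lib/xdm/authdir
chown xorg /var/lib/xdm/authdir/authfiles
chown xorg /var/lib/xdm/authdir/authfiles/*
# Replace this shell with Xorg running as xorg, passing xdm's arguments through
exec sudo -u xorg Xorg -logfile /var/log/xorg/Xorg.0.log "$@"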
so that I can simply have
:0 local /usr/local/bin/non-root-X :0 vt7 -nolisten tcp
in /etc/X11/xdm/Xservers. Just for completeness, here are the contents
of /var/log/xorg/Xorg.0.log:
_XSERVTransmkdir: Owner of /tmp/.X11-unix should be set to root
X.Org X Server 1.7.7
Release Date: 2010-05-04
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.32 armv5tel Debian
Current Operating System: Linux ginger 2.6.29-GTA02_lindi2-andy-tracking-mokodev #4 Tue Aug 17 23:10:12 EEST 2010 armv4tl
Kernel command line: loglevel=4 console=tty0 console=ttySAC2,115200 init=/sbin/init ro mtdparts=physmap-flash:-(nor);neo1973-nand:0x00040000(qi),0x00040000(depr-ub-env),0x00800000(kernel),0x000a0000(depr),0x00040000(identity-ext2),0x0f6a0000(rootfs) g_ether.host_addr=00:1F:11:01:1F:6B g_ether.dev_addr=00:1F:11:01:1F:6B root=/dev/mmcblk0p1 rootdelay=1 rootdelay=1 panic=20 mem=127M root=/dev/mmcblk0p2 loglevel=8
Build Date: 24 August 2010 03:05:51PM
xorg-server 2:1.7.7-4 (Julien Cristau <jcristau@debian.org>)
Current version of pixman: 0.16.4
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/var/log/xorg/Xorg.0.log", Time: Mon Sep 6 11:46:24 2010
(==) Using config file: "/etc/X11/xorg.conf"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
(==) ServerLayout "Default Layout"
(**) |-->Screen "Screen0" (0)
(**) | |-->Monitor "Monitor0"
(**) | |-->Device "Videocard0"
(**) |-->Input Device "Mouse0"
(**) |-->Input Device "power"
(**) Option "AutoAddDevices" "False"
(**) Not automatically adding devices
(==) Automatically enabling devices
(WW) The directory "/usr/share/fonts/X11/cyrillic" does not exist.
Entry deleted from font path.
(WW) The directory "/usr/share/fonts/X11/100dpi/" does not exist.
Entry deleted from font path.
(WW) The directory "/usr/share/fonts/X11/75dpi/" does not exist.
Entry deleted from font path.
(WW) The directory "/usr/share/fonts/X11/Type1" does not exist.
Entry deleted from font path.
(WW) The directory "/usr/share/fonts/X11/100dpi" does not exist.
Entry deleted from font path.
(WW) The directory "/usr/share/fonts/X11/75dpi" does not exist.
Entry deleted from font path.
(WW) The directory "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType" does not exist.
Entry deleted from font path.
(==) FontPath set to:
/usr/share/fonts/X11/misc,
built-ins
(==) ModulePath set to "/usr/lib/xorg/modules"
(==) |-->Input Device "<default keyboard>"
(==) The core keyboard device wasn't specified explicitly in the layout.
Using the default keyboard configuration.
(II) Loader magic: 0x1a7ba0
(II) Module ABI versions:
X.Org ANSI C Emulation: 0.4
X.Org Video Driver: 6.0
X.Org XInput driver : 7.0
X.Org Server Extension : 2.0
(++) using VT number 7
(WW) xf86OpenConsole: setpgid failed: Operation not permitted
(WW) xf86OpenConsole: setsid failed: Operation not permitted
(II) LoadModule: "extmod"
(II) Loading /usr/lib/xorg/modules/extensions/libextmod.so
(II) Module extmod: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 1.0.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension SELinux
(II) Loading extension MIT-SCREEN-SAVER
(II) Loading extension XFree86-VidModeExtension
(II) Loading extension XFree86-DGA
(II) Loading extension DPMS
(II) Loading extension XVideo
(II) Loading extension XVideo-MotionCompensation
(II) Loading extension X-Resource
(II) LoadModule: "dbe"
(II) Loading /usr/lib/xorg/modules/extensions/libdbe.so
(II) Module dbe: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 1.0.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension DOUBLE-BUFFER
(II) LoadModule: "glx"
(II) Loading /usr/lib/xorg/modules/extensions/libglx.so
(II) Module glx: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 1.0.0
ABI class: X.Org Server Extension, version 2.0
(==) AIGLX enabled
(II) Loading extension GLX
(II) LoadModule: "record"
(II) Loading /usr/lib/xorg/modules/extensions/librecord.so
(II) Module record: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 1.13.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension RECORD
(II) LoadModule: "dri"
(II) Loading /usr/lib/xorg/modules/extensions/libdri.so
(II) Module dri: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 1.0.0
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension XFree86-DRI
(II) LoadModule: "dri2"
(II) Loading /usr/lib/xorg/modules/extensions/libdri2.so
(II) Module dri2: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 1.1.0
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension DRI2
(II) LoadModule: "fbdev"
(II) Loading /usr/lib/xorg/modules/drivers/fbdev_drv.so
(II) Module fbdev: vendor="X.Org Foundation"
compiled for 1.7.6.901, module version = 0.4.2
ABI class: X.Org Video Driver, version 6.0
(II) LoadModule: "tslib"
(II) Loading /usr/lib/xorg/modules/input/tslib_drv.so
(II) Module tslib: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 0.0.1
Module class: X.Org XInput Driver
ABI class: X.Org XInput driver, version 7.0
(II) LoadModule: "evdev"
(II) Loading /usr/lib/xorg/modules/input/evdev_drv.so
(II) Module evdev: vendor="X.Org Foundation"
compiled for 1.7.6.901, module version = 2.3.2
Module class: X.Org XInput Driver
ABI class: X.Org XInput driver, version 7.0
(II) LoadModule: "kbd"
(WW) Warning, couldn't open module kbd
(II) UnloadModule: "kbd"
(EE) Failed to load module "kbd" (module does not exist, 0)
(II) FBDEV: driver for framebuffer: fbdev
(WW) Falling back to old probe method for fbdev
(II) Loading sub module "fbdevhw"
(II) LoadModule: "fbdevhw"
(II) Loading /usr/lib/xorg/modules/linux/libfbdevhw.so
(II) Module fbdevhw: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 0.0.2
ABI class: X.Org Video Driver, version 6.0
(II) FBDEV(0): using default device
(WW) VGA arbiter: cannot open kernel arbiter, no multi-card support
(II) Running in FRAMEBUFFER Mode
(II) FBDEV(0): Creating default Display subsection in Screen section
"Screen0" for depth/fbbpp 16/16
(**) FBDEV(0): Depth 16, (--) framebuffer bpp 16
(==) FBDEV(0): RGB weight 565
(==) FBDEV(0): Default visual is TrueColor
(==) FBDEV(0): Using gamma correction (1.0, 1.0, 1.0)
(II) FBDEV(0): hardware: SMedia Glamo (video memory: 4096kB)
(II) FBDEV(0): checking modes against framebuffer device...
(II) FBDEV(0): checking modes against monitor...
(--) FBDEV(0): Virtual size is 480x640 (pitch 480)
(**) FBDEV(0): Built-in mode "current": 24.5 MHz, 47.9 kHz, 72.5 Hz
(II) FBDEV(0): Modeline "current"x0.0 24.50 480 496 504 512 640 656 658 660 -hsync -vsync -csync (47.9 kHz)
(**) FBDEV(0): Display dimensions: (200, 200) mm
(**) FBDEV(0): DPI set to (60, 81)
(II) Loading sub module "fb"
(II) LoadModule: "fb"
(II) Loading /usr/lib/xorg/modules/libfb.so
(II) Module fb: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 1.0.0
ABI class: X.Org ANSI C Emulation, version 0.4
(**) FBDEV(0): using shadow framebuffer
(II) Loading sub module "shadow"
(II) LoadModule: "shadow"
(II) Loading /usr/lib/xorg/modules/libshadow.so
(II) Module shadow: vendor="X.Org Foundation"
compiled for 1.7.7, module version = 1.1.0
ABI class: X.Org ANSI C Emulation, version 0.4
(==) FBDEV(0): Backing store disabled
(==) FBDEV(0): DPMS enabled
(==) RandR enabled
(II) Initializing built-in extension Generic Event Extension
(II) Initializing built-in extension SHAPE
(II) Initializing built-in extension MIT-SHM
(II) Initializing built-in extension XInputExtension
(II) Initializing built-in extension XTEST
(II) Initializing built-in extension BIG-REQUESTS
(II) Initializing built-in extension SYNC
(II) Initializing built-in extension XKEYBOARD
(II) Initializing built-in extension XC-MISC
(II) Initializing built-in extension XINERAMA
(II) Initializing built-in extension XFIXES
(II) Initializing built-in extension RENDER
(II) Initializing built-in extension RANDR
(II) Initializing built-in extension COMPOSITE
(II) Initializing built-in extension DAMAGE
SELinux: Disabled on system, not enabling in X server
(II) AIGLX: Screen 0 is not DRI2 capable
(II) AIGLX: Screen 0 is not DRI capable
(EE) AIGLX error: dlopen of /usr/lib/dri/swrast_dri.so failed (/usr/lib/dri/swrast_dri.so: cannot open shared object file: No such file or directory)
(EE) GLX: could not load software renderer
(II) GLX: no usable GL providers found for screen 0
(**) Option "CorePointer"
(**) Mouse0: always reports core events
(**) Option "Width" "480"
(**) Option "Height" "640"
(II) XINPUT: Adding extended input device "Mouse0" (type: TOUCHSCREEN)
xf86TslibControlProc
xf86TslibControlProc
(**) power: always reports core events
(**) power: Device: "/dev/input/event0"
(II) power: Found keys
(II) power: Configuring as keyboard
(II) XINPUT: Adding extended input device "power" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Option "xkb_model" "evdev"
(**) Option "xkb_layout" "us"
(II) LoadModule: "kbd"
(WW) Warning, couldn't open module kbd
(II) UnloadModule: "kbd"
(EE) Failed to load module "kbd" (module does not exist, 0)
(EE) No input driver matching `kbd'
config/udev: failed to bind the udev monitor
[config] failed to initialise udev
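A preflight check for steps 3 to 5 of the message above, as an added example that is not part of the original post: it reports which of the listed paths the Xorg user does not own and which /tmp leftovers still belong to someone else. The function names and the "run" argument are assumptions of this sketch; the user name and paths are the ones given in the post.

```shell
#!/bin/sh
# Added example: preflight for the non-root Xorg setup in steps 3-5.
# Assumes GNU or busybox stat (-c %u); the paths are the ones in the post.

# uid_of NAME|UID: print the numeric uid, fail if the user does not exist.
uid_of() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# check_owned UID PATH...: report paths that are missing or not owned by UID;
# returns the number of problems found.
check_owned() {
    want=$1; shift; bad=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"; bad=$((bad + 1))
        elif [ "$(stat -c %u "$p")" != "$want" ]; then
            echo "NOT-OWNED $p"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# check_stale UID PATH...: report leftovers of an earlier server run (step 5)
# that exist but belong to another user. Absent paths are fine.
check_stale() {
    want=$1; shift; bad=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        if [ "$(stat -c %u "$p")" != "$want" ]; then
            echo "STALE     $p"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# preflight USER: run both checks with the paths used in the post.
preflight() {
    uid=$(uid_of "$1") || { echo "no such user: $1"; return 2; }
    rc=0
    check_owned "$uid" /var/log/xorg /dev/fb0 /dev/tty0 /dev/tty2 /dev/tty7 \
        /dev/input/event0 /dev/input/event1 || rc=1
    check_stale "$uid" /tmp/.X0-lock /tmp/.X11-unix || rc=1
    return "$rc"
}

if [ "${1:-}" = run ]; then preflight "${2:-xorg}"; fi
```

Saved to a file, it is invoked as `sh FILE run xorg`; an empty output with exit status 0 means every listed path is owned by that user and no foreign lock or socket directory is left in /tmp.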