200621 Matt Turner wrote:
> On Sun, Jun 21, 2020 at 4:53 PM Philip Webb <purs...@ca.inter.net> wrote:
>> I've been running xorg-server as root for > 16 yr without any problems.
>> AFAIK there are no problems re exploits via I/net browsers,
>> which are started by my user as all such user software always is.
>> What might go wrong, if I continue to 'startx'
>> with 'xorg-server' merged with 'suid -elogind'
>> & without the '.xinitrc' line shown above in the Wiki ?
> For the majority of users -- those that use a graphics driver
> with kernel modesetting support -- , X only needs root access
> for a small set of things : accessing the DRM device node,
> accessing the input device nodes and some stuff around VTs.
> The rest of the time, X doesn't need root access.
> With elogind, those bits are handled in a small daemon
> and X no longer needs to run as root. Most people find that valuable,
> especially with the knowledge that there have been
> a number of security vulnerabilities that would allow arbitrary code
> execution in the xserver over the years [1].

The latest of those was announced in 2018
& all of them seem to involve privilege escalation by local users ;
those marked 'remote' all seem to be via off-site logins.
There doesn't appear ever to have been a genuine remote threat,
so single-user systems have never been threatened by xorg-server as root.

> [1]
> https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-8600/X.org-Xorg-server.html

So I ask again :
Why is running 'xorg-server' as root "heavily discouraged" ?

There was a similar issue a few years ago,
when the game Nethack was threatened with removal from Gentoo
due to a security problem which affected only multi-user systems.
Is there any difference in this case of xorg-server ?

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatcadotinterdotnet