Latest revision as of 11:06, 4 July 2014
Xorg without root rights
Summary
The Xorg xserver is a large piece of software which currently runs as root, making it a potential vector for attacks against the system. With recent changes made to systemd-logind it is possible for the xserver to let systemd-logind do device management for it, at which point the xserver will no longer need root rights. Initially this will likely be implemented as the xserver dropping root rights early on.
Owner
- Name: Hans de Goede, graphics team
- Email: hdegoede@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 22
- Last updated: December 18th 2013
- Tracker bug: #1078902 (https://bugzilla.redhat.com/show_bug.cgi?id=1078902)
Detailed Description
Work is currently in progress upstream to add systemd-logind integration to the xserver. This is expected to land in 1.16, which is expected to be the xserver version Fedora 21 ships with. For the xserver to run as a systemd-logind session controller it must be started inside a (PAM) user session, which requires changes to the applications that start the xserver, specifically display managers such as gdm.
Benefit to Fedora
Having the xserver not run as root reduces Fedora's attack surface.
Scope
For the xserver to run as a systemd-logind session controller it must be started inside a (PAM) user session, which requires changes to the applications that start the xserver, specifically display managers such as gdm. This is already being coordinated with gdm and the other display managers. For Fedora 21 there will likely be a fallback mode in which the xserver does the device management itself when it is not started inside a user session by a display manager.
- Proposal owners:
Make the xserver run properly as non-root, or drop root rights early on
- Other developers:
Display manager developers may need to change how the xserver is started so that it is always started inside a user session. Note that this change is also necessary for display managers that want to support Wayland, since Wayland must always be started this way.
- Release engineering: N/A
- Policies and guidelines: N/A
Upgrade/compatibility impact
This should not need any special handling in the upgrade path.
How To Test
1) Install Fedora 21, boot it to the graphical login screen and log in.
2) Run "ps aux" and notice that Xorg is not running as root.
3) Use the graphical environment normally, including fast user switching, etc. Everything should work as before.
User Experience
The user experience will be unchanged.
Dependencies
This requires display managers, Initial Setup and Anaconda to be modified to properly start Xorg in a user session.
Status:
- Xorg server and driver changes, server code mostly upstream, drivers WIP: 90%
- Display managers, per product / spin:
  - Desktop product: gdm, Ray Strode is working on this: ?% (bug https://bugzilla.redhat.com/show_bug.cgi?id=1078789)
  - KDE spin: sddm, Martin Bříza is working on this: ?% (bug https://bugzilla.redhat.com/show_bug.cgi?id=1078810)
  - XFCE spin: ?, contacted Christoph Wickert about this: ?% (lightdm bug https://bugzilla.redhat.com/show_bug.cgi?id=1078808)
  - LXDE spin: ?, contacted Christoph Wickert about this: ?% (lightdm bug https://bugzilla.redhat.com/show_bug.cgi?id=1078808)
  - Mate spin: ?, contacted Dan Mashal about this: ?% (lightdm bug https://bugzilla.redhat.com/show_bug.cgi?id=1078808)
- anaconda and initial-setup: contacted the anaconda team about this
Contingency Plan
- Contingency mechanism:
  - If the necessary Xorg or anaconda + initial-setup changes are not ready in time, we will keep running Xorg as root.
  - Xorg upstream will ship a suid-root helper to keep things working with non-KMS drivers. Its detection of whether root is needed can be overridden by a config file. If not all display managers are ready, we can flip the helper's default to keep the xserver running as root, and spins which are ready can override this from the config file so that they do get the benefits (or we could put the burden on the spins that are not ready to drop a config file forcing the server to run as root).
- Contingency deadline: Beta freeze
- Blocks release? No
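An added example, not part of this change page, that automates test step 2 ("ps aux", Xorg must not run as root) and the config-file override from the contingency plan. It assumes the helper is upstream's Xorg.wrap reading /etc/X11/Xwrapper.config with a needs_root_rights key (names from the xorg-server 1.16 release, not from this page), takes ps output as an argument so it can also run against a saved capture, and uses constructed sample data.

```shell
#!/bin/sh
# Checks for test step 2 of this change: no X server process may run as root.
# Written to take a ps capture as an argument so the same logic runs against
# live output (ps -eo user,pid,comm) or a saved capture.

# Print the pids of X server processes running as root. Exit status 0 when
# every X server process runs unprivileged, 1 when at least one is root,
# 2 when no X server process is present at all (login screen not up yet).
check_xserver_not_root() {
    found=0
    bad=0
    while read -r user pid comm _; do
        case "$comm" in
            Xorg|X|Xorg.bin) ;;   # names the X server shows up under in ps
            *) continue ;;
        esac
        found=1
        if [ "$user" = "root" ]; then
            bad=1
            printf 'X server pid %s runs as root\n' "$pid"
        fi
    done <<EOF
$1
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# The suid-root helper from the contingency plan (assumed: Xorg.wrap with
# /etc/X11/Xwrapper.config) can be forced to always start the server as root.
# Return 0 when the given config text carries that override, so a spin that is
# ready can verify it is not still shipping the fallback setting.
xwrapper_forces_root() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*needs_root_rights[[:space:]]*=[[:space:]]*yes'
}

# Constructed sample captures (not output from any real machine).
SAMPLE_PS_OK='USER PID COMMAND
root 1 systemd
hans 1234 Xorg
hans 1300 gnome-shell'
SAMPLE_PS_ROOT='USER PID COMMAND
root 1 systemd
root 1234 Xorg
hans 1300 gnome-shell'
SAMPLE_CONF_AUTO='# needs_root_rights = yes
needs_root_rights = auto'
SAMPLE_CONF_ROOT='needs_root_rights = yes'

# Live use on a Fedora box: check_xserver_not_root "$(ps -eo user,pid,comm)"
```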
Documentation
TODO
Release Notes
TODO