Xorg without root rights
Summary
The Xorg xserver is a large piece of software which currently runs as root, making it a potential vector for attacks against the system. With recent changes made to systemd-logind it is possible for the xserver to let systemd-logind do device management for it, at which point the xserver will no longer need root rights. Initially this will likely be implemented as the xserver dropping root rights early on.
Owner
- Name: Hans de Goede, graphics team
- Email: hdegoede@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 21
- Last updated: December 18th 2013
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Work is currently in progress upstream to add systemd-logind integration to the xserver. This is expected to land in xserver 1.16, which is expected to be the xserver that Fedora 21 ships with. In order for the xserver to run as a systemd-logind session controller it needs to be started inside a (pam) user session; this requires changes to the applications that start the xserver, specifically display managers such as gdm.
Benefit to Fedora
Having the xserver not run as root reduces Fedora's attack surface.
Scope
In order for the xserver to run as a systemd-logind session controller it needs to be started inside a (pam) user session; this requires changes to the applications that start the xserver, specifically display managers such as gdm. This is already being coordinated with gdm and other display managers. For Fedora 21 there will likely be a fallback mode in which the xserver does the device management itself when it is not started from a display manager that starts it inside a user session.
- Proposal owners:
Make the xserver run properly as non-root, or drop root rights early on
- Other developers:
Display manager developers may need to change how the xserver is started, so that it is always started inside a user session. Note that this change is also necessary for display managers that want to support wayland, as wayland must always be started this way.
- Release engineering: N/A
- Policies and guidelines: N/A
Upgrade/compatibility impact
This should not need any special handling in the upgrade path.
How To Test
1) Install Fedora 21, boot it to the graphical login screen and log in.
2) Run "ps aux" and notice that Xorg is not running as root.
3) Use the graphical environment normally, including fast user switching, etc. Everything should work as before.
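Step 2 above is a manual check. The following shell script, added here as an example and not part of the Fedora proposal, automates it by scanning ps output for X server processes whose effective user is root. It assumes the server binary is named Xorg, X or Xorg.bin; the sample ps output embedded in it is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: verify that no X server process runs as root.
# Input format is that of `ps -eo user=,pid=,comm=`: "USER PID COMM" per line.

# check_xorg_not_root "<ps lines>"
# Prints any X server process owned by root and returns 1 if one exists,
# returns 0 otherwise. `user` in ps is the effective user, which is what
# changes when the xserver drops root rights early on.
check_xorg_not_root() {
    _offenders=$(printf '%s\n' "$1" | awk '
        # assumed X server binary names: Xorg, X, Xorg.bin
        $3 ~ /^(Xorg|X|Xorg\.bin)$/ && $1 == "root" { print }')
    if [ -n "$_offenders" ]; then
        printf 'X server running as root:\n%s\n' "$_offenders"
        return 1
    fi
    return 0
}

# Live check on the running system (what step 2 of "How To Test" does by hand).
check_live() {
    check_xorg_not_root "$(ps -eo user=,pid=,comm=)"
}

# Constructed sample in `ps -eo user=,pid=,comm=` format, not real output:
# the display manager runs as root, the X server as the gdm user.
SAMPLE_PS='root 1 systemd
root 812 gdm
gdm 901 Xorg
bob 1500 gnome-shell'

check_xorg_not_root "$SAMPLE_PS" && echo "sample: no X server runs as root"
```

Run `check_live` on a Fedora 21 system after logging in; a non-zero exit status means the xserver is still running as root.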
User Experience
The user experience will be unchanged.
Dependencies
This requires display managers, Initial Setup and Anaconda to be modified to properly start Xorg in a user session.
Contingency Plan
- Contingency mechanism: If the necessary Xorg or display manager changes are not ready in time, we will keep running Xorg as root.
- Contingency deadline: Beta freeze
- Blocks release? No
Documentation
TODO
Release Notes
TODO