Mailing List Archive

Hey,

It has some typos. What's the current trend of attaching news items? It
makes hard to point out enhancements.

-- juippis

On 6/21/20 10:22 PM, Piotr Karbowski wrote:
> Hi,
>
> Please find news item attached.
>
> -- Piotr.

On Sunday, 21 June 2020 21:27:02 CEST Joonas Niilola wrote:
> What's the current trend of attaching news items? It
> makes hard to point out enhancements.

Indeed, I didn't even look at the previous mail that was sent like that.

Hi,

Re-sending news item inline.

###

Title: xorg-server dropping default suid
Author: Piotr Karbowski <slashbeast@gentoo.org>
Posted: 2020-06-22
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: x11-base/xorg-server

The Gentoo X11 Team is announcing that starting with 15th of July,
the x11-base/xorg-server will no longer default to suid and will default
to using logind interface instead. This change makes xorg-server run as
regular user rather than root by default, however, those who do not have
any logind interface provider (either systemd or elogind) will need to
enable either to make it possible to run X session as unprivileged user.

No action is required from systemd and desktop profile users, since
systemd provides logind interface, and desktop profile already enables
'elogind' USE flag globally.

Rest of the non-systemd users is required to globally enable 'elogind'
USE flag and apply it by 'emerge --newuse @world', after which, re-login
is required so that PAM can allocate seat.

One can confirm that a seat has been assigned upon login by running:

$ loginctl user-status

Those who for whatever reason want to preserve current state, while
heavily discourage, can still use x11-base/xorg-server with 'suid -elogind'.

On Sun, 2020-06-21 at 22:09 +0200, Piotr Karbowski wrote:
> Hi,
>
> Re-sending news item inline.
>
> ###
>
> Title: xorg-server dropping default suid
> Author: Piotr Karbowski <slashbeast@gentoo.org>
> Posted: 2020-06-22
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: x11-base/xorg-server
>
> The Gentoo X11 Team is announcing that starting with 15th of July,
> the x11-base/xorg-server will no longer default to suid and will default
> to using logind interface instead. This change makes xorg-server run as
> regular user rather than root by default, however, those who do not have
> any logind interface provider (either systemd or elogind) will need to
> enable either to make it possible to run X session as unprivileged user.

No offense but it sounds a little chaotic to me. How about something
like:

Starting 2020-07-15 [use ISO dates, please], x11-base/xorg-server will
default to using logind interface instead of suid by default. It will
result in ... [what? better security?] through running the server
as a regular user instead of root. However, this will require our users
to use a logind provider such as elogind or systemd.

> No action is required from systemd and desktop profile users, since
> systemd provides logind interface, and desktop profile already enables
> 'elogind' USE flag globally.
>
> Rest of the non-systemd users is required to globally enable 'elogind'

The remaining users are ... 'elogind' [or 'systemd'?]

> USE flag and apply it by 'emerge --newuse @world'

Cut sentence here.

> , after which, re-login
> is required so that PAM can allocate seat.

Afterwards, ...

>
> One can confirm that a seat has been assigned upon login by running:
>
> $ loginctl user-status
>
> Those who for whatever reason want to preserve current state, while
> heavily discourage, can still use x11-base/xorg-server with 'suid -elogind'.

'whatever reason' doesn't sound professional. How about:

Users who do not wish to use logind interface can manually reenable
'suid' flag in order to preserve the previous behavior. However, please
note that this is heavily discouraged... [.maybe explain why? also, are
we going to eventually remove it?]

--
Best regards,
Micha? Górny

200621 Piotr Karbowski wrote:
> Title: xorg-server dropping default suid
...
> The Gentoo X11 Team is announcing that starting with 15th of July,
> the x11-base/xorg-server will no longer default to suid
> and will default to using logind interface instead. This change
> makes xorg-server run as regular user rather than root by default,
> however those who do not have any logind interface provider
> -- either systemd or elogind -- will need to enable either
> to make it possible to run X session as unprivileged user.
> No action is required from systemd and desktop profile users,
> since systemd provides logind interface
> and desktop profile already enables 'elogind' USE flag globally.
> Rest of the non-systemd users is required to globally enable
> 'elogind' USE flag and apply it by 'emerge --newuse @world',
> after which, re-login is required so that PAM can allocate seat.
> One can confirm that a seat has been assigned upon login by running:
> $ loginctl user-status
> Those who for whatever reason want to preserve current state,
> while heavily discouraged,
> can still use x11-base/xorg-server with 'suid -elogind'.

Gentoo Wiki says :

elogind is the systemd project's logind, extracted to a standalone package.
It's designed for users who prefer a non-systemd init system,
but still want to use popular software such as KDE/Wayland or GNOME
that otherwise hard-depends on systemd.

startx integration : To have an elogind session created
when using startx to start the X server (instead of a display manager),
add the following to the user's ~/.xinitrc file : FILE ~/.xinitrc
exec dbus-launch --exit-with-session <WINDOW_MANAGER>
WINDOW_MANAGER in the above example needs to be replaced
by a window manager or a single application.

I want to use 'startx' to start X , because I don't want to be trapped
if some problem arises with X or KDE or the login manager
& I need to change config files or remerge pkgs (etc) to rescue myself.
With 'startx' I can do all that work from raw TTYs with no problems,
as I am not forced to go into an X session if I don't want to.

I don't want to use 'systemd', as I want to run a traditional UNIX version
of Linux + KDE (or Fluxbox) for a simple single-user desktop system.

Why is running 'xorg-server' as root "heavily discouraged" ?
-- I've been doing that with Gentoo for > 16 yr without any problems.
AFAIK there are no problems re exploits via I/net browsers,
which are started by my user as all such user software always is.
What might go wrong, if I continue to 'startx'
with 'xorg-server' merged with 'suid -elogind'
& without the '.xinitrc' line show above in the Wiki ?

Are there any other Gentoo users who have the same preferences as me ?

--
========================,,============================================
SUPPORT ___________//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT `-O----------O---' purslowatcadotinterdotnet

On Sun, Jun 21, 2020 at 4:53 PM Philip Webb <purslow@ca.inter.net> wrote:
>
> 200621 Piotr Karbowski wrote:
> > Title: xorg-server dropping default suid
> ...
> > The Gentoo X11 Team is announcing that starting with 15th of July,
> > the x11-base/xorg-server will no longer default to suid
> > and will default to using logind interface instead. This change
> > makes xorg-server run as regular user rather than root by default,
> > however those who do not have any logind interface provider
> > -- either systemd or elogind -- will need to enable either
> > to make it possible to run X session as unprivileged user.
> > No action is required from systemd and desktop profile users,
> > since systemd provides logind interface
> > and desktop profile already enables 'elogind' USE flag globally.
> > Rest of the non-systemd users is required to globally enable
> > 'elogind' USE flag and apply it by 'emerge --newuse @world',
> > after which, re-login is required so that PAM can allocate seat.
> > One can confirm that a seat has been assigned upon login by running:
> > $ loginctl user-status
> > Those who for whatever reason want to preserve current state,
> > while heavily discouraged,
> > can still use x11-base/xorg-server with 'suid -elogind'.
>
> Gentoo Wiki says :
>
> elogind is the systemd project's logind, extracted to a standalone package.
> It's designed for users who prefer a non-systemd init system,
> but still want to use popular software such as KDE/Wayland or GNOME
> that otherwise hard-depends on systemd.
>
> startx integration : To have an elogind session created
> when using startx to start the X server (instead of a display manager),
> add the following to the user's ~/.xinitrc file : FILE ~/.xinitrc
> exec dbus-launch --exit-with-session <WINDOW_MANAGER>
> WINDOW_MANAGER in the above example needs to be replaced
> by a window manager or a single application.
>
> I want to use 'startx' to start X , because I don't want to be trapped
> if some problem arises with X or KDE or the login manager
> & I need to change config files or remerge pkgs (etc) to rescue myself.
> With 'startx' I can do all that work from raw TTYs with no problems,
> as I am not forced to go into an X session if I don't want to.

Thank you for actually participating in the discussion, unlike the
last thread about this topic.

> I don't want to use 'systemd', as I want to run a traditional UNIX version
> of Linux + KDE (or Fluxbox) for a simple single-user desktop system.
>
> Why is running 'xorg-server' as root "heavily discouraged" ?
> -- I've been doing that with Gentoo for > 16 yr without any problems.
> AFAIK there are no problems re exploits via I/net browsers,
> which are started by my user as all such user software always is.
> What might go wrong, if I continue to 'startx'
> with 'xorg-server' merged with 'suid -elogind'
> & without the '.xinitrc' line show above in the Wiki ?

For the majority of users (those that use a graphics driver with
kernel modesetting support), X only needs root access for a small set
of things: accessing the DRM device node, accessing the input device
nodes, and some stuff around VTs. The rest of the time, X doesn't need
root access but still must run as root for those cases I mention.

With elogind, those bits are handled in a small daemon, and X no
longer needs to run as root. Most people find that to be valuable,
especially with the knowledge that there have been a number of
security vulnerabilities found that would allow arbitrary code
execution in the xserver over the years [1].

Our current default of USE=suid installs /usr/bin/Xorg with the setuid
bit set, allowing it to be run *as root* by any user. This enables
non-root users to execute startx, for example.

I appreciate that Gentoo users are a diverse bunch, to say the least.
This news item is about *defaults*. I'm happy to explain the value of
the new default to people who are genuinely curious but I have no
interest in trying to convince you or anyone else of anything.

You're free to keep the status quo with a single line in
/etc/portage/package.use. The people building and maintaining the
distro think that the new defaults are better defaults for the vast
majority of users, but again they're just defaults.

[1] https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-8600/X.org-Xorg-server.html

200621 Matt Turner wrote:
> On Sun, Jun 21, 2020 at 4:53 PM Philip Webb <purslow@ca.inter.net> wrote:
>> I've been running xorg-server as root for > 16 yr without any problems.
>> AFAIK there are no problems re exploits via I/net browsers,
>> which are started by my user as all such user software always is.
>> What might go wrong, if I continue to 'startx'
>> with 'xorg-server' merged with 'suid -elogind'
>> & without the '.xinitrc' line show above in the Wiki ?
> For the majority of users -- those that use a graphics driver
> with kernel modesetting support -- , X only needs root access
> for a small set of things : accessing the DRM device node,
> accessing the input device nodes and some stuff around VTs.
> The rest of the time, X doesn't need root access.
> With elogind, those bits are handled in a small daemon
> and X no longer needs to run as root. Most people find that valuable,
> especially with the knowledge that there have been
> a number of security vulnerabilities that would allow arbitrary code
> execution in the xserver over the years [1].

The latest of those was announced in 2018
& all of them seem to involve privilege escalation by local users ;
those marked 'remote' all seem to be via off-site logins.
There doesn't appear ever to have been a genuine remote threat,
so single-user systems have never been threatened by xorg-server as root.

> [1] https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-8600/X.org-Xorg-server.html

So i ask again : Why is running 'xorg-server' as root "heavily discouraged" ?

There was a similar issue a few years ago,
when the game Nethack was threatened with removal from Gentoo
due to a security problem which affected only multi-user systems.
Is there any difference in this case of xorg-server ?

--
========================,,============================================
SUPPORT ___________//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT `-O----------O---' purslowatcadotinterdotnet

Hi,

On 22/06/2020 06.03, Philip Webb wrote:
[...]
> I don't want to use 'systemd', as I want to run a traditional UNIX version
> of Linux + KDE (or Fluxbox) for a simple single-user desktop system.

Then... don't use systemd? I officially give you my approval for that.
Read what you quoted in your email, elogind is standalone package.

The elogind does work normally in the configuration with OpenRC and startx.

> So i ask again : Why is running 'xorg-server' as root "heavily discouraged" ?
It's common sense to run software with the least privileges they
require, so if new attack vector is discovered, perhaps there will be no
escalation surface to make use of it.

-- Piotr.

200622 Piotr Karbowski wrote:
> On 22/06/2020 06.03, Philip Webb wrote:
> [...]
>> I don't want to use 'systemd', as I want to run a traditional UNIX version
>> of Linux + KDE (or Fluxbox) for a simple single-user desktop system.
> Then... don't use systemd ! I officially give you my approval for that.
> Read what you quoted in your email, elogind is standalone package.
> Elogind does work normally in the configuration with OpenRC and startx.

Ah, it cb used with 'startx', which is vital for me.

>> So again : Why is running 'xorg-server' as root "heavily discouraged" ?
> It's common sense to run software with the least privileges they require,
> so if new attack vector is discovered,
> perhaps there will be no escalation surface to make use of it.

OK, understood. It doesn't look as if there's any genuine danger
in continuing to use 'xorg-server' with 'suid' on my single-user system,
but if it really is as straightforward to use 'elogind' instead,
I may decide to change to that method for the reason you offer.

Thanks for your explanation & to all the devs for their unpaid labors.

--
========================,,============================================
SUPPORT ___________//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT `-O----------O---' purslowatcadotinterdotnet

On Sun, Jun 21, 2020 at 09:22:37PM +0200, Piotr Karbowski wrote:
> Hi,
>
> Please find news item attached.
I feel that this news item should ALSO remind people that consolekit is
deprecated per a news item a few months ago:

News Item v3: Desktop profile switching USE default to elogind

xorg-server[elogind] forces sys-auth/pambase[elogind]
and users who previously had USE='-systemd -elogind' probably have
USE=consolekit set.

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

Title: xorg-server dropping default suid
Author: Piotr Karbowski <slashbeast@gentoo.org>
Posted: 2020-06-22
Revision: 2
News-Item-Format: 2.0
Display-If-Installed: x11-base/xorg-server

Starting 2020-07-15, x11-base/xorg-server will default to using the
logind interface instead of suid by default. resulting in better
security by default through running the server as a regular user instead
of root. However, this will require our users to use a logind provider
such as elogind or systemd. The systemd users and those who are not
using systemd but use desktop profiles can stop reading here, as they
already have a logind provider enabled.

Others, who have neither systemd or desktop profiles enabled will be
required to globally enable 'elogind' USE flag and update the system

    # emerge --newuse @world

Afterwards, one will need to re-login, so the PAM can assign a seat. One
can confirm that a seat has been assigned upon login by running:

    $ loginctl user-status

Users who do not wish to use logind interface or have rare hardware that
does not use KMS and because of that, require root privileges to
operate, can manually re-enable 'suid' and disable 'elogind' USE flags
in order to preserve the previous behavior. However, please note that
this is heavily discouraged to run X server as root due to security
reasons. The 'suid' USE flag will remain as optional opt-in for the need
of legacy hardware.

Hi,

On 21/06/2020 22.27, Micha? Górny wrote:
> No offense but it sounds a little chaotic to me.

Which is the reasons we do those reviews. Appreciate the suggestions,
just sent revision 2 as the response to the very first email in this
thread, please check how it looks now.

-- Piotr.

On Sun, Jun 21, 2020 at 10:02:25PM +0200, Andreas Sturmlechner wrote:
> On Sunday, 21 June 2020 21:27:02 CEST Joonas Niilola wrote:
> > What's the current trend of attaching news items? It
> > makes hard to point out enhancements.
>
> Indeed, I didn't even look at the previous mail that was sent like that.

I realize I'm late to this and maybe this is being discussed in another
thread (I'm catching up), but attaching newsitems is the standard way of
getting them reviewed; this is not anything new.

Thanks,

William

On 6/27/20 1:36 PM, William Hubbs wrote:
> On Sun, Jun 21, 2020 at 10:02:25PM +0200, Andreas Sturmlechner wrote:
>> On Sunday, 21 June 2020 21:27:02 CEST Joonas Niilola wrote:
>>> What's the current trend of attaching news items? It
>>> makes hard to point out enhancements.
>>
>> Indeed, I didn't even look at the previous mail that was sent like that.
>
> I realize I'm late to this and maybe this is being discussed in another
> thread (I'm catching up), but attaching newsitems is the standard way of
> getting them reviewed; this is not anything new.
>
> Thanks,
>
> William
>

I think the point being made was that the vast majority of news items
are posted as content inlined in the email as opposed to an attached file.

--
Thanks,

Adam Feldman
Gentoo Developer
NP-Hardass@gentoo.org
0x671C52F118F89C67