Mailing List Archive

xorg-server[elogind,-suid] and starting additional Xorg session from running Xorg session
Hi.

I've tried using xorg-server[elogind,-suid] and got an issue.

With x11-base/xorg-server-1.20.8[elogind,suid] I could just do "sudo -i
-u another-user DISPLAY= XAUTHORITY= startx $application $app_args --
:$nextdisplay" from running X11 session and get myself a separate new
X11 session running from different user.

With x11-base/xorg-server-1.20.8-r1[elogind,suid] it is also possible to
do this if line 'allowed_users = anybody' is added to file
'/etc/X11/X11/Xwrapper.config'.

But with x11-base/xorg-server-1.20.8-r1[elogind,-suid] I couldn't make a
similar setup to work. I've tried adding options '-keeptty' or 'vt?' or
both, but all I get are errors like these:

Fatal server error:
(EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied)

or

Fatal server error:
(EE) xf86OpenConsole: Cannot open virtual console 5 (Permission denied)


Is it possible to make setup like this work with elogind without suid?
Re: xorg-server[elogind,-suid] and starting additional Xorg session from running Xorg session [ In reply to ]
On Thu, Jul 23, 2020 at 03:15:04PM +0300, i.Dark_Templar wrote
> Hi.
>
> I've tried using xorg-server[elogind,-suid] and got an issue.

I know this may sound too simple, but did you update world? News item
https://www.gentoo.org/support/news-items/2020-06-24-xorg-server-dropping-default-suid.html
says...

> to globally enable 'elogind' USE flag and update the system
>
> # emerge --newuse @world
>
> Afterwards, one will need to re-login, so the PAM can assign a
> seat. One can confirm that a seat has been assigned upon login
> by running:
>
> $ loginctl user-status

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
Re: xorg-server[elogind,-suid] and starting additional Xorg session from running Xorg session [ In reply to ]
23.07.2020 19:05, Walter Dnes ?????:
> On Thu, Jul 23, 2020 at 03:15:04PM +0300, i.Dark_Templar wrote
>> Hi.
>>
>> I've tried using xorg-server[elogind,-suid] and got an issue.
>
> I know this may sound too simple, but did you update world? News item
> https://www.gentoo.org/support/news-items/2020-06-24-xorg-server-dropping-default-suid.html
> says...
>

Yes, of course. I usually do 'emerge -avuDN system world', and I have
following options in make.conf:

EMERGE_DEFAULT_OPTS="--with-bdeps=y --binpkg-respect-use=y
--autounmask=n --complete-graph=y --keep-going"

And I did following sequence after emerging xorg-server with different
USE-flags before testing it: logout out of X11 session, login into
console session as root, restart xdm service (restart sddm), login into
KDE session via SDDM. KDE session works fine, but I can't start one more
X11 session from it.

While I didn't test it, I guess X11 session could be started fine from
user if you login into a console session (text-only session), but when I
try to start one more X11 session from already running X11 session, I
hit insufficient permissions error.

>> to globally enable 'elogind' USE flag and update the system
>>
>> # emerge --newuse @world
>>
>> Afterwards, one will need to re-login, so the PAM can assign a
>> seat. One can confirm that a seat has been assigned upon login
>> by running:
>>
>> $ loginctl user-status
>

As far as I can see elogind works fine for me in usual scenario: login
via SDDM.
Re: xorg-server[elogind,-suid] and starting additional Xorg session from running Xorg session [ In reply to ]
On Thu, 2020-07-23 at 19:24 +0300, i.Dark_Templar wrote:
> 23.07.2020 19:05, Walter Dnes ?????:
>
> > On Thu, Jul 23, 2020 at 03:15:04PM +0300, i.Dark_Templar wrote
> > > Hi.
> > > I've tried using xorg-server[elogind,-suid] and got an issue.
> > I know this may sound too simple, but did you update world? News item
> > https://www.gentoo.org/support/news-items/2020-06-24-xorg-server-dropping-default-suid.html
> > says...
>
>
> Yes, of course. I usually do 'emerge -avuDN system world'

I may be way off base, but would the changed-use flag (-U / --changed-
use) have been needed in order to apply this change?
Re: xorg-server[elogind,-suid] and starting additional Xorg session from running Xorg session [ In reply to ]
23.07.2020 19:29, Matt Connell (Gmail) ?????:
> On Thu, 2020-07-23 at 19:24 +0300, i.Dark_Templar wrote:
>> 23.07.2020 19:05, Walter Dnes ?????:
>>
>>> On Thu, Jul 23, 2020 at 03:15:04PM +0300, i.Dark_Templar wrote
>>>> Hi.
>>>> I've tried using xorg-server[elogind,-suid] and got an issue.
>>> I know this may sound too simple, but did you update world? News item
>>> https://www.gentoo.org/support/news-items/2020-06-24-xorg-server-dropping-default-suid.html
>>> says...
>>
>>
>> Yes, of course. I usually do 'emerge -avuDN system world'
>
> I may be way off base, but would the changed-use flag (-U / --changed-
> use) have been needed in order to apply this change?
>
>

I'm using --newuse (-N). According to 'man emerge', --newuse and
--changed-use are pretty similar, but if disabled USE-flag is added or
removed for package without version change, --changed-use does not
trigger rebuild of package.

Anyway, I just tried running 'emerge -avuUDN system world', and it
reported 'Nothing to merge'.
Re: xorg-server[elogind,-suid] and starting additional Xorg session from running Xorg session [ In reply to ]
i.Dark_Templar wrote:
> 23.07.2020 19:29, Matt Connell (Gmail) ?????:
>> On Thu, 2020-07-23 at 19:24 +0300, i.Dark_Templar wrote:
>>> 23.07.2020 19:05, Walter Dnes ?????:
>>>
>>>> On Thu, Jul 23, 2020 at 03:15:04PM +0300, i.Dark_Templar wrote
>>>>> Hi.
>>>>> I've tried using xorg-server[elogind,-suid] and got an issue.
>>>> I know this may sound too simple, but did you update world? News item
>>>> https://www.gentoo.org/support/news-items/2020-06-24-xorg-server-dropping-default-suid.html
>>>> says...
>>>
>>> Yes, of course. I usually do 'emerge -avuDN system world'
>> I may be way off base, but would the changed-use flag (-U / --changed-
>> use) have been needed in order to apply this change?
>>
>>
> I'm using --newuse (-N). According to 'man emerge', --newuse and
> --changed-use are pretty similar, but if disabled USE-flag is added or
> removed for package without version change, --changed-use does not
> trigger rebuild of package.
>
> Anyway, I just tried running 'emerge -avuUDN system world', and it
> reported 'Nothing to merge'.
>
>


Just a FYI.  If you put world as a set, you can leave out system.  The
world set will pull in the system set so it will save you some typing. 

Just a thought.

Dale
Re: xorg-server[elogind,-suid] and starting additional Xorg session from running Xorg session [ In reply to ]
On Thu, 23 Jul 2020 19:38:21 +0300, i.Dark_Templar wrote:

> I'm using --newuse (-N). According to 'man emerge', --newuse and
> --changed-use are pretty similar, but if disabled USE-flag is added or
> removed for package without version change, --changed-use does not
> trigger rebuild of package.

That's not quite right. The difference is that --changed-use won't
trigger a rebuild if the change of use flag makes no difference on your
settings whereas --newuse will always rebuild for a changed flag. It has
noting to sdo with version changes, which will always case a rebuild
because you are using -u.


--
Neil Bothwick

Adolescence, n.: The stage between puberty and adultery.
Re: xorg-server[elogind,-suid] and starting additional Xorg session from running Xorg session [ In reply to ]
On Thu, 23 Jul 2020 15:15:04 +0300, i.Dark_Templar wrote:

> With x11-base/xorg-server-1.20.8[elogind,suid] I could just do "sudo -i
> -u another-user DISPLAY= XAUTHORITY= startx $application $app_args --
> :$nextdisplay" from running X11 session and get myself a separate new
> X11 session running from different user.
>
> With x11-base/xorg-server-1.20.8-r1[elogind,suid] it is also possible to
> do this if line 'allowed_users = anybody' is added to file
> '/etc/X11/X11/Xwrapper.config'.
>
> But with x11-base/xorg-server-1.20.8-r1[elogind,-suid] I couldn't make a
> similar setup to work. I've tried adding options '-keeptty' or 'vt?' or
> both, but all I get are errors like these:
>
> Fatal server error:
> (EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied)

Is your new user a member of the tty group?


--
Neil Bothwick

Old hitchhikers never die-they just throw in the towel.
Re: xorg-server[elogind,-suid] and starting additional Xorg session from running Xorg session [ In reply to ]
23.07.2020 22:25, Neil Bothwick ?????:
> On Thu, 23 Jul 2020 15:15:04 +0300, i.Dark_Templar wrote:
>
>> With x11-base/xorg-server-1.20.8[elogind,suid] I could just do "sudo -i
>> -u another-user DISPLAY= XAUTHORITY= startx $application $app_args --
>> :$nextdisplay" from running X11 session and get myself a separate new
>> X11 session running from different user.
>>
>> With x11-base/xorg-server-1.20.8-r1[elogind,suid] it is also possible to
>> do this if line 'allowed_users = anybody' is added to file
>> '/etc/X11/X11/Xwrapper.config'.
>>
>> But with x11-base/xorg-server-1.20.8-r1[elogind,-suid] I couldn't make a
>> similar setup to work. I've tried adding options '-keeptty' or 'vt?' or
>> both, but all I get are errors like these:
>>
>> Fatal server error:
>> (EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied)
>
> Is your new user a member of the tty group?
>
>

No. Should I add every user I wish to allow running Xorg without suid in
such setup to tty group? I don't like such idea. Currently, there are no
users in this group. Granting a user permissions to control every tty
looks like an overkill and an insecure setting.

I'm not trying to fix this setup at any cost. I'm trying to figure out
if it's possible to do this without suid and I'm just missing something,
or if I should stick to suid for my use-case.