non root X

Serge E. Hallyn serue at us.ibm.com
Thu Aug 6 19:50:58 UTC 2009


Quoting Dave Airlie (airlied at redhat.com):
> On Thu, 2009-08-06 at 01:36 -0400, Ben Boeckel wrote:
> > 
> > Dave Airlie wrote:
> > 
> > > On Mon, 2009-08-03 at 15:08 +0530, Rahul Sundaram wrote:
> > >> Hi
> > >> 
> > >> A few days back I ran into
> > >> 
> > >> http://lists.x.org/archives/xorg-devel/2009-July/001293.html
> > >> 
> > >> I am wondering, since we are already using KMS in most places in Fedora,
> > >> how far are we from achieving this by default in a Fedora release?
> > > 
> > > non-root X is a big security hole at the moment, and until we get
> > > revoke() support in the kernel, we can probably move X to running as a
> > > special user, and maybe once we get revoke to running as the real user.
> > > 
> > > However it doesn't solve the issue of how we know we need or don't need
> > > root, since X only figures out what graphics drivers are needed after
> > > starting, so if you needed a non-kms gpu driver we wouldn't know
> > > until after we'd started as non-root.
> > > 
> > > Dave.
> > > 
> > 
> > Could permissions be raised temporarily? PolicyKit with 
> > (defaulted) auto-approve to load an appropriate driver?
> 
> 
> Maybe we could do something with SELinux, but I don't think
> we can do anything without getting revoke. Or maybe some
> process capabilities, if such things worked.

The non-kms drivers could carry fE=on, fI=CAP_SYS_RAWIO (or whatever
they need), and userids or groups allowed to run X could get pI=CAP_SYS_RAWIO
at login through pam_cap.so.

If you also make the X driver setuid-root, then on filesystems (like
NFS) or kernels which don't support file capabilities, it'll run setuid
root as it does now, while if file caps are supported then it should run
as the calling user with just the granted capabilities.

-serge
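As an added example, not part of this thread nor of any Fedora or X.Org code: a small C model of the exec-time capability transformation rule from capabilities(7), used to check what the fE/fI/pI arrangement proposed above actually grants. It models only the capability sets (the uid change a setuid-root binary performs is left out), assumes the pre-ambient-capabilities form of the rule and a full bounding set, and the driver file caps and the two example users are constructed for the demonstration.

```c
/* Added example (not from the mailing-list thread): a model of the
 * execve() capability transformation from capabilities(7), used to check
 * the fE=on, fI=CAP_SYS_RAWIO + pam_cap pI scheme.  Capability sets only;
 * the setuid uid change itself is not modelled. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t capset_t;              /* one bit per capability */

/* Bit positions as in <linux/capability.h>. */
#define CAP_BIT(n)      ((capset_t)1 << (n))
#define CAP_SYS_RAWIO   CAP_BIT(17)
#define CAP_SYS_ADMIN   CAP_BIT(21)
#define CAP_ALL         (~(capset_t)0)

struct proc_caps { capset_t permitted, effective, inheritable, bounding; };
struct file_caps {
    capset_t permitted, inheritable;    /* fP, fI */
    bool effective;                     /* fE: a single bit in the file xattr */
    bool present;                       /* false = fs/kernel has no file caps */
};

/* Kernel rule (capabilities(7), pre-ambient form):
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 * Without file caps, a setuid-root binary takes the legacy path
 * (SECBIT_NOROOT clear): permitted/effective become the whole bounding
 * set, i.e. "runs setuid root as it does now". */
struct proc_caps exec_caps(struct proc_caps p, struct file_caps f, bool setuid_root)
{
    struct proc_caps n = { .inheritable = p.inheritable, .bounding = p.bounding };

    if (!f.present && setuid_root) {        /* legacy root fallback */
        n.permitted = p.bounding | p.inheritable;
        n.effective = n.permitted;
        return n;
    }
    n.permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective = f.effective ? n.permitted : 0;
    return n;
}

/* Constructed scenario: the driver as proposed (fE on, fI=CAP_SYS_RAWIO,
 * empty fP) and also marked setuid-root for the fallback case. */
static const struct file_caps kms_less_driver = {
    .permitted = 0, .inheritable = CAP_SYS_RAWIO, .effective = true, .present = true,
};

/* A user whose login got pI=CAP_SYS_RAWIO from pam_cap.so ... */
static const struct proc_caps x_user = {
    .permitted = 0, .effective = 0, .inheritable = CAP_SYS_RAWIO, .bounding = CAP_ALL,
};
/* ... and an ordinary user with an empty inheritable set. */
static const struct proc_caps other_user = { .bounding = CAP_ALL };

/* Effective set the driver process ends up with for a given caller,
 * on a filesystem with or without file-capability support. */
capset_t driver_effective(struct proc_caps caller, bool fs_supports_fcaps)
{
    struct file_caps f = kms_less_driver;
    f.present = fs_supports_fcaps;
    return exec_caps(caller, f, /* setuid_root */ true).effective;
}

int main(void)
{
    printf("X user, file caps supported:      effective=%#llx\n",
           (unsigned long long)driver_effective(x_user, true));
    printf("other user, file caps supported:  effective=%#llx\n",
           (unsigned long long)driver_effective(other_user, true));
    printf("other user, no file caps (setuid-root fallback): effective=%#llx\n",
           (unsigned long long)driver_effective(other_user, false));
    return 0;
}
```

The model shows the security property of the scheme: the file's inheritable bit is only a mask, so a caller whose inheritable set is empty gains nothing even though the file carries CAP_SYS_RAWIO, while the fallback on a filesystem without file caps hands out the full root set. With fE cleared the capability would land only in the permitted set and the driver would have to raise it with capset() itself. For a real deployment with the stock libcap tools (the driver path below is a placeholder), the file half would be `setcap cap_sys_rawio=ie /path/to/driver`, and the login half a per-user line such as `cap_sys_rawio  alice` in `/etc/security/capability.conf` together with `auth required pam_cap.so` in the login PAM stack.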