From Fedora Project Wiki
(Change Proposal ready for 2014-03-19 FESCo meeting (#1260))
(Move it to Fedora 22, see tracking bug for more details)
 
(5 intermediate revisions by 3 users not shown)
Line 10: Line 10:


== Current status ==
== Current status ==
* Targeted release: [[Releases/21 | Fedora 21]]  
* Targeted release: [[Releases/22 | Fedora 22]]  
* Last updated: December 18th 2013
* Last updated: December 18th 2013
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1078902 #1078902]


== Detailed Description ==
== Detailed Description ==
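Review bot: the targeted release moves from Fedora 21 to Fedora 22 and the tracker bug is filled in, but "Last updated: December 18th 2013" is identical on both sides of this hunk; bump the date in the same edit so the status block does not claim a 2013 update for a retarget made in 2014.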
Line 18: Line 18:


== Benefit to Fedora ==
== Benefit to Fedora ==
Having the xserver not run as root reduces Fedora's atttack surface.
Having the xserver not run as root reduces Fedora's attack surface.


== Scope ==
== Scope ==
Line 50: Line 50:
Status:
Status:


# Xorg server and driver changes, server code mostly upstream, drivers wip: 60%
# Xorg server and driver changes, server code mostly upstream, drivers wip: 90%
# display managers, per product / spin:
# display managers, per product / spin:
## Desktop product: gdm, Ray Strode is working on this: ?%
## Desktop product: gdm, Ray Strode is working on this: ?% [https://bugzilla.redhat.com/show_bug.cgi?id=1078789 bug]
## KDE spin: ssdm, Martin Bříza is working on this: ?%
## KDE spin: ssdm, Martin Bříza is working on this: ?% [https://bugzilla.redhat.com/show_bug.cgi?id=1078810 bug]
## XFCE spin: ?, contacted Christoph Wickert about this: %?
## XFCE spin: ?, contacted Christoph Wickert about this: %? [https://bugzilla.redhat.com/show_bug.cgi?id=1078808 lightdm bug]
## LXDE spin: ?, contacted Christoph Wickert about this: %?
## LXDE spin: ?, contacted Christoph Wickert about this: %? [https://bugzilla.redhat.com/show_bug.cgi?id=1078808 lightdm bug]
## Mate spin: ?, contacted Dan Mashal about this: %?
## Mate spin: ?, contacted Dan Mashal about this: %? [https://bugzilla.redhat.com/show_bug.cgi?id=1078808 lightdm bug]
# anaconda and initial-setup, contacted the anaconda-team about this
# anaconda and initial-setup, contacted the anaconda-team about this


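Review bot: the Xorg item advances from 60% to 90%, but every display-manager entry is still a placeholder, written as "?%" for gdm and sddm and as "%?" for the three lightdm spins; use one spelling of the placeholder ("?%") and, since bugs are now linked, consider replacing the placeholders with whatever progress those bugs report. Note also that "ssdm" on the KDE line appears to be a typo for sddm.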
Line 72: Line 72:
TODO
TODO


[[Category:ChangeReadyForFesco]]
[[Category:ChangePageIncomplete]]
[[Category:SystemWideChange]]
[[Category:SystemWideChange]]

Latest revision as of 11:06, 4 July 2014

Xorg without root rights

Summary

The Xorg xserver is a large piece of software which currently runs as root, making it a potential vector for attacks against the system. With recent changes made to systemd-logind, the xserver can let systemd-logind do device management for it, at which point the xserver no longer needs root rights. Initially this will likely be implemented as the xserver dropping root rights early on.
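Dropping root rights early, the initial approach named above, is easy to get subtly wrong. The following is an added example written for this page, not Xorg code and not part of the change proposal, showing the order a daemon has to follow so the drop cannot be undone: supplementary groups are cleared while still root, the group id changes before the user id, and all three ids (real, effective, saved) are changed and then verified. The target account name "nobody" in the demo at the bottom is an assumption.

```python
"""Drop root privileges early and verify the drop is irreversible.

Added example, not Xorg code. The ordering matters: supplementary groups
must be cleared while still root, the gid must be changed before the uid
(once the uid is unprivileged, setgid fails), and the real, effective and
saved ids must all change, otherwise a later setuid(0) would regain root.
"""
import os


def drop_privileges(uid, gid):
    """Switch the process to uid/gid, or confirm it already runs unprivileged.

    Returns True when the process now runs with real, effective and saved ids
    equal to uid/gid. Raises RuntimeError if the drop is incomplete.
    """
    if os.geteuid() != 0:
        # Not root: nothing can be dropped; report whether we are already the target.
        return os.getuid() == uid and os.getgid() == gid
    os.setgroups([gid])            # 1. clear supplementary groups while still root
    os.setresgid(gid, gid, gid)    # 2. real, effective and saved gid
    os.setresuid(uid, uid, uid)    # 3. real, effective and saved uid (last: needs root)
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise RuntimeError("privilege drop incomplete")
    if uid != 0 and can_regain_root():
        raise RuntimeError("root can still be regained after the drop")
    return True


def can_regain_root():
    """Return True if setuid(0) succeeds, i.e. the saved uid still allows root."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def privilege_state():
    """Return the current ids as a dict, useful for logging after the drop."""
    return {"resuid": os.getresuid(), "resgid": os.getresgid(), "groups": os.getgroups()}


if __name__ == "__main__":
    # Demo (assumption: an account named "nobody" exists): when started as
    # root, drop to it; otherwise just print the ids we already run with.
    import pwd

    target = pwd.getpwnam("nobody")
    if os.geteuid() == 0:
        drop_privileges(target.pw_uid, target.pw_gid)
    print(privilege_state())
```

The check at the end of drop_privileges is the part most implementations skip: after setresuid the code tries to become root again and treats success as a fatal error, which is what turns "we called setuid" into "we verified we are unprivileged".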

Owner

  • Name: Hans de Goede, graphics team
  • Email: hdegoede@redhat.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 22
  • Last updated: December 18th 2013
  • Tracker bug: #1078902 (https://bugzilla.redhat.com/show_bug.cgi?id=1078902)

Detailed Description

Work is currently in progress upstream to add systemd-logind integration to the xserver. This is expected to land in xserver 1.16, which is expected to be the xserver Fedora 21 ships with. For the xserver to run as a systemd-logind session controller it must be started inside a (PAM) user session, which requires changes to the applications that start the xserver, specifically display managers such as gdm.

Benefit to Fedora

Having the xserver not run as root reduces Fedora's attack surface.

Scope

For the xserver to run as a systemd-logind session controller it must be started inside a (PAM) user session, which requires changes to the applications that start the xserver, specifically display managers such as gdm. This is already being coordinated with gdm and other display managers. For Fedora 21 there will likely be a fallback mode in which the xserver does the device management itself when it is not started from a display manager that starts it inside a user session.

  • Proposal owners:

Make the xserver run properly as non-root, or drop root rights early on

  • Other developers:

Display manager developers may need to make changes to how the xserver is started, so that it always is started inside a user session. Note this change is also necessary for display managers which want to support wayland, as wayland must always be started like this.

  • Release engineering: N/A
  • Policies and guidelines: N/A

Upgrade/compatibility impact

This should not need any special handling in the upgrade path.

How To Test

  1. Install Fedora 21, boot it to the graphical login screen and log in.
  2. Run "ps aux" and notice that Xorg is not running as root.
  3. Use the graphical environment normally, including fast user switching, etc. Everything should work as before.
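The check in step 2 can be scripted so it can run in a test suite or on a fleet. The following is an added example, not part of this change page or of Xorg: it parses "ps aux" output, lists every X server process with its owner and fails if any is owned by root. The two ps listings embedded in it are constructed samples (one showing Xorg started under the gdm account, one showing the root-owned state this change removes), and the script name check_xorg_owner.py in the usage line is an assumption.

```python
"""Check "ps aux" output for X server processes that still run as root.

Added example for the test step above, not part of the Fedora change page.
On a live system feed it the real listing (file name is an assumption):

    ps aux | python3 check_xorg_owner.py
"""
import sys

# Executable names that identify an X server process (basename of COMMAND).
X_SERVER_NAMES = {"Xorg", "X"}


def parse_ps_aux(text):
    """Yield (user, pid, command) tuples from "ps aux"-style text.

    The first ten columns are whitespace-separated; everything after the
    tenth column is COMMAND and may itself contain spaces.
    """
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or fields[0] == "USER":  # short/blank line or header
            continue
        yield fields[0], int(fields[1]), fields[10]


def x_server_processes(text):
    """Return [(user, pid, command)] for every X server process in the listing."""
    found = []
    for user, pid, command in parse_ps_aux(text):
        exe = command.split()[0].rsplit("/", 1)[-1]   # basename of the executable
        if exe in X_SERVER_NAMES:
            found.append((user, pid, command))
    return found


def root_owned_x_servers(text):
    """Return the X server processes owned by root (the state this change removes)."""
    return [p for p in x_server_processes(text) if p[0] == "root"]


def report(text):
    """Return (ok, lines): ok is True when no X server in the listing runs as root."""
    xs = x_server_processes(text)
    lines = [f"pid {pid} owned by {user}: {command}" for user, pid, command in xs]
    if not xs:
        lines.append("no X server process found in the listing")
    return not root_owned_x_servers(text), lines


# Constructed sample: Xorg started by gdm inside the gdm user session (expected after this change).
SAMPLE_NON_ROOT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 193412  6784 ?        Ss   10:00   0:01 /usr/lib/systemd/systemd
gdm        961  0.4  1.2 304112 51200 tty1     Sl+  10:00   0:09 /usr/bin/Xorg :0 -noreset -verbose 3
alice     1432  0.0  0.3 128000 12000 tty2     S    10:02   0:00 /usr/bin/gnome-session
"""

# Constructed sample: the pre-change (or contingency fallback) state, Xorg owned by root.
SAMPLE_ROOT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 193412  6784 ?        Ss   10:00   0:01 /usr/lib/systemd/systemd
root       961  0.4  1.2 304112 51200 tty1     Sl+  10:00   0:09 /usr/bin/Xorg :0 -noreset -verbose 3
alice     1432  0.0  0.3 128000 12000 tty2     S    10:02   0:00 /usr/bin/gnome-session
"""

if __name__ == "__main__":
    # Read a live listing from a pipe; on a terminal, demonstrate on the root-owned sample.
    text = SAMPLE_ROOT if sys.stdin.isatty() else sys.stdin.read()
    ok, lines = report(text)
    print("\n".join(lines))
    print("OK: no X server runs as root" if ok else "FAIL: an X server is running as root")
    sys.exit(0 if ok else 1)
```

Matching on the basename of the first COMMAND word rather than on a substring avoids false hits from processes that merely mention Xorg on their command line, and splitting on at most ten separators keeps arguments that contain spaces intact.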

User Experience

The user experience will be unchanged.

Dependencies

This requires display managers, Initial Setup and Anaconda to be modified to properly start Xorg in a user session.

Status:

  1. Xorg server and driver changes, server code mostly upstream, drivers wip: 90%
  2. display managers, per product / spin:
    1. Desktop product: gdm, Ray Strode is working on this: ?% bug
    2. KDE spin: sddm, Martin Bříza is working on this: ?% bug
    3. XFCE spin: ?, contacted Christoph Wickert about this: ?% lightdm bug
    4. LXDE spin: ?, contacted Christoph Wickert about this: ?% lightdm bug
    5. Mate spin: ?, contacted Dan Mashal about this: ?% lightdm bug
  3. anaconda and initial-setup, contacted the anaconda-team about this

Contingency Plan

  • Contingency mechanism:
  1. If the necessary Xorg or anaconda + initial-setup changes are not ready in time, we will keep running Xorg as root.
  2. Xorg upstream will ship a suid-root helper to keep things working with non-KMS drivers. Its detection of whether root is needed can be overridden by a config file. If not all display managers are ready, we can flip the helper's default to keep the xserver running as root, and spins which are ready can override this from the config file so that they do get the benefits (or we could put the burden on the spins that are not ready to drop a config file forcing Xorg to run as root).
  • Contingency deadline: Beta freeze
  • Blocks release? No

Documentation

TODO

Release Notes

TODO