--- Comment #4 from Ludwig Nussel email@example.com 2010-08-19 13:34:13 CEST ---
(In reply to comment #1)
> how many users are still using startx. I'm afraid there are more than you think.
Question is whether we need to have a default configuration for that use case. Those who still use startx are hopefully smart enough to set the setuid bit themselves anyways.
(In reply to comment #3)
> Ludwig, Xorg s-bit is already disabled in permissions.secure for a long time. IMHO that is good enough for people that really care for security.
permissions 'secure' are not the default though.
> There was no exploitable security hole in how many years?
So it's about time that a new one is discovered you mean? :-) Seriously, if the setuid bit isn't needed anymore by the majority of users we should simply not enable that feature in the default config anymore.
> The latest security issue was in fact a kernel issue AFAIU.
Yes, but the exploit does not work if X is started via DM.
> Egbert's right, we have a much higher risk with the fact that the Xserver is running as root anyway, and that won't go away.
One step at a time, low hanging fruits first :-)
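The thread turns on two checks an administrator would actually run: does the installed X server binary carry the setuid bit, and which mode does a given permissions profile assign to it. The script below is an added example written for this page, not code from the bug report or from the openSUSE permissions package. It assumes the server lives at /usr/bin/Xorg (the page never names the path) and that profile lines follow the `path owner:group mode` layout of the /etc/permissions.* files; the two sample profiles and their modes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bug report. Audits setuid state for an X server
# binary, both on disk and as declared by a permissions profile.

# Constructed sample profiles in the "path owner:group mode" layout of
# openSUSE's /etc/permissions.* files. The modes are made up for the demo:
# one grants the setuid bit, the other (secure-style) clears it.
EASY_PROFILE='/usr/bin/Xorg root:root 4711'
SECURE_PROFILE='/usr/bin/Xorg root:root 0755'

# Print the mode a profile text assigns to a path, or "unlisted" if absent.
#   $1 = profile text (newline separated lines), $2 = path to look up
profile_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { print $3; found = 1 }
        END { if (!found) print "unlisted" }'
}

# Return 0 when an octal mode string carries the setuid bit (leading digit
# includes 4), 1 otherwise. Three-digit modes are padded to four.
mode_is_setuid() {
    m="$1"
    case "$m" in
        [0-7][0-7][0-7]) m="0$m" ;;
    esac
    case "$m" in
        4???|5???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the on-disk state of a file: "setuid", "no-setuid" or "missing".
# Defaults to /usr/bin/Xorg, an assumed path not taken from the thread.
setuid_state() {
    f="${1:-/usr/bin/Xorg}"
    [ -e "$f" ] || { echo "missing"; return 2; }
    if [ -u "$f" ]; then
        echo "setuid"
    else
        echo "no-setuid"
    fi
}

# Exercise setuid_state on a constructed temporary file instead of the live
# system: set the bit as an "easy" profile would, then clear it as a secure
# profile would. Prints "<before> <after>".
demo_setuid_toggle() {
    tmp=$(mktemp) || return 1
    chmod 4755 "$tmp"
    before=$(setuid_state "$tmp")
    chmod 0755 "$tmp"
    after=$(setuid_state "$tmp")
    rm -f "$tmp"
    echo "$before $after"
}

# Walk-through when run directly.
for profile in "$EASY_PROFILE" "$SECURE_PROFILE"; do
    mode=$(profile_mode "$profile" /usr/bin/Xorg)
    if mode_is_setuid "$mode"; then
        echo "profile mode $mode: setuid granted"
    else
        echo "profile mode $mode: setuid not granted"
    fi
done
echo "on-disk toggle: $(demo_setuid_toggle)"
echo "installed server: $(setuid_state)"
```

Running it as an unprivileged user is enough for the profile and temp-file checks; only the final line looks at the real binary, and it prints "missing" where no /usr/bin/Xorg exists. Pointing profile_mode at the contents of the active permissions file (the one selected by PERMISSION_SECURITY in /etc/sysconfig/security on openSUSE) shows what chkstat would apply, which is the difference between the 'easy' and 'secure' settings this comment argues over.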