https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c1 Matthias Gerstner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |matthias.gerstner@suse.com --- Comment #1 from Matthias Gerstner --- Thank you for opening the review bug. Can you tell us where to find the sources / the package containing Xorg.wrap? What is the current concept in openSUSE to start the X server as root? -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c2 --- Comment #2 from Stefan Dirsch --- The wrapper is part of xserver sources (xorg-x11-server). It's built via --enable-suid-wrapper configure option. Actually we already had this in place for some time, but disabled it again. (%{build_suid_wrapper} in xorg-x11-server specfile). And Egbert needed to change a lot in order to make it working, usable. ------------------------------------------------------------------- Tue Apr 12 15:33:45 UTC 2016 - eich@suse.com - Add permission verification for SUID wrapper - Disable SUID wrapper per default until reviewed ------------------------------------------------------------------- Tue Apr 12 13:59:48 UTC 2016 - eich@suse.com - n_Install-Avoid-failure-on-wrapper-installation.patch: rename to: N_Install-Avoid-failure-on-wrapper-installation.patch - u_xorg-wrapper-Drop-supplemental-group-IDs.patch: Drop supplementary group privileges. - u_xorg-wrapper-build-Build-position-independent-code.patch: Build position independent. ------------------------------------------------------------------- Tue Apr 12 09:06:06 UTC 2016 - eich@suse.com - n_Install-Avoid-failure-on-wrapper-installation.patch: Fix up build for wrapper. - Place SUID wrapper into a separate package: xorg-x11-server-wrapper ------------------------------------------------------------------- Thu Apr 7 15:53:39 UTC 2016 - eich@suse.com - Set configure option --enable-suid-wrapper for TW: This way, the SUID wrapper is built which allows to run the Xserver as root even though the the DM instance runs as user. This allows to support drivers which require direct HW access. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c4 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tzimmermann@suse.com --- Comment #4 from Stefan Dirsch --- And I still would prefer having modeset X driver running on generic KMS driver running on generic framebuffer, which has been developed by Thomas, but still has issues for X autoconfiguration. :-( Adding Thomas therefore. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 Matthias Gerstner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS Assignee|security-team@suse.de |matthias.gerstner@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c6 --- Comment #6 from Stefan Dirsch --- Thanks for the code review, Matthias! Your comments make a lot of sense to me! AFAIK gdm only uses a few Xserver options and these are even hardcoded in gdm and cannot be configured easily like it's possible with xdm and maybe also other DMs. So I think we should simply asking our GNOME developers, which options they need and generate a whitelist from this information. Does this sound reasonable? Matthias, have you also checked the patches we're already applying against the wrapper in the xorg-x11-server specfile, i.e. N_Install-Avoid-failure-on-wrapper-installation.patch u_xorg-wrapper-Drop-supplemental-group-IDs.patch u_xorg-wrapper-build-Build-position-independent-code.patch -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c8 --- Comment #8 from Stefan Dirsch --- Not sure, whether we're on the same page here. Aren't we talking about a whitelist for Xserver options? There's no whitelist for anything in xdm I would be aware of. xdm still startx Xserver as root. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c10 --- Comment #10 from xiaoguang wang --- There is no whitelist in gdm. If we want a normal user is not shown in login user list, we have a trick way to do it. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c12 --- Comment #12 from Matthias Gerstner --- (In reply to xiaoguang.wang@suse.com from comment #10)

There is no whitelist in gdm. If we want a normal user is not shown in login user list, we have a trick way to do it.

We are not takling about whitelisting users, we are are talking about whitelisting command line arguments passed from the Xorg.wrap setuid-root program to the Xorg server. So that when a non-root user invokes Xorg.wrap, and the Xorg server needs to be run with root privileges, that only a subset of the supported command line arguments will be allowed. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c14 --- Comment #14 from Matthias Gerstner --- (In reply to sndirsch@suse.com from comment #6)

Matthias, have you also checked the patches we're already applying against the wrapper in the xorg-x11-server specfile, i.e.

N_Install-Avoid-failure-on-wrapper-installation.patch u_xorg-wrapper-Drop-supplemental-group-IDs.patch u_xorg-wrapper-build-Build-position-independent-code.patch

The patches are okay. The N_Install-Avoid-failure-on-wrapper-installation.patch is a bit strange (why should a user with UID!=0 && EUID==0 be building this package? That would be unwise. But I guess the intention is simply to avoid error output here. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c16 xiaoguang wang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(xiaoguang.wang@su | |se.com) | --- Comment #16 from xiaoguang wang --- The X arguments in gdm: /usr/bin/X vt2 (could be vt2-7) -displayfd x -auth xxxx -background none -noreset -keeptty -verbose 7 (could be 7 or 3) -core -listen tcp -nolisten tcp -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c18 xiaoguang wang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(xiaoguang.wang@su | |se.com) | --- Comment #18 from xiaoguang wang --- (In reply to Stefan Dirsch from comment #17)

...

-listen tcp -nolisten tcp

Both? Please explain. "-nolisten tcp" is the default since xorg-server 1.17. So when are you using "-listen tcp"? Hope it's not the default. Otherwise I would expect a security ticket to be opened immediately against gdm. ;-)

The default is no "-nolisten" and no "-listen". When defined "HAVE_XSERVER_THAT_DEFAULTS_TO_LOCAL_ONLY"(sorry I'm not clear what is used for), and allowing remote connection, add "-listen tcp". or not allowing remote connection, add "-nolisten tcp". -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c20 --- Comment #20 from Stefan Dirsch --- s/undesrtood/understood -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c22 --- Comment #22 from Stefan Dirsch --- Thanks a lot for detailed explanation. In short, we wold need "-listen" in Xserver option whitelist for gdm. And this is *not* the default. I wanted to make this sure. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c24 --- Comment #24 from Stefan Dirsch --- If this is the right approach I can try to add this option filter to ./hw/xfree86/xorg-wrapper.c. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c26 --- Comment #26 from Stefan Dirsch --- Created attachment 841732 --> https://bugzilla.suse.com/attachment.cgi?id=841732&action=edit OptionFilter.c This one can execute itself. Unfortunately when trying to integrate the code into xorg wrapper I'm running into buffer overflows ... -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #841705|0 |1 is obsolete| | -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #841726|0 |1 is obsolete| | -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c28 --- Comment #28 from Stefan Dirsch --- Created attachment 841748 --> https://bugzilla.suse.com/attachment.cgi?id=841748&action=edit u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch This patch can be reviewed. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c30 --- Comment #30 from Stefan Dirsch --- (In reply to Stefan Dirsch from comment #29)

Unfortunately running Xorg via Xwrapper does not really work for me as normal user.

# Xorg.wrap -displayfd 2 Xorg.wrap: /usr/bin/Xorg -displayfd 2 [...] (EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied)

Without Egbert's patch u_xorg-wrapper-Drop-supplemental-group-IDs.patch this changes to Fatal server error: (EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied) Xwrapper completely unpatched gives the same result. Seems this Wrapper simply doesn't work and probably never did. No idea what other distributors, which are claimed to be using it, are doing. Maybe they are heavily patching it, Who knows ... I need more than "Debian and Fedora are using it since years sucessfully"! -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c36 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(xiaoguang.wang@su | |se.com) --- Comment #36 from Stefan Dirsch --- (In reply to Matthias Gerstner from comment #33)

(In reply to sndirsch@suse.com from comment #31)

...

Ouch. I understood this wrong. It needs to be

needs_root_rights=yes

in /etc/X11/Xwrapper.config. Then it works also as regular user.

This means that the auto detection is overridden and the Xserver is always started as root. No surprise this works ;-). But then we also wouldn't need the wrapper in the first place.

Well, I was testing with needs_root_rights=no. ;-) But indeed you're right. The same happens with "auto", so autodetection apparently does not check for access to /dev/ttyX. :-( But who knows. Maybe gdm gets access via ACLs to /dev/ttyX via systemd when gdm gets started. @xiaoguang Could you please test this with the current packages from https://build.opensuse.org/package/show/home:sndirsch:branches:X11:XOrg/xorg... Plesae play around with "auto" and "yes" for needs_root_rights in /etc/X11/Xwrapper.config when using gdm. gdm needs to use Xorw.wrap instead of Xorg now. Xorg.sh may also work. Of course Xorg.wrap should be started as user gdm for testing, not any longer as user root. Let's do some testing as long as Matthias is on vacation. ;-) -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c38 --- Comment #38 from xiaoguang wang --- (In reply to Stefan Dirsch from comment #36)

Plesae play around with "auto" and "yes" for needs_root_rights in /etc/X11/Xwrapper.config when using gdm. gdm needs to use Xorw.wrap instead of Xorg now. Xorg.sh may also work. Of course Xorg.wrap should be started as user gdm for testing, not any longer as user root. For my understanding, that means I need to add patch on gdm to change X command from '/usr/bin/X' to '/usr/bin/Xorg.wrap', is that right?

On other distros(Fedaro, Ubuntu), the `/usr/bin/Xorg' was replaced by Xorg.sh, they needn't to change X server command on gdm. I will link `/usr/bin/X` to `/usr/bin/Xorg.sh` to do the test. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c40 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(xiaoguang.wang@su | |se.com) --- Comment #40 from Stefan Dirsch --- Looks. good. I'm wondering which driver you were using. I'm using qemu with "-vga qxl" and qxl X driver and needs_root_rights=auto doesn't work for me (same issue with modeset X driver). I need to set needs_root_rights=yes. Otherwise I'm getting (EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied) -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c42 --- Comment #42 from Stefan Dirsch --- Same issue with virtio. Maybe gdm gets access to /dev/tty0 somehow. You could figure out with getfacl /dev/tty0 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c44 --- Comment #44 from Stefan Dirsch --- Then I don't know. Maybe the wrapper is still being started as root and not by gdm itself ... -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c46 xiaoguang wang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(xiaoguang.wang@su | |se.com) | --- Comment #46 from xiaoguang wang --- (In reply to Stefan Dirsch from comment #45)

(In reply to Stefan Dirsch from comment #44)

...

Then I don't know. Maybe the wrapper is still being started as root and not by gdm itself ...

Could you please verify that?

1. needs_root_rights=auto without nomodeset

root 1006 0.0 0.4 236156 8604 ? Sl Sep23 0:00 /usr/sbin/gdm root 1483 0.0 0.5 167940 11896 ? Sl Sep23 0:00 \_ gdm-session-worker [pam/gdm-password] suse 1511 0.0 0.2 158200 5472 tty2 Ssl+ Sep23 0:00 \_ /usr/libexec/gdm/gdm-x-session --run-script /usr/bin/gnome-session suse 1513 0.0 3.8 238768 77112 tty2 Sl+ Sep23 0:05 \_ /usr/bin/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -norese suse 1518 0.0 0.7 258272 15244 tty2 Sl+ Sep23 0:00 \_ /usr/libexec/gnome-session-binary

2. needs_root_rights=auto with nomodeset

root 1031 0.0 0.4 236156 8612 ? Sl 08:01 0:00 /usr/sbin/gdm root 1521 0.0 0.6 167940 12188 ? Sl 08:02 0:00 \_ gdm-session-worker [pam/gdm-password] suse 1548 0.0 0.2 158200 5468 tty2 Ssl+ 08:02 0:00 \_ /usr/libexec/gdm/gdm-x-session --run-script /usr/bin/gnome-session root 1550 1.5 2.8 222652 58196 tty2 Sl+ 08:02 0:01 \_ /usr/bin/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -nore suse 1555 0.0 0.7 258272 15268 tty2 Sl+ 08:02 0:00 \_ /usr/libexec/gnome-session-binary

-- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c48 --- Comment #48 from Stefan Dirsch --- I made things easier for everyone now. ------------------------------------------------------------------- Thu Sep 24 01:40:17 UTC 2020 - Stefan Dirsch - n_xorg-wrapper-rename-Xorg.patch * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867) - change default for needs_root_rights to auto in Xwrapper.config (boo#1175867) So just use X or Xorg to start Xserver/Xwrapper now. --> https://build.opensuse.org/package/show/home:sndirsch:branches:X11:XOrg/xorg... -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c50 --- Comment #50 from Stefan Dirsch --- About needs_root_rights. You're right. Thanks for explanation. I'll add a patch. Thanks for reviewing the patch! I somewhat expected you can/need to do something in permission files to fix this build warning. ;-) -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c52 --- Comment #52 from Matthias Gerstner --- I took the liberty to rewrite your patch in attachment 841748 and you can find the result in attachment 842064: - simplified the option parsing code a bit - changed the "ignore forbidden argument" logic into an "abort on forbidden argument" logic. This is safer and avoids surprises on the user's end that could occur if the desired command line arguments aren't effective but the Xorg server is still started. - tried to adjust to the coding style present in the file (mostly the function name) - added some logic to apply the option filtering only to non-root users when Xorg is actually started as root. This should allow for full flexibility if root calls the wrapper or if the Xorg server only runs with user privileges. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c54 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(xiaoguang.wang@su | |se.com) --- Comment #54 from Stefan Dirsch --- No idea how it came to my comment #53. Apparently I pressed some wrong button when trying to mark the patch as "patch". Anyway, I had a look at the patch and it makes perfectly sense to me. Thanks a lot for working on this! I've already applied it and it does 100% what it claims. :-) Packages for testing will be available shortly via https://build.opensuse.org/package/show/home:sndirsch:branches:X11:XOrg/xorg... @xiaoguang Please give them a try as in comment #39, so this ticket can be closed finally. Also consider my comment #48. Thanks! -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c56 --- Comment #56 from Stefan Dirsch --- Great news. So I took the liberty and submitrequested what we have right now to factory/TW. https://build.opensuse.org/request/show/838622 Matthias, could you please whitelist /usr/bin/Xorg.wrap via the permissions package, so this may be accepted in the end? -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c58 --- Comment #58 from OBSbugzilla Bot --- This is an autogenerated message for OBS integration: This bug (1175867) was mentioned in https://build.opensuse.org/request/show/838733 Factory / permissions -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1175867 https://bugzilla.suse.com/show_bug.cgi?id=1175867#c60 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #60 from Stefan Dirsch --- So let's close it. -- You are receiving this mail because: You are on the CC list for the bug.