Mailinglist Archive: opensuse-gnome (23 mails)

Re: [opensuse-gnome] Running Xorg non-root
Egbert,

On Tue, 2016-01-12 at 13:56 +0100, Egbert Eich wrote:
Hi Guys,

The Gnome team and the team dealing with the hardware pieces of the 
graphics stack should have a conversation about running X 'non-root'.

On openSUSE Tumbleweed gdm is the first DM to run the Xserver without
root permissions. An Xserver run as non-root will attempt to acquire
permissions for devices from systemd-logind.

Thanks for bringing this forward here.


Output:
=======
Currently, on Tumbleweed, when using 'gdm' as login manager, Xwayland
will be started on top of a Wayland Display Server if possible.
If the Wayland display server cannot be started, i.e. when no suitable
driver is around - for instance, when the boot option 'nomodeset' is
used - gdm will attempt to start Xorg as user 'gdm'.
Once the login succeeds, gdm will start a regular Xserver as the logged
in user.

That is true up to version 3.18 of GNOME unless the user explicitly
selects to run the user session on Wayland too (which is possible).

With GNOME 3.20, the 'default' is actually being switched to also have
the user session as a Wayland based session with XWayland on top of
that.

GNOME on X.org will remain an option (to be selected in the login
session chooser) - We are not yet fully decided if we're not switching
this back to be GNOME on X as default though (there are some unresolved
issues like starting of any root GUI app not being possible so far, e.g.
YaST - which is a blocker).

At SUSE we still support UMS drivers - including fbdev. In fact, fbdev
is part of the fallback strategy we employ: since fbdev uses a VESA mode
(which today is set by grub2), this mode will always be available.

The UMS drivers will fail immediately once the Xserver attempts to load
them without root permissions.
For the 'fbdev' it depends: this driver only requires access to
/dev/fb<N> which allows group access of the 'video' group. Thus the
user 'gdm' is able to start it, any other user will fail.
This can be fixed by either setting the appropriate file ACLs or using
systemd-logind granted access.
Setting ACLs for devices is done for DRI devices in /dev/dri/ - it used
to be handled by ConsoleKit but is done by uaccess for systemd, today.



The bigger challenge will be UMS devices. For these the only option I
see would be to start them as root or to use a wrapper script to do this
(this seems to be the present solution at Debian).
The question which remains is, how does GDM know that a wrapper script
is required? It would be easy to test for the presence of KMS, however,
this will often include cases where fbdev can be used. I'm open to
suggestions here ;) - after all, this decision needs to be made in GDM.

This sounds all very much like the suid wrapper Hans de Goede submitted
into the X source tree almost a year ago:
- X is being started as user if it can and as root if it cannot.
- As it's a wrapper, and not just integrated into X, it can be split off
into a separate package (as is done by Debian and Fedora)
- Legacy drivers can require the suid wrapper (as is done in above
mentioned distributions)

Any special treating of GDM is wrong imho: it's just the first DM that
knows how to handle Wayland - and it won't stay the only one.

gdm doesn't have to know that the wrapper is required: it uses the
wrapper when it's on the system - the wrapper decides if it wants to
spawn X as root or if it's safe to drop the privileges and run X as
user (the first case is basically the same we have in all other DMs: X
is run as root - with full root privileges; no dropping of privileges
happens)

Dominique