Running X as root

PlatinumTrinity · Tux's lil' helper Joined: 10 Mar 2020 Posts: 100

If you follow the handbook like I did you end up with a system that runs X as root. I know this is a security risk and not the suggested way to run X anymore. I am curious how one goes about running X as a regular user while still being able to use DEs like KDE. I'm probably going to re-install Gentoo this week and this time I plan on focusing on security as I'm doing it instead of just getting a working system.

How bad is it to run X as root if I've been proactive about security in other places? I'm using a single user system. I can't run Wayland because of my hardware.

DaggyStyle · Watchman Joined: 22 Mar 2006 Posts: 5929

PlatinumTrinity · Tux's lil' helper Joined: 10 Mar 2020 Posts: 100

DaggyStyle · Watchman Joined: 22 Mar 2006 Posts: 5929

PlatinumTrinity · Tux's lil' helper Joined: 10 Mar 2020 Posts: 100

asturm · Developer Joined: 05 Apr 2007 Posts: 9297

DaggyStyle · Watchman Joined: 22 Mar 2006 Posts: 5929

hedmo · Veteran Joined: 29 Aug 2009 Posts: 1331 Location: sweden

GDH-gentoo · Posted: Sat Jan 02, 2021 2:42 pm Post subject:

The funny thing is, if you use a display manager, Xorg will run as root even if x11-base/xorg-server was installed with USE=-suid, because most display managers run as root themselves, and spawn the X server without dropping privileges.

So most of the time, Xorg will run with an unprivileged effective user only if it was launched with startx.

Hu · Administrator Joined: 06 Mar 2007 Posts: 22720

There is an ambiguity here around the phrase "runs X as root". Historically, the Xorg binary was setuid root and would have an effective uid of root regardless of who started it. At that time, the guidance to "not run X as root" was that you should log in as a non-root user, such as the larry user that hedmo referenced, and run your desktop that way. This would give the Xorg process root, but all your regular applications would run as larry. Recently, the standard was changed such that Xorg would not be setuid root, and "not run X as root" now means both that your applications should be larry and that your Xorg server should be larry.

DaggyStyle: yes, USE=-suid produces a non-setuid Xorg, which relies on elogind (recommended by the responsible Gentoo maintainers) or on the user managing group memberships (deprecated by the responsible Gentoo maintainers) to provide the server with sufficient privilege to operate properly.

[Edit to add italicized text for clarity.]

Tony0945 · Posted: Sat Jan 02, 2021 6:31 pm Post subject:

Hu, recently I had to partition a drive and create a filesystem. I could have used command line tools with sudo or opened an xterm and run sudo gparted. gparted is in the menu but doesn't actually run because of lack of privilege. What I did was log into xdm as root and ran gparted straight from the menu. Then I logged out and re-logged in as tony to download a stage3 and do the rest of the install from an xterm. I did not access the internet as root and I think that's the main concern. What would you have done? Just curious.

Hu · Administrator Joined: 06 Mar 2007 Posts: 22720

I would have used the CLI, but that's because I prefer the CLI tools over gparted, rather than any specific security concern. If I needed to use gparted, I probably would've tried to run it as root from my user's X session, because that would be less disruptive to me than starting a root X session just for that process. That is again a convenience driven choice, rather than a security driven one. I recommend against having root-owned X applications open while running anything too complicated for you to trust what it will do (browsers, games, etc.), but mixing a root X application with a session that is otherwise just xterm / $EDITOR seems fine to me.

You're correct that the main concern with logging in as root is that everything runs as root, so the user must be careful to run only programs which can be trusted with full privilege. Complex programs, such as browsers, are so complicated that the current wisdom is that they need to be sandboxed to have even less privilege than your average user shell, so running them as root goes in exactly the wrong direction. Perhaps less obviously, some GUI file managers ought not be run as root, not due to their security history, but because they can make it so easy for a bad click to do serious damage. For example, a click&drag of /lib to /home could, if not promptly corrected, have confusing and debilitating consequences. While a root shell can just as easily use mv to do this, the user is less likely to accidentally type mv /lib /home than they are to click on /lib, drag, and release while over /home. I picked these directories as an example because they are adjacent in the common filesystem layout, and lib is sufficiently critical that if you were to reboot before correcting the problem, your system would probably be broken enough to require a rescue session. GUI file managers do not, as far as I know, routinely include are-you-sure prompts for a move operation that does not delete data, so it falls to the user to stay out of trouble. It's easier to stay out of trouble if breaking the system requires typing a multi-word command than if it only requires a bad click&drag.

Tony0945 · Posted: Sat Jan 02, 2021 9:23 pm Post subject:

No, I would never browse, check e-mail or game as root. I do like the graphical presentation of gparted and by selecting things with the mouse there is less chance of a disastrous typo.
I don't use caja or anything like that, just for preference. I also like gsmartcontrol. It's easier to read. But, that's why we have choices. I'd really hate to see the command line tools go away and I suspect you would like Gentoo to keep the choice of GUI tools, even though you don't use them yourself.

Oh, the one GUI that I regularly use is "Network Neighborhood" or whatever Mate calls their version. It's just too hard to scan a long list of files on another machine without using a mouse. But I do hate icons instead of text.