Moblin Will Run X Server As Logged-In User, Not Root

nerdyH writes "An architect of the Moblin Project has announced that Moblin 2.0 for netbooks and nettops is the first Linux distribution to run the X server as the logged-in user, rather than SUID'd to root. The fix to this decades-old security liability comes thanks to 'NRX' (No-root X) technology reportedly developed by Intel, Red Hat, and others in the X community, and the Moblin-sponsored 'Secure X' project. Besides making Linux netbooks a lot more snoop-proof, it seems like this could lead to an X-hosting renaissance of sorts, since you wouldn't be risking the whole system just to open up a specific user's account to remote X servers."

Confused article.

[Timothy+Brownawell]

Linux's SUID X server problem has been kind of a "dirty little secret" for many years. Most modern distributions include a few crude workarounds, such as dimming the display and then freezing X whenever the user is asked to type in a root password. Getting rid of the SUID bit altogether ought to make netbooks powered by Moblin technology much more difficult to snoop on over the network.

This does not make sense. Graphical sudo wrappers have nothing to do with X being suid, and neither does anything to do with network traffic.

It seems likely that with NRX technology, you could run X apps over a network with much less risk to the app server (the system that runs the "X client" component, in the backwards terminology of X).

This is actually backwards, the only place there's less risk is for the system that the X server is running on.

X Hosting?

[Microlith]

I'm not sure I grasp the concept of X Hosting, and how this non-SUID server would help that.

X is not required to be running on the remote system for X11 forwarding over SSH. Even running an Xvnc server doesn't require it to be SUID. This seems to be entirely a local security gain for users who will be interacting with local graphics hardware.

Re:X Hosting?

[John+Hasler]

> I'm not sure I grasp the concept of X Hosting, and how this non-SUID server would help
> that.

It wouldn't. The author of the article hasn't the foggiest notion of how X works (well, he does have a foggy notion, but it's wrong). The machine(s) running the client(s) run only the client code and run it as the user.

Re:X Hosting?

[timeOday]

Besides, X, although designed explicitly from the beginning to host remote applications, sucks at it. It is unusable on a link with any significant latency, and cannot migrate a client to a new server. VNC and Remote Desktop, though seemingly less elegant solutions, work much better, mainly because they are synchronized more loosely.

Re:X Hosting?

[Eravnrekaree]

Ive used X over network connections and I know this to be incorrect, at least over a ethernet. THere are also solutions avialable for the problems you mention, or which can be addressed. There are various products that will compress the X data stream so that it uses less bandwidth and can perform quite acceptably. Such as NX. There was for a while a provide called xmove which was an X proxy to which your X clients would connect, you can send xmove command to redirect the display of the X client between different X servers, allowing your X programs to be moved between X servers. The code is out of date but it would be a useful thing to have that sort of capability and would strengthen X as a remote desktop solution. X is actually a very successful and well performing system and is a very well designed graphics system that actually exceeds windows in capability.

Correct me if im wrong

But running apps remotely and having them display on a local X server _NEVER_ required root access of any kind on the remote server....

Re:Correct me if im wrong

[metamatic]

The X server is the program on the local machine that displays the pixels.

The program you run on some other system via the net is the client, even if the thing it's running on is called a server.

The X server traditionally runs as root. You are likely unaware of this because it's started automatically as part of the init process.

The X server running as root is independent of whether the X client is running as root.

Re:One of the shortcommings in security

[Freetardo+Jones]

I don't know how they've done it, but I know this is a good thing.

They've done it by removing the responsibility of X talking directly to the graphics hardware by implementing Kernel Mode Switching for graphics drivers (among other much needed overhauls to the Linux graphics stack). Thus X can now access what it needs at the logged-in users' level and doesn't need root.

Poor understanding of X

The article repeats the common misunderstanding: "in the backwards terminology of X"

What exactly is backwards about this? X is the server, and the apps are clients.

Think about it: The client initiates the conversation with the server. The client tells the server what to do.

How is this backwards?

Re:Poor understanding of X

[Nutria]

How is this backwards?

It's only backwards in human thought, because people have the ingrained presupposition that the server is the Big Machine In Another Room, and the client is the Little Machine On Your Desk.

Re:One of the shortcommings in security

[Timothy+Brownawell]

Just got fixed by this. To be honest, I don't know how they've done it, but I know this is a good thing. This will make X and linux more secure and I can only applaud that.

I think what is basically boils down to, is that instead of X talking to the hardware directly it now talks to a file under /dev/ just like everything else.

Re:frost nixon

[msuarezalvarez]

It doesn't?

Stupid

[jmorris42]

> it seems like this could lead to an X-hosting renaissance of sorts,
> since you wouldn't be risking the whole system just to open up a
> specific user's account to remote X servers.

What a clueless statement. Somebody doesn't understand how X works. The server part that runs SUID root has never ran on the app server.

What this does do is stop a random remote app getting to root on your workstation but any local exploit of the X server gets them your user account and that can cause a lot of mischief and only needs a different local root exploit to get the rest of the way to 0wn1ng your local desktop machine.

Re:Stupid

[jmorris42]

> Yeah, the submitter is clearly clueless as is timothy since he couldn't notice such a glaring error.

Well the Slashdot editors went to the Grey Side (Mac) a decade ago so what the hell would they know about X. The /. servers are still *NIX so they know and care about that side a bit.

> Which basically makes it harder for someone to get root access since they have to find another exploit to gain it.

Sure, this move is a win for security because X was big complicated and running as root, but not cause for great rejoicing as at any point in time there is usually an unpatched local root exploit or two out in the underworld. We really need to worry more about security before we start hitting the lamestream media every few weeks..

Remote X servers?

[TerranFury]

I am a bit confused by the submitter's comment about remote X servers. I understand the appeal of remote X clients: I can, e.g., log into a big fast machine and run MATLAB (the X client) there while interacting with the window on my less-powerful laptop (which runs the X server). But what's the point of a remote X server? Why would anyone want to run an X server (software sense of 'server') on a server (hardware sense of 'server')?

Re:Remote X servers?

[Freetardo+Jones]

It's not just the submitter. Apparently the writer of the blog post themselves don't even understand X all that well.

Re:Remote X servers?

[TerranFury]

The "X server" runs on the machine with the keyboard, mouse, and display. An "X client" is a program (e.g., xterm) that connects to an "X server" to which it sends drawing commands and from which it receives mouse and keyboard events. In the "writing network software sense," these names make sense, because it is the "X server" that sits and listens on a port, and the "X clients" that connect to it. What makes this confusing is that in practice an "X server" will usually run on a user's machine (which you would normally call a 'client') and an "X client" will run on a big machine elsewhere (which you would normally call a 'server'). The problem comes from using the words "client" and "server" to describe both programs and machines; basically, our jargon sucks.

Re:Remote X servers?

[TerranFury]

The problem is that we use the words "client" and "server" to refer both to the programs and to the machines they run on. Usually server machines run server programs, but not always (and consider true P2P stuff where programs are both clients and servers). Maybe we need to throw out all the words and replace them with alternatives like "listener" and "caller" for the programs and... "big machine" and "little machine" for the computers? :-)

Re:Remote X servers?

[not-my-real-name]

A remote X-server is what runs the video wall. I can run the client program on my workstation and have it display on the wall.

Now, I just need to install the video wall in my underground lair.

Re:IMHO

[jmorris42]

> Can someone spare me reading the article and let me know if DRI is still possible without root?

Yup, this whole thing rests on the new kernel modesetting. That was the last thing that required root to be able to directly frob bits on the video card. DRI also goes into the kernel as it should. The kernel is supposed to own all of the hardware and expose safe APIs for user apps to access it. For historical reasons video has been the exception to that rule. No longer.

Re:IMHO

[Enleth]

Er, the same way USB was for years? Actually, DRI, too. The driver exposes a pseudo-device in /dev/, which actually is a socket-like, high-throughput mmap wrapper and the X server opens it. Given appropriate file permissions and group membership, this can be done from a user account.

Graphics drivers

[Chemisor]

If graphics drivers were implemented in the kernel instead of the X server, this problem wouldn't have existed in the first place.

Re:Graphics drivers

[Wesley+Felter]

Yes, it's interesting that KGI was rejected 10 years ago, but now we have KMS. What has changed?

Re:Graphics drivers

[Hatta]

If graphics drivers were implemented in the kernel instead of X, you would have to write new drivers for every kernel you want to run X on.

Re:Graphics drivers

[Wesley+Felter]

We have that situation for all other drivers and somehow we survived. Also, it's common for vendors to write a single BSD-licensed driver and then port it to multiple OSes, sharing most of the code.

Re:Graphics drivers

[Freetardo+Jones]

What has changed?

The fanatics have become more reasonable?

Re:Graphics drivers

Linus isn't perfect

I met Linus in person a while back and asked him about this. He disagrees with you.

Since he's perfect, I kinda have to go with him on this one.

Re:Graphics drivers

[TheRaven64]

KGI was a massively-complicated API which failed to actually expose the useful features of the hardware, while KMS allows the same userspace device drivers (with a small amount of kernel-mode validation, for example of DMA requests) that X11 already uses but removes the need for X11 to be run as root and makes virtual terminals and power saving play nicely with X11.

Re:Two questions:

[Wesley+Felter]

1. Does this mean you can't login at a graphical interface? I.e. will you have to login at a terminal and then wait for X server to come up?

No. There should be a login X server (running as root or nobody or whatever) to display GDM, then during login this server will exit and launch a new server under your uid. Or something like that.

2. If multiple users login, will each user get their own instance of X server? This seems like overkill...

I think fast user switching already works that way. We don't consider it overkill that each user gets their own instance of Firefox; why is X any different?

Is this right ?

[bytesex]

I am not sure that this is the right solution. Not running it as root is good, but running it as me - I don't know. I'd rather that the user that runneth the X server is some sort of 'xserver' user - to whose process I connect. That 'xserver' user then has the right to push my screen into VGA mode and all that. Also, this doesn't fix all those other services (that gnome has, for example) that allow my X programs to mount stuff etc. Which is, again, a security risk by itself.

Re:Is this right ?

[kelnos]

I am not sure that this is the right solution. Not running it as root is good, but running it as me - I don't know. I'd rather that the user that runneth the X server is some sort of 'xserver' user - to whose process I connect. That 'xserver' user then has the right to push my screen into VGA mode and all that.

As another poster mentioned, this makes multi-user X a bit more difficult. What's the issue of having your user ID doing all this? If you're allowed to log into the console, then you're presumably allowed to run X (or not; you can still lock down the machine so particular users can't run X or access the graphics hardware). If you can run X, you can talk to the graphics hardware. Note that this doesn't give you carte-blanche to fiddle with the graphics card's registers to try to make the machine crash: you only get certain actions as provided by the DRI interface.

Also, this doesn't fix all those other services (that gnome has, for example) that allow my X programs to mount stuff etc. Which is, again, a security risk by itself.

No, you just don't understand how it works. X apps do not mount things. HAL (or, soon, DeviceKit-disks) mounts things on behalf of authenticated requests from X apps (or console apps, even). HAL/DeviceKit are system daemons that have no GUI. Frameworks like PolicyKit and ConsoleKit ensure that you aren't mounting or unmounting things you shouldn't be.

Re:Is this right ?

[drinkypoo]

What's the issue of having your user ID doing all this?

A remote hole in a process run as 'nobody' allows some log files to be trashed, maybe.

A remote hole in a process run as me allows all of my data to be destroyed.

Re:Is this right ?

[Ash-Fox]

It prevents any exploits for the xserver user from being able to effect the rest of the system outside of the confines of the user and whatever it can interface with graphically. Thus preventing it from gaining control to the rest of the system easily. Plus, selinux, apparmor can likely be enhanced to enforce the rules upon the xserver in other ways when it is running as a user process.

Re:One of the shortcommings in security

[Hatta]

How big of a security problem was this? I haven't seen a linux system with open ports for X in 10 years. Anyone who wants to use remote X just uses ssh -X, it's easier to set up than xhost anyway.

Re:IMHO

[afidel]

Sounds like Windows NT 3.5, wonder if it will get moved back into kernel space for performance reasons just like NT4 moved video back into kernel space.

Re:IMHO

[sofar]

Yes, DRI access is done through /dev/dri* and works correctly.

Have you used Moblin?

[SlickSlacker]

I just loaded it on my Eee PC and it turns the machine into a kiosk. Very unappealing for anyone who actually wants to use their netbook. Its very flashy and friendly if all you do is check your email and browse the web though.

Re:Have you used Moblin?

[Freetardo+Jones]

Its very flashy and friendly if all you do is check your email and browse the web though.

Almost like that was the entire point of the distro in the first place!

Re:One of the shortcommings in security

[kelnos]

Well, if the flaw is in an X *library*, it doesn't matter, as only the clients (running as the regular user) use those. The X server doesn't need or use libX11, libXrandr, libXext, etc. at all.

But yes, true -- any exploitable flaw in the X server itself (or any of the extensions compiled into or loaded dynamically by the server) could result in root access.

Re:IMHO

[jmorris42]

> Sounds like Windows NT 3.5, wonder if it will get moved back into kernel
> space for performance reasons just like NT4 moved video back into kernel space.

Not the same thing. The video hardware belongs in the kernel in exactly the same way as sound, mass storage and the keyboard/mouse do. *NIX and Windows are now alike in that and it is good.

What Windows did was bring most of the next layer up the chain into kernel space. This would be more like putting the whole X server and bits of GTK and/or Qt into the kernel, not just running it as root. Yes it improved performance some, but the security implications are horrific.

Re:One of the shortcommings in security

[TheRaven64]

Not exactly. There is an average of one bug per 1,000 lines of new code. X.org has been in constant development since 1984. A lot of those 2,000 will have already been fixed. Note that X.org is part of the OpenBSD base system and so undergoes the same kind of rigourous code review. X.org, XFree86, and then X.org is probably the most reviewed and tested piece of software in widespread use.

Re:frost nixon

[Zero__Kelvin]

No, it doesn't. It runs most everything as the "Administrator" user, which is a lot like a root account, but without even the level of security that logging into Linux/Unix as root provides ;-)

I don't know...

[earnest+murderer]

Certainly this isn't worse than the current situation. But if my data is still at risk I have a hard time caring much about any "security" advantage.

Without my data the machine is worse than worthless.

Why not take it one step further?

[kasperd]

Since there was never any reason for the X server and the clients to need to use the same uid, why move the X server from root to the logged in user? It could as well be moved from root to a uid dedicated to the X server. Then you would get another level of separation, at essentially no price. (There is of course a caveat in case you have multiple X servers running at the same time, but that could be solved by allocating a uid per X server).

Does graphics mode switching inside the kernel mean that we can soon expect switching between VTs to work even if the X server is locked up? Or is the keyboard handling still going to prevent that? (Doing the switching from a remote login would work around the keyboard issue).

SunOS and Solaris have always operated this way.

[efalk]

I was a video driver developer for Sun for many years. The window system *always* ran as the logged-in user. When I started developing for Linux, I was appalled when I realized that Linux ran the windows server as root.

Here's how we did it at Sun: For every supported video card, there is a device driver. The driver provides basic services such as cursor and color-table management (there are advantages to doing this in the kernel), and additionally allows the user logged in at the console to map in the device registers. This means that the window system doesn't need any special privileges to run.

There are other advantages to having a device driver manage user-level hardware mapping. Not the least of which is that it allowed us to implement full-bore context switching at the device level. The advantages of this are enormous.