Slashdot Mirror

← Back to Stories (view on slashdot.org)

Moblin Will Run X Server As Logged-In User, Not Root

Posted by timothy on from the such-a-little-thing-makes-such-a-big-difference dept.

nerdyH writes "An architect of the Moblin Project has announced that Moblin 2.0 for netbooks and nettops is the first Linux distribution to run the X server as the logged-in user, rather than SUID'd to root. The fix to this decades-old security liability comes thanks to 'NRX' (No-root X) technology reportedly developed by Intel, Red Hat, and others in the X community, and the Moblin-sponsored 'Secure X' project. Besides making Linux netbooks a lot more snoop-proof, it seems like this could lead to an X-hosting renaissance of sorts, since you wouldn't be risking the whole system just to open up a specific user's account to remote X servers."

27 of 205 comments (clear)

  1. Confused article. by Timothy+Brownawell · · Score: 5, Insightful

    Linux's SUID X server problem has been kind of a "dirty little secret" for many years. Most modern distributions include a few crude workarounds, such as dimming the display and then freezing X whenever the user is asked to type in a root password. Getting rid of the SUID bit altogether ought to make netbooks powered by Moblin technology much more difficult to snoop on over the network.

    This does not make sense. Graphical sudo wrappers have nothing to do with X being suid, and neither does anything to do with network traffic.

    It seems likely that with NRX technology, you could run X apps over a network with much less risk to the app server (the system that runs the "X client" component, in the backwards terminology of X).

    This is actually backwards, the only place there's less risk is for the system that the X server is running on.

  2. X Hosting? by Microlith · · Score: 4, Informative

    I'm not sure I grasp the concept of X Hosting, and how this non-SUID server would help that.

    X is not required to be running on the remote system for X11 forwarding over SSH. Even running an Xvnc server doesn't require it to be SUID. This seems to be entirely a local security gain for users who will be interacting with local graphics hardware.

    1. Re:X Hosting? by timeOday · · Score: 3, Insightful

      Besides, X, although designed explicitly from the beginning to host remote applications, sucks at it. It is unusable on a link with any significant latency, and cannot migrate a client to a new server. VNC and Remote Desktop, though seemingly less elegant solutions, work much better, mainly because they are synchronized more loosely.

  3. Re:One of the shortcommings in security by Freetardo+Jones · · Score: 5, Informative

    I don't know how they've done it, but I know this is a good thing.

    They've done it by removing the responsibility of X talking directly to the graphics hardware by implementing Kernel Mode Switching for graphics drivers (among other much needed overhauls to the Linux graphics stack). Thus X can now access what it needs at the logged-in users' level and doesn't need root.

  4. Poor understanding of X by Anonymous Coward · · Score: 5, Informative

    The article repeats the common misunderstanding: "in the backwards terminology of X"

    What exactly is backwards about this? X is the server, and the apps are clients.

    Think about it: The client initiates the conversation with the server. The client tells the server what to do.

    How is this backwards?

    1. Re:Poor understanding of X by Nutria · · Score: 4, Informative

      How is this backwards?

      It's only backwards in human thought, because people have the ingrained presupposition that the server is the Big Machine In Another Room, and the client is the Little Machine On Your Desk.

      --
      "I don't know, therefore Aliens" Wafflebox1
  5. Re:One of the shortcommings in security by Timothy+Brownawell · · Score: 4, Informative

    Just got fixed by this. To be honest, I don't know how they've done it, but I know this is a good thing. This will make X and linux more secure and I can only applaud that.

    I think what is basically boils down to, is that instead of X talking to the hardware directly it now talks to a file under /dev/ just like everything else.

  6. Re:frost nixon by msuarezalvarez · · Score: 4, Insightful

    It doesn't?

  7. Stupid by jmorris42 · · Score: 3, Informative

    > it seems like this could lead to an X-hosting renaissance of sorts,
    > since you wouldn't be risking the whole system just to open up a
    > specific user's account to remote X servers.

    What a clueless statement. Somebody doesn't understand how X works. The server part that runs SUID root has never ran on the app server.

    What this does do is stop a random remote app getting to root on your workstation but any local exploit of the X server gets them your user account and that can cause a lot of mischief and only needs a different local root exploit to get the rest of the way to 0wn1ng your local desktop machine.

    --
    Democrat delenda est
  8. Remote X servers? by TerranFury · · Score: 3, Informative

    I am a bit confused by the submitter's comment about remote X servers. I understand the appeal of remote X clients: I can, e.g., log into a big fast machine and run MATLAB (the X client) there while interacting with the window on my less-powerful laptop (which runs the X server). But what's the point of a remote X server? Why would anyone want to run an X server (software sense of 'server') on a server (hardware sense of 'server')?

    1. Re:Remote X servers? by Freetardo+Jones · · Score: 3, Informative

      It's not just the submitter. Apparently the writer of the blog post themselves don't even understand X all that well.

    2. Re:Remote X servers? by TerranFury · · Score: 3, Informative

      The "X server" runs on the machine with the keyboard, mouse, and display. An "X client" is a program (e.g., xterm) that connects to an "X server" to which it sends drawing commands and from which it receives mouse and keyboard events. In the "writing network software sense," these names make sense, because it is the "X server" that sits and listens on a port, and the "X clients" that connect to it. What makes this confusing is that in practice an "X server" will usually run on a user's machine (which you would normally call a 'client') and an "X client" will run on a big machine elsewhere (which you would normally call a 'server'). The problem comes from using the words "client" and "server" to describe both programs and machines; basically, our jargon sucks.

    3. Re:Remote X servers? by TerranFury · · Score: 4, Insightful

      The problem is that we use the words "client" and "server" to refer both to the programs and to the machines they run on. Usually server machines run server programs, but not always (and consider true P2P stuff where programs are both clients and servers). Maybe we need to throw out all the words and replace them with alternatives like "listener" and "caller" for the programs and... "big machine" and "little machine" for the computers? :-)

  9. Re:IMHO by jmorris42 · · Score: 5, Informative

    > Can someone spare me reading the article and let me know if DRI is still possible without root?

    Yup, this whole thing rests on the new kernel modesetting. That was the last thing that required root to be able to directly frob bits on the video card. DRI also goes into the kernel as it should. The kernel is supposed to own all of the hardware and expose safe APIs for user apps to access it. For historical reasons video has been the exception to that rule. No longer.

    --
    Democrat delenda est
  10. Re:IMHO by Enleth · · Score: 3, Interesting

    Er, the same way USB was for years? Actually, DRI, too. The driver exposes a pseudo-device in /dev/, which actually is a socket-like, high-throughput mmap wrapper and the X server opens it. Given appropriate file permissions and group membership, this can be done from a user account.

    --
    This is Slashdot. Common sense is futile. You will be modded down.
  11. Graphics drivers by Chemisor · · Score: 5, Insightful

    If graphics drivers were implemented in the kernel instead of the X server, this problem wouldn't have existed in the first place.

    1. Re:Graphics drivers by Wesley+Felter · · Score: 3, Interesting

      Yes, it's interesting that KGI was rejected 10 years ago, but now we have KMS. What has changed?

    2. Re:Graphics drivers by Anonymous Coward · · Score: 3, Funny

      Linus isn't perfect

      I met Linus in person a while back and asked him about this. He disagrees with you.

      Since he's perfect, I kinda have to go with him on this one.

    3. Re:Graphics drivers by TheRaven64 · · Score: 4, Insightful

      KGI was a massively-complicated API which failed to actually expose the useful features of the hardware, while KMS allows the same userspace device drivers (with a small amount of kernel-mode validation, for example of DMA requests) that X11 already uses but removes the need for X11 to be run as root and makes virtual terminals and power saving play nicely with X11.

      --
      I am TheRaven on Soylent News
  12. Re:Correct me if im wrong by metamatic · · Score: 4, Informative

    The X server is the program on the local machine that displays the pixels.

    The program you run on some other system via the net is the client, even if the thing it's running on is called a server.

    The X server traditionally runs as root. You are likely unaware of this because it's started automatically as part of the init process.

    The X server running as root is independent of whether the X client is running as root.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  13. Re:Two questions: by Wesley+Felter · · Score: 3, Insightful

    1. Does this mean you can't login at a graphical interface? I.e. will you have to login at a terminal and then wait for X server to come up?

    No. There should be a login X server (running as root or nobody or whatever) to display GDM, then during login this server will exit and launch a new server under your uid. Or something like that.

    2. If multiple users login, will each user get their own instance of X server? This seems like overkill...

    I think fast user switching already works that way. We don't consider it overkill that each user gets their own instance of Firefox; why is X any different?

  14. Is this right ? by bytesex · · Score: 4, Interesting

    I am not sure that this is the right solution. Not running it as root is good, but running it as me - I don't know. I'd rather that the user that runneth the X server is some sort of 'xserver' user - to whose process I connect. That 'xserver' user then has the right to push my screen into VGA mode and all that. Also, this doesn't fix all those other services (that gnome has, for example) that allow my X programs to mount stuff etc. Which is, again, a security risk by itself.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  15. Have you used Moblin? by SlickSlacker · · Score: 5, Informative

    I just loaded it on my Eee PC and it turns the machine into a kiosk. Very unappealing for anyone who actually wants to use their netbook. Its very flashy and friendly if all you do is check your email and browse the web though.

    --
    Mr. Green
    1. Re:Have you used Moblin? by Freetardo+Jones · · Score: 4, Insightful

      Its very flashy and friendly if all you do is check your email and browse the web though.

      Almost like that was the entire point of the distro in the first place!

  16. Re:IMHO by jmorris42 · · Score: 4, Informative

    > Sounds like Windows NT 3.5, wonder if it will get moved back into kernel
    > space for performance reasons just like NT4 moved video back into kernel space.

    Not the same thing. The video hardware belongs in the kernel in exactly the same way as sound, mass storage and the keyboard/mouse do. *NIX and Windows are now alike in that and it is good.

    What Windows did was bring most of the next layer up the chain into kernel space. This would be more like putting the whole X server and bits of GTK and/or Qt into the kernel, not just running it as root. Yes it improved performance some, but the security implications are horrific.

    --
    Democrat delenda est
  17. Re:One of the shortcommings in security by TheRaven64 · · Score: 3, Interesting

    Not exactly. There is an average of one bug per 1,000 lines of new code. X.org has been in constant development since 1984. A lot of those 2,000 will have already been fixed. Note that X.org is part of the OpenBSD base system and so undergoes the same kind of rigourous code review. X.org, XFree86, and then X.org is probably the most reviewed and tested piece of software in widespread use.

    --
    I am TheRaven on Soylent News
  18. Re:frost nixon by Zero__Kelvin · · Score: 4, Insightful

    No, it doesn't. It runs most everything as the "Administrator" user, which is a lot like a root account, but without even the level of security that logging into Linux/Unix as root provides ;-)

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun