Bug#801401: Workarounds for rootless Xorg
Xorg without setuid is a good thing for security. But it's still
possible to manage without systemd-logind.
As outlined in http://hansdegoede.livejournal.com/14268.html, several
privileges needed by xorg are moved to be managed in logind. Those
privileges can be provided alternatively as follows:
* Access to /dev/input/event*
These are rw for the input group by default. For security against
keyloggers, input group permission shouldn't be given to normal users.
Therefore you can use setgid on /usr/lib/xorg/Xorg for the input group.
This is only intended for a single-user scenario.
* Access to /dev/dri/card*
These are rw for the video group by default. Add yourself to the video group.
* Privilege to drmSetMaster()
If there is only one drm device no setup is needed.
* Access to /dev/tty1 (for example)
Need to chown /dev/tty1 to yourself first, and startx with vt01.
Also see the prior discussion https://wiki.ubuntu.com/X/Rootless
This is probably against the design goal of systemd and won't ever be
supported. But my sysvinit setup with the above workarounds (not using
xserver-xorg-legacy) is this:
/etc/inittab:
# init runs a process field containing shell metacharacters as sh -c "exec <field>";
# the leading ';' makes that exec a no-op so the whole chain runs in the shell.
1:2345:respawn:;chown xlz /dev/tty1;chgrp input /usr/lib/xorg/Xorg;chmod g+s /usr/lib/xorg/Xorg;exec su - xlz -c 'exec startx'
~/.xserverrc:
#!/bin/sh
# hand the server the VT chowned above; -nolisten tcp keeps it off the network
exec /usr/bin/X -nolisten tcp "$@" vt01
which works fine. If you have multiple graphics cards, or your graphics
driver does not support KMS, then there will be more problems.
Several annoyances in ~/.local/share/xorg/Xorg.0.log
xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)
This is a non-fatal error because "[KMS] drivers that don't need I/O
access", and thus can be ignored.
(EE) dbus-core: error connecting to system bus:
org.freedesktop.DBus.Error.FileNotFound (Failed to connect to socket
/var/run/dbus/system_bus_socket: No such file or directory)
This spams Xorg.0.log every 10 seconds, and it is impossible to turn
off without rebuilding xorg.
Regards,
Lingzhu
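An added shell script (mine, not part of the bug report) that checks the four logind-free preconditions the report lists on a running system: Xorg setgid to input, no world-accessible /dev/input/event* nodes, the X user in the video group, and /dev/tty1 owned by the X user. It assumes GNU stat and the paths from the report; the "audit" argument and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): checks for the rootless Xorg
# workarounds described above. Assumes GNU stat and the report's paths.
# Every check returns 0 when the precondition holds, 1 otherwise.

# Xorg binary must carry the setgid bit and be group-owned by GROUP (input).
check_xorg_setgid() {
    [ -g "$1" ] && [ "$(stat -c %G "$1" 2>/dev/null)" = "$2" ]
}

# No DIR/event* node may be readable or writable by "other": otherwise any
# local user could read keystrokes, which is the keylogger risk the report names.
check_input_devs() {
    for dev in "$1"/event*; do
        [ -e "$dev" ] || continue
        case "$(stat -c %a "$dev")" in
            *0) ;;          # last octal digit 0: no access for "other"
            *)  return 1 ;;
        esac
    done
    return 0
}

# USER must be in GROUP (video owns /dev/dri/card* by default).
check_user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# The VT handed to the server (vt01 -> /dev/tty1) must be owned by USER.
check_tty_owner() {
    [ "$(stat -c %U "$1" 2>/dev/null)" = "$2" ]
}

# Run all checks for USER (default: current user); print each failure, return 1 if any.
audit_rootless_xorg() {
    user=${1:-$(id -un)}
    rc=0
    check_xorg_setgid /usr/lib/xorg/Xorg input ||
        { echo "Xorg is not setgid with group input"; rc=1; }
    check_input_devs /dev/input ||
        { echo "some /dev/input/event* nodes are world-accessible"; rc=1; }
    check_user_in_group "$user" video ||
        { echo "$user is not in group video"; rc=1; }
    check_tty_owner /dev/tty1 "$user" ||
        { echo "/dev/tty1 is not owned by $user"; rc=1; }
    return $rc
}

# Usage: sh rootless-check.sh audit [user]
if [ "${1:-}" = "audit" ]; then audit_rootless_xorg "${2:-}"; fi
```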