I've been reading Debian 9 reviews and found one at:
https://www.theregister.co.uk/2017/06/2 ... _9_review/
The part that I've found interesting to me is in the following:
While Secure Boot did not make the cut, there are many changes in this release that greatly improve the overall security of Debian. Among the most significant, X.Org no longer needs root privileges to run the display server. That eliminates an entire class of attacks that work by going after privilege escalation via X.Org. However, to run X.Org as non-root you'll need to install logind and libpam-systemd and use GDM 3 for your login tool since only GDM 3 supports running it without root privileges.
I was surprised to see this considering in Debian's announcement which can be found at:
https://lists.debian.org/debian-announc ... 00003.html
and you'll find the following:
Administrators and those in security-sensitive environments can be comforted in the knowledge that the X display system no longer requires "root" privileges to run.
I would believe the Debian release team on what they say in their announcements over what I read in some other website's article/review.
I decided to check things out myself and I'm running Debian 9 with the MATE desktop from a fresh install. I ran the following command:
Code:
ps aux | grep X
Code:
root 571 0.8 5.6 531948 116616 tty7 Ssl+ 07:22 2:38 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
Looking through Synaptic - I don't see logind.. but do see login version 1:4.4-4.1 - is that it? I do have libpam-systemd installed.
GDM3 isn't installed.. I've installed that package.. but that looks like it installs the GNOME desktop - has a lot of dependencies...
Chose GDM to be the default.. and rebooted my computer - due to the system being in a VirtualBox machine along with VirtualBox's guest additions being installed - I found that I couldn't boot Debian. I couldn't find any info to uninstall VirtualBox's stuff out of Debian so I've reinstalled Debian with GNOME.
Running Debian with GNOME, I reran the ps aux command as mentioned above and got the following result:
Code:
root 805 0.0 1.9 338572 40572 tty1 Sl+ 14:17 0:00 /usr/lib/xorg/Xorg vt1 -displayfd 3 -auth /run/user/117/gdm/Xauthority -background none -noreset -keeptty -verbose 3
root 933 1.2 2.7 365024 55792 tty2 Sl+ 14:27 0:04 /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -noreset -keeptty -verbose 3
How do I ensure that X.Org isn't run by root as mentioned in Stretch's announcement?
thanks!
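Added example (not part of the original post): a shell check for the question above that reads `ps aux` output, keeps only the Xorg server processes, and reports whether each one runs as root together with the `-auth` path that shows which display manager started it. The function names and the `alice` and `grep` sample lines are constructed for illustration; the two `root` lines are the outputs quoted in the post.

```shell
#!/bin/sh
# Report the effective user of each Xorg server process.
# Input: lines in `ps aux` format on stdin (USER is field 1, command is field 11).
xorg_owners() {
    awk '
        # Match only the server binary itself, so the "grep X" process and
        # other commands that merely contain an X are not counted.
        $11 ~ /(^|\/)(Xorg|X)$/ {
            auth = "-"
            for (i = 12; i < NF; i++) if ($i == "-auth") auth = $(i + 1)
            verdict = ($1 == "root") ? "ROOT" : "rootless"
            printf "%s %s %s %s\n", $2, $1, verdict, auth
        }'
}

# Exit status: 0 = every Xorg found is non-root, 1 = at least one runs as
# root, 2 = no Xorg process in the input at all.
xorg_is_rootless() {
    report=$(xorg_owners)
    [ -n "$report" ] || return 2
    printf '%s\n' "$report" | awk '$3 == "ROOT" { bad = 1 } END { exit bad + 0 }'
}

# Sample input: lines 1-2 come from the post (LightDM and GDM sessions),
# lines 3-4 are constructed (a non-root Xorg and the grep process itself).
SAMPLE='root 571 0.8 5.6 531948 116616 tty7 Ssl+ 07:22 2:38 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
root 933 1.2 2.7 365024 55792 tty2 Sl+ 14:27 0:04 /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -noreset -keeptty -verbose 3
alice 2001 0.5 2.7 365024 55792 tty3 Sl+ 14:30 0:01 /usr/lib/xorg/Xorg vt3 -displayfd 3 -auth /run/user/1001/gdm/Xauthority -background none -noreset -keeptty -verbose 3
alice 2050 0.0 0.0 12784 936 pts/0 S+ 14:31 0:00 grep X'

# Columns printed: PID USER VERDICT AUTH-FILE
printf '%s\n' "$SAMPLE" | xorg_owners
```

On a live system, pipe the real process list in instead of the sample: `ps aux | xorg_owners`, or `ps aux | xorg_is_rootless` when only the exit status is needed.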