Debian 9 and X.org

debiantu
Posts: 18
Joined: 2017-03-18 22:41

Debian 9 and X.org

#1 Post by debiantu »

Hi all,

I've been reading Debian 9 reviews and found one at:
https://www.theregister.co.uk/2017/06/2 ... _9_review/

The part that I've found interesting to me is in the following:
While Secure Boot did not make the cut, there are many changes in this release that greatly improve the overall security of Debian. Among the most significant, X.Org no longer needs root privileges to run the display server. That eliminates an entire class of attacks that work by going after privilege escalation via X.Org. However, to run X.Org as non-root you'll need to install logind and libpam-systemd and use GDM 3 for your login tool since only GDM 3 supports running it without root privileges.
I was surprised to see this considering in Debian's announcement which can be found at:
https://lists.debian.org/debian-announc ... 00003.html
and you'll find the following:
Administrators and those in security-sensitive environments can be
comforted in the knowledge that the X display system no longer requires
"root" privileges to run.
I would believe the Debian release team on what they say in their announcements over what I read in some other website's article/review.

I decided to check things out myself and I'm running Debian 9 with the Mate desktop from a fresh install. I ran the following command:

Code:

ps aux | grep X
and here's the result of what I get:

Code:

root      571  0.8  5.6 531948 116616 tty7    Ssl+ 07:22  2:38 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
So it looks like TheRegister's website is correct.. root is used to run X here. I'll need to install logind, libpam-systemd and use GDM3 for my login tool.

Looking through Synaptic - I don't see logind.. but do see login version 1:4.4-4.1 - is that it? I do have libpam-systemd installed.
GDM3 isn't installed.. I've installed that package.. but that looks like it installs the GNOME desktop - has a lot of dependencies...
Chose GDM to be the default.. and rebooted my computer - due to the system being in a Virtualbox machine along with Virtualbox's guest additions being installed - I found that I couldn't boot Debian. I couldn't find any info to uninstall Virtualbox's stuff out of Debian so I've reinstalled Debian with GNOME.

Running Debian with GNOME, I reran the ps aux command as mentioned above and got the following result:

Code:

root      805  0.0  1.9 338572 40572 tty1    Sl+  14:17  0:00 /usr/lib/xorg/Xorg vt1 -displayfd 3 -auth /run/user/117/gdm/Xauthority -background none -noreset -keeptty -verbose 3
root      933  1.2  2.7 365024 55792 tty2    Sl+  14:27  0:04 /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -noreset -keeptty -verbose 3
I have the 3 above mentioned requirements as per TheRegister's article and it still shows root running X.

How do I ensure that x.org isn't run by root as mentioned in Stretch's announcement?

thanks!

milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Debian 9 and X.org

#2 Post by milomak »

maybe the logind that's part of systemd?

Code:

# apt-file search logind 
bootstrap-vz: /usr/share/bootstrap-vz/bootstrapvz/common/assets/systemd/logind.conf
cinnamon-screensaver: /usr/share/cinnamon-screensaver/dbusdepot/logindClient.py
debops-playbooks: /usr/share/debops-playbooks/roles/debops.console/templates/etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2
dynalogin-server: /etc/dynalogind.conf
dynalogin-server: /usr/sbin/dynalogind
dynalogin-server: /usr/share/man/man1/dynalogind.1.gz
fp-docs-3.0.0: /usr/share/doc/fp-docs/3.0.0/fcl/db/logindialogexproc.html
fp-docs-3.0.2: /usr/share/doc/fp-docs/3.0.2/fcl/db/logindialogexproc.html
gajim: /usr/share/gajim/src/logind_listener.py
libreoffice-common: /usr/lib/libreoffice/share/config/soffice.cfg/uui/ui/logindialog.ui
logcheck-database: /etc/logcheck/cracking.d/rlogind
logcheck-database: /etc/logcheck/ignore.d.server/klogind
manpages-it: /usr/share/man/it/man8/rlogind.8.gz
manpages-ja: /usr/share/man/ja/man8/rlogind.8.gz
manpages-zh: /usr/share/man/zh_CN/man5/logind.conf.5.gz
manpages-zh: /usr/share/man/zh_TW/man5/logind.conf.5.gz
neovim-runtime: /usr/share/nvim/runtime/ftplugin/logindefs.vim
neovim-runtime: /usr/share/nvim/runtime/syntax/logindefs.vim
python-dbusmock: /usr/lib/python2.7/dist-packages/dbusmock/templates/logind.py
python-dbusmock: /usr/share/doc/python-dbusmock/examples/test_logind.py
python3-dbusmock: /usr/lib/python3/dist-packages/dbusmock/templates/logind.py
python3-dbusmock: /usr/share/doc/python3-dbusmock/examples/test_logind.py
rsh-redone-server: /usr/sbin/in.rlogind
rsh-redone-server: /usr/share/man/man8/in.rlogind.8.gz
rsh-redone-server: /usr/share/man/man8/rlogind.8.gz
rsh-server: /usr/sbin/in.rlogind
rsh-server: /usr/share/man/man8/in.rlogind.8.gz
slony1-2-doc: /usr/share/doc/slony1-2-doc/adminguide/function.addpartiallogindices.html
systemd: /etc/systemd/logind.conf
systemd: /lib/systemd/system/multi-user.target.wants/systemd-logind.service
systemd: /lib/systemd/system/systemd-logind.service
systemd: /lib/systemd/systemd-logind
systemd: /usr/share/man/man5/logind.conf.5.gz
systemd: /usr/share/man/man5/logind.conf.d.5.gz
systemd: /usr/share/man/man8/systemd-logind.8.gz
systemd: /usr/share/man/man8/systemd-logind.service.8.gz
vim-runtime: /usr/share/vim/vim80/ftplugin/logindefs.vim
vim-runtime: /usr/share/vim/vim80/syntax/logindefs.vim
zenmap: /usr/lib/python2.7/dist-packages/zenmapGUI/higwidgets/higlogindialogs.py
Desktop: A320M-A PRO MAX, AMD Ryzen 5 3600, GALAX GeForce RTX™ 2060 Super EX (1-Click OC) - Sid, Win10, Arch Linux, Gentoo, Solus
Laptop: hp 250 G8 i3 11th Gen - Sid
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid

debiantu
Posts: 18
Joined: 2017-03-18 22:41

Re: Debian 9 and X.org

#3 Post by debiantu »

milomak,

I believe you're correct.. Now to wait for someone to reply on how to ensure that x.org doesn't use root to run. :)

Appreciate the tip with apt-file!

None1975
df -h | participant
Posts: 1389
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 45 times
Been thanked: 66 times

Re: Debian 9 and X.org

#4 Post by None1975 »

debiantu wrote: I have the 3 above mentioned requirements as per TheRegister's article and it still shows root running X. How do I ensure that x.org isn't run by root as mentioned in Stretch's announcement? thanks!
You are doing something wrong. According to the official announcement:
Only the gdm3 display manager supports running X as a non-privileged user in stretch. Other display managers will always run X as root. Alternatively, you can also start X manually as a non-root user on a virtual terminal via startx.
Personally, I don't use LightDM, Slim, gdm3, or crap like that. I use startx. Here is my output of the

Code:

ps aux | grep X
command:

Code:

mindaug+   945  0.0  0.0  22312  2440 tty1     S+   15:13   0:00 xinit /home/mindaugas/.xinitrc -- /etc/X11/xinit/xserverrc :0 vt1 -keeptty -auth /tmp/serverauth.9rCX4qL4uM
mindaug+   946  3.9  2.9 465332 120696 tty1    Sl   15:13   1:59 /usr/lib/xorg/Xorg -nolisten tcp :0 vt1 -keeptty -auth /tmp/serverauth.9rCX4qL4uM
mindaug+  2510  0.0  0.0  12784   936 pts/3    S+   16:04   0:00 grep --color=auto X
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github
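
An added example, not part of any post in this thread: `ps aux | grep X` also matches the grep process itself and truncates long user names (the `mindaug+` above), so this sketch filters on the executable name and the numeric effective UID instead. The function names and the sample lines are constructed for illustration; the live command assumes procps `ps`.

```shell
#!/bin/sh
# Added example: classify X server processes by effective UID.
# Input lines have the shape printed by procps `ps -eo euid=,pid=,args=`.

# classify_xorg: read such lines on stdin; for each X server print
# "ROOT <pid>" (effective UID 0) or "OK <pid> uid=<n>".
# Matching on the basename of the executable keeps "grep X" and xinit,
# which merely mention X on their command lines, out of the result.
classify_xorg() {
    awk '{
        n = split($3, path, "/")
        exe = path[n]
        if (exe == "Xorg" || exe == "X") {
            if ($1 == "0") print "ROOT", $2
            else           print "OK", $2, "uid=" $1
        }
    }'
}

# count_root_xorg: number of X servers on stdin running with effective UID 0.
count_root_xorg() {
    classify_xorg | awk '$1 == "ROOT" { n++ } END { print n + 0 }'
}

# Constructed sample modelled on the ps output quoted in this thread
# (UID 1000 stands in for the unprivileged desktop user).
sample_ps() {
    cat <<'EOF'
   0   805 /usr/lib/xorg/Xorg vt1 -displayfd 3 -auth /run/user/117/gdm/Xauthority
1000   945 xinit /home/mindaugas/.xinitrc -- /etc/X11/xinit/xserverrc :0 vt1 -keeptty
1000   946 /usr/lib/xorg/Xorg -nolisten tcp :0 vt1 -keeptty
1000  2510 grep --color=auto X
EOF
}

# Live use: ps -eo euid=,pid=,args= | classify_xorg
```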

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Debian 9 and X.org

#5 Post by dilberts_left_nut »

AdrianTM wrote:There's no hacker in my grandma...

ruffwoof
Posts: 298
Joined: 2016-08-20 21:00

Re: Debian 9 and X.org

#6 Post by ruffwoof »

Bumping a year+ old thread - as of Buster gksu is going. It's good practice to not run X as root, nor use gui to log into root.

Edit /etc/default/grub to
# GRUB_CMDLINE_LINUX_DEFAULT # comment out so textual boot messages
GRUB_CMDLINE_LINUX="text"
GRUB_TERMINAL="console"
.. and run update-grub && systemctl set-default multi-user.target

Set the system to auto login 'user' by editing /etc/systemd/logind.conf and change #NAutoVTs=6 to NAutoVTs=1 and also create /etc/systemd/system/getty@tty1.service.d/override.conf containing ...
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin user --noclear %I 38400 linux
... and enable that by running systemctl enable getty@tty1.service

Set the system so you need to be a member of wheel group to su ... but don't add 'user' to the wheel group i.e. edit /etc/pam.d/su and uncomment the line auth required pam_wheel.so. Whilst you could leave things as-is with user able to su, there's temptation for you to open a terminal in X and run su and enter the root password - which others could be watching.

Reboot and that auto logs you in as user on tty1, run startx to start your desktop. Use ctrl-alt-F6 to login at a console/cli into root. I like to increase the console font size by running dpkg-reconfigure console-setup and setting a larger font size. Installing/running tmux and mc are two nice additions to make the console look better IMO. Installing sudo and adding certain root commands/actions for user to that is another means of reducing having to use cli/console for root type actions.
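
A read-only check of the settings described in the post above, added here as an example and not part of ruffwoof's post. The function names are hypothetical and the file paths are passed in as arguments; it assumes pam_wheel is used without a group= option, in which case the module consults the wheel group if one exists and otherwise the group with GID 0.

```shell
#!/bin/sh
# Added example: verify the su restriction and autologin setup from the post.
# Nothing is modified; every function only reads the file it is given.

# pam_wheel_required FILE: succeed if FILE has an active (uncommented)
# "auth required pam_wheel.so" line. Module options are not interpreted.
pam_wheel_required() {
    awk '$1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" { found = 1 }
         END { exit !found }' "$1"
}

# autologin_user FILE: print the user named after --autologin in the last
# matching ExecStart= line of a getty drop-in.
autologin_user() {
    awk '/^ExecStart=.*--autologin/ {
             for (i = 1; i < NF; i++) if ($i == "--autologin") user = $(i + 1)
         }
         END { if (user != "") print user }' "$1"
}

# in_su_group USER GROUPFILE: succeed if USER is listed as a member of the
# group pam_wheel consults: "wheel" when present, otherwise the GID 0 group.
in_su_group() {
    awk -F: -v u="$1" '
        $1 == "wheel" { wheel = $4; have_wheel = 1 }
        $3 == "0"     { gid0 = $4 }
        END {
            n = split(have_wheel ? wheel : gid0, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) exit 0
            exit 1
        }' "$2"
}

# Live use (paths as named in the post):
#   pam_wheel_required /etc/pam.d/su || echo "su is not restricted"
#   u=$(autologin_user /etc/systemd/system/getty@tty1.service.d/override.conf)
#   in_su_group "$u" /etc/group && echo "autologin user $u can still su"
```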
