Debian 9 and X.org

Post by debiantu » 2017-06-29 17:54

Hi all,

I've been reading Debian 9 reviews and found one at:
https://www.theregister.co.uk/2017/06/21/debian_9_review/

The part that I've found interesting to me is in the following:
While Secure Boot did not make the cut, there are many changes in this release that greatly improve the overall security of Debian. Among the most significant, X.Org no longer needs root privileges to run the display server. That eliminates an entire class of attacks that work by going after privilege escalation via X.Org. However, to run X.Org as non-root you'll need to install logind and libpam-systemd and use GDM 3 for your login tool since only GDM 3 supports running it without root privileges.


I was surprised to see this considering in Debian's announcement which can be found at:
https://lists.debian.org/debian-announce/2017/msg00003.html
and you'll find the following:
Administrators and those in security-sensitive environments can be
comforted in the knowledge that the X display system no longer requires
"root" privileges to run.


I would believe the Debian release team on what they say in their announcements over what I read in some other website's article/review.

I decided to check things out myself and I'm running Debian 9 with the Mate desktop from a fresh install. I ran the following command:
Code:
ps aux | grep X

and here's the result of what I get:
Code:
root      571  0.8  5.6 531948 116616 tty7    Ssl+ 07:22  2:38 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch


So it looks like TheRegister's website is correct.. root is used to run X here. I'll need to install logind, libpam-systemd and use GDM3 for my login tool.

Looking through Synaptic - I don't see logind.. but do see login version 1:4.4-4.1 - is that it? I do have libpam-systemd installed.
GDM3 isn't installed.. I've installed that package.. but that looks like it installs the GNOME desktop - has a lot of dependencies...
Chose GDM to be the default.. and rebooted my computer - due to the system being in a Virtualbox machine along with Virtualbox's guest additions being installed - I found that I couldn't boot Debian. I couldn't find any info to uninstall Virtualbox's stuff out of Debian so I've reinstalled Debian with GNOME.

Running Debian with GNOME, I reran the ps aux command as mentioned above and got the following result:
Code:
root      805  0.0  1.9 338572 40572 tty1    Sl+  14:17  0:00 /usr/lib/xorg/Xorg vt1 -displayfd 3 -auth /run/user/117/gdm/Xauthority -background none -noreset -keeptty -verbose 3
root      933  1.2  2.7 365024 55792 tty2    Sl+  14:27  0:04 /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -noreset -keeptty -verbose 3


I have the 3 above mentioned requirements as per TheRegister's article and it still shows root running X.

How do I ensure that x.org isn't run by root as mentioned in Stretch's announcement?

thanks!

Re: Debian 9 and X.org

Post by milomak » 2017-06-29 18:02

maybe the logind that's part of systemd?
Code:
# apt-file search logind
bootstrap-vz: /usr/share/bootstrap-vz/bootstrapvz/common/assets/systemd/logind.conf
cinnamon-screensaver: /usr/share/cinnamon-screensaver/dbusdepot/logindClient.py
debops-playbooks: /usr/share/debops-playbooks/roles/debops.console/templates/etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2
dynalogin-server: /etc/dynalogind.conf
dynalogin-server: /usr/sbin/dynalogind
dynalogin-server: /usr/share/man/man1/dynalogind.1.gz
fp-docs-3.0.0: /usr/share/doc/fp-docs/3.0.0/fcl/db/logindialogexproc.html
fp-docs-3.0.2: /usr/share/doc/fp-docs/3.0.2/fcl/db/logindialogexproc.html
gajim: /usr/share/gajim/src/logind_listener.py
libreoffice-common: /usr/lib/libreoffice/share/config/soffice.cfg/uui/ui/logindialog.ui
logcheck-database: /etc/logcheck/cracking.d/rlogind
logcheck-database: /etc/logcheck/ignore.d.server/klogind
manpages-it: /usr/share/man/it/man8/rlogind.8.gz
manpages-ja: /usr/share/man/ja/man8/rlogind.8.gz
manpages-zh: /usr/share/man/zh_CN/man5/logind.conf.5.gz
manpages-zh: /usr/share/man/zh_TW/man5/logind.conf.5.gz
neovim-runtime: /usr/share/nvim/runtime/ftplugin/logindefs.vim
neovim-runtime: /usr/share/nvim/runtime/syntax/logindefs.vim
python-dbusmock: /usr/lib/python2.7/dist-packages/dbusmock/templates/logind.py
python-dbusmock: /usr/share/doc/python-dbusmock/examples/test_logind.py
python3-dbusmock: /usr/lib/python3/dist-packages/dbusmock/templates/logind.py
python3-dbusmock: /usr/share/doc/python3-dbusmock/examples/test_logind.py
rsh-redone-server: /usr/sbin/in.rlogind
rsh-redone-server: /usr/share/man/man8/in.rlogind.8.gz
rsh-redone-server: /usr/share/man/man8/rlogind.8.gz
rsh-server: /usr/sbin/in.rlogind
rsh-server: /usr/share/man/man8/in.rlogind.8.gz
slony1-2-doc: /usr/share/doc/slony1-2-doc/adminguide/function.addpartiallogindices.html
systemd: /etc/systemd/logind.conf
systemd: /lib/systemd/system/multi-user.target.wants/systemd-logind.service
systemd: /lib/systemd/system/systemd-logind.service
systemd: /lib/systemd/systemd-logind
systemd: /usr/share/man/man5/logind.conf.5.gz
systemd: /usr/share/man/man5/logind.conf.d.5.gz
systemd: /usr/share/man/man8/systemd-logind.8.gz
systemd: /usr/share/man/man8/systemd-logind.service.8.gz
vim-runtime: /usr/share/vim/vim80/ftplugin/logindefs.vim
vim-runtime: /usr/share/vim/vim80/syntax/logindefs.vim
zenmap: /usr/lib/python2.7/dist-packages/zenmapGUI/higwidgets/higlogindialogs.py
iMac - MacOS and Windows 10 (Bootcamp)/ Debian Sid (External SSD)
Laptop (64-bit) - Debian Sid, Win10,
Kodi Box - Debian Sid

Re: Debian 9 and X.org

Post by debiantu » 2017-06-30 11:00

milomak,

I believe you're correct.. Now to wait for someone to reply on how to ensure that x.org doesn't use root to run. :)

Appreciate the tip with apt-file!

Re: Debian 9 and X.org

Post by None1975 » 2017-06-30 12:15

debiantu wrote: I have the 3 above mentioned requirements as per TheRegister's article and it still shows root running X. How do I ensure that x.org isn't run by root as mentioned in Stretch's announcement? thanks!

You are doing something wrong. According to the official announcement:
Only the gdm3 display manager supports running X as a non-privileged user in stretch. Other display managers will always run X as root. Alternatively, you can also start X manually as a non-root user on a virtual terminal via startx.

Personally, I don't use lightDM, Slim, gdm3, or crap like that. I use startx. Here is my output of the
Code:
ps aux | grep X
command:
Code:
mindaug+   945  0.0  0.0  22312  2440 tty1     S+   15:13   0:00 xinit /home/mindaugas/.xinitrc -- /etc/X11/xinit/xserverrc :0 vt1 -keeptty -auth /tmp/serverauth.9rCX4qL4uM
mindaug+   946  3.9  2.9 465332 120696 tty1    Sl   15:13   1:59 /usr/lib/xorg/Xorg -nolisten tcp :0 vt1 -keeptty -auth /tmp/serverauth.9rCX4qL4uM
mindaug+  2510  0.0  0.0  12784   936 pts/3    S+   16:04   0:00 grep --color=auto X
OS: Debian 8.9 / WM: xmonad
Debian Wiki | DontBreakDebian
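
A stricter form of the `ps aux | grep X` check used in this thread, as an added example that is not part of any post: it matches only the X server executable (so `xinit` and `grep` itself are ignored), reads the untruncated effective user, and fails when any X server runs as root. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which user each X server process runs as.
# Expected input, one process per line: "USER PID ARGS...", as printed by
#   ps -eo euser:32,pid,args
# (euser:32 widens the column so long names are not cut to "mindaug+").

# Print "user pid" for each line whose executable is named Xorg or X.
xorg_owners() {
    awk '{
        n = split($3, part, "/")      # part[n] is the executable basename
        if (n > 0 && (part[n] == "Xorg" || part[n] == "X")) print $1, $2
    }'
}

# Exit status: 0 = X server(s) found, none owned by root
#              1 = at least one X server is owned by root
#              2 = no X server process in the input
xorg_is_rootless() {
    owners=$(xorg_owners)
    [ -n "$owners" ] || return 2
    if printf '%s\n' "$owners" | grep -q '^root '; then
        return 1
    fi
    return 0
}

# Constructed sample input, modelled on the ps output quoted in the thread.
SAMPLE_LIGHTDM='root 571 /usr/lib/xorg/Xorg :0 -seat seat0 -nolisten tcp vt7'
SAMPLE_STARTX='mindaugas 945 xinit /home/mindaugas/.xinitrc -- /etc/X11/xinit/xserverrc :0 vt1
mindaugas 946 /usr/lib/xorg/Xorg -nolisten tcp :0 vt1 -keeptty
mindaugas 2510 grep --color=auto X'

# Run with --live to check the current machine instead of the samples.
if [ "${1:-}" = "--live" ]; then
    ps -eo euser:32,pid,args | xorg_owners
    ps -eo euser:32,pid,args | xorg_is_rootless
    exit $?
fi
```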

Re: Debian 9 and X.org

Post by dilberts_left_nut » 2017-06-30 12:21

AdrianTM wrote:There's no hacker in my grandma...