
Postby debiantu » 2017-06-29 17:54

Hi all,

I've been reading Debian 9 reviews and found one at:

The part that I've found interesting to me is in the following:
While Secure Boot did not make the cut, there are many changes in this release that greatly improve the overall security of Debian. Among the most significant, X.Org no longer needs root privileges to run the display server. That eliminates an entire class of attacks that work by going after privilege escalation via X.Org. However, to run X.Org as non-root you'll need to install logind and libpam-systemd and use GDM 3 for your login tool since only GDM 3 supports running it without root privileges.

I was surprised to see this considering in Debian's announcement which can be found at:
and you'll find the following:
Administrators and those in security-sensitive environments can be
comforted in the knowledge that the X display system no longer requires
"root" privileges to run.

I would believe the Debian release team on what they say in their announcements over what I read in some other website's article/review.

I decided to check things out myself and I'm running Debian 9 with the Mate desktop from a fresh install. I ran the following command:
ps aux | grep X

and here's the result of what I get:
root      571  0.8  5.6 531948 116616 tty7    Ssl+ 07:22  2:38 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch

So it looks like TheRegister's website is correct.. root is used to run X here. I'll need to install logind, libpam-systemd and use GDM3 for my login tool.

Looking through Synaptic - I don't see logind.. but do see login version 1:4.4-4.1 - is that it? I do have libpam-systemd installed.
GDM3 isn't installed.. I've installed that package.. but that looks like it installs the GNOME desktop - has a lot of dependencies...
Chose GDM to be the default.. and rebooted my computer - due to the system being in a Virtualbox machine along with Virtualbox's guest additions being installed - I found that I couldn't boot Debian. I couldn't find any info to uninstall Virtualbox's stuff out of Debian so I've reinstalled Debian with GNOME.

Running Debian with GNOME, I reran the ps aux command as mentioned above and got the following result:
root      805  0.0  1.9 338572 40572 tty1    Sl+  14:17  0:00 /usr/lib/xorg/Xorg vt1 -displayfd 3 -auth /run/user/117/gdm/Xauthority -background none -noreset -keeptty -verbose 3
root      933  1.2  2.7 365024 55792 tty2    Sl+  14:27  0:04 /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -noreset -keeptty -verbose 3

I have the 3 above mentioned requirements as per TheRegister's article and it still shows root running X.

How do I ensure that isn't run by root as mentioned in Stretch's announcement?

Re: Debian 9 and

Postby milomak » 2017-06-29 18:02

maybe the logind that's part of systemd?
# apt-file search logind
bootstrap-vz: /usr/share/bootstrap-vz/bootstrapvz/common/assets/systemd/logind.conf
cinnamon-screensaver: /usr/share/cinnamon-screensaver/dbusdepot/
debops-playbooks: /usr/share/debops-playbooks/roles/debops.console/templates/etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2
dynalogin-server: /etc/dynalogind.conf
dynalogin-server: /usr/sbin/dynalogind
dynalogin-server: /usr/share/man/man1/dynalogind.1.gz
fp-docs-3.0.0: /usr/share/doc/fp-docs/3.0.0/fcl/db/logindialogexproc.html
fp-docs-3.0.2: /usr/share/doc/fp-docs/3.0.2/fcl/db/logindialogexproc.html
gajim: /usr/share/gajim/src/
libreoffice-common: /usr/lib/libreoffice/share/config/soffice.cfg/uui/ui/logindialog.ui
logcheck-database: /etc/logcheck/cracking.d/rlogind
logcheck-database: /etc/logcheck/ignore.d.server/klogind
manpages-it: /usr/share/man/it/man8/rlogind.8.gz
manpages-ja: /usr/share/man/ja/man8/rlogind.8.gz
manpages-zh: /usr/share/man/zh_CN/man5/logind.conf.5.gz
manpages-zh: /usr/share/man/zh_TW/man5/logind.conf.5.gz
neovim-runtime: /usr/share/nvim/runtime/ftplugin/logindefs.vim
neovim-runtime: /usr/share/nvim/runtime/syntax/logindefs.vim
python-dbusmock: /usr/lib/python2.7/dist-packages/dbusmock/templates/
python-dbusmock: /usr/share/doc/python-dbusmock/examples/
python3-dbusmock: /usr/lib/python3/dist-packages/dbusmock/templates/
python3-dbusmock: /usr/share/doc/python3-dbusmock/examples/
rsh-redone-server: /usr/sbin/in.rlogind
rsh-redone-server: /usr/share/man/man8/in.rlogind.8.gz
rsh-redone-server: /usr/share/man/man8/rlogind.8.gz
rsh-server: /usr/sbin/in.rlogind
rsh-server: /usr/share/man/man8/in.rlogind.8.gz
slony1-2-doc: /usr/share/doc/slony1-2-doc/adminguide/function.addpartiallogindices.html
systemd: /etc/systemd/logind.conf
systemd: /lib/systemd/system/
systemd: /lib/systemd/system/systemd-logind.service
systemd: /lib/systemd/systemd-logind
systemd: /usr/share/man/man5/logind.conf.5.gz
systemd: /usr/share/man/man5/logind.conf.d.5.gz
systemd: /usr/share/man/man8/systemd-logind.8.gz
systemd: /usr/share/man/man8/systemd-logind.service.8.gz
vim-runtime: /usr/share/vim/vim80/ftplugin/logindefs.vim
vim-runtime: /usr/share/vim/vim80/syntax/logindefs.vim
[apt-file search results showing logind is part of systemd package]
Re: Debian 9 and

Postby debiantu » 2017-06-30 11:00


I believe you're correct.. Now to wait for someone to reply on how to ensure that doesn't use root to run. :)

Appreciate the tip with apt-file!
Re: Debian 9 and

Postby None1975 » 2017-06-30 12:15

debiantu wrote: I have the 3 above mentioned requirements as per TheRegister's article and it still shows root running X. How do I ensure that isn't run by root as mentioned in Stretch's announcement? thanks!

You are doing something wrong. According to the official announcement:
Only the gdm3 display manager supports running X as a non-privileged user in stretch. Other display managers will always run X as root. Alternatively, you can also start X manually as a non-root user on a virtual terminal via startx.

Personally, I don't use LightDM, SLiM, gdm3, or crap like that. I use startx. Here is my output of
ps aux | grep X
mindaug+   945  0.0  0.0  22312  2440 tty1     S+   15:13   0:00 xinit /home/mindaugas/.xinitrc -- /etc/X11/xinit/xserverrc :0 vt1 -keeptty -auth /tmp/serverauth.9rCX4qL4uM
mindaug+   946  3.9  2.9 465332 120696 tty1    Sl   15:13   1:59 /usr/lib/xorg/Xorg -nolisten tcp :0 vt1 -keeptty -auth /tmp/serverauth.9rCX4qL4uM
mindaug+  2510  0.0  0.0  12784   936 pts/3    S+   16:04   0:00 grep --color=auto X
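A stricter form of the `ps aux | grep X` check used in this thread, as an added example that is not part of any post: it matches only the X server binary itself (not xinit or the grep process) and reports which user each server runs as. The function names, the `--live` switch and the sample lines (user `alice`) are constructed for illustration; the live mode assumes procps `ps`, where `user:32` widens the column so names are not cut to forms like `mindaug+`.

```shell
#!/bin/sh
# Added example: classify X server processes by the user they run as.

# Reads "USER PID TTY ARGS..." lines on stdin (the layout produced by
# `ps -eo user:32,pid,tty,args`) and prints one line per X server:
#   ROOT <pid> <tty>          server runs as root
#   USER <pid> <tty> <user>   server runs as an unprivileged user
classify_x_servers() {
    awk '
        # Field 4 is argv[0]; accept only the server binary (Xorg or X).
        $4 ~ "(^|/)(Xorg|X)$" {
            if ($1 == "root") printf "ROOT %s %s\n", $2, $3
            else              printf "USER %s %s %s\n", $2, $3, $1
        }'
}

# Prints how many X servers in the same input run as root.
count_root_x() {
    classify_x_servers | awk '$1 == "ROOT" { n++ } END { print n + 0 }'
}

# Constructed sample: one display-manager-started server (root) and one
# startx session (unprivileged), plus two lines that must be ignored.
sample_ps() {
    cat <<'EOF'
root   571  tty7  /usr/lib/xorg/Xorg :0 -seat seat0 -nolisten tcp vt7 -novtswitch
alice  945  tty1  xinit /home/alice/.xinitrc -- /etc/X11/xinit/xserverrc :0 vt1 -keeptty
alice  946  tty1  /usr/lib/xorg/Xorg -nolisten tcp :0 vt1 -keeptty
alice  2510 pts/3 grep --color=auto X
EOF
}

# "--live" checks the running system instead of the sample.
if [ "${1:-}" = "--live" ]; then
    ps -eo user:32,pid,tty,args | classify_x_servers
fi
```

Run it with `--live` after each change of display manager or login method; any `ROOT` line means that X server still has root privileges.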
Re: Debian 9 and

Postby dilberts_left_nut » 2017-06-30 12:21

Re: Debian 9 and

Postby ruffwoof » 2018-10-01 07:07

Bumping a year+ old thread - as of Buster gksu is going. It's good practice to not run X as root, nor use a GUI to log into root.

Edit /etc/default/grub to
# GRUB_CMDLINE_LINUX_DEFAULT # comment out so textual boot messages
.. and run update-grub && systemctl set-default

Set the system to auto login 'user' by editing /etc/systemd/logind.conf and change #NAutoVTs=6 to NAutoVTs=1 and also create /etc/systemd/system/getty@tty1.service.d/override.conf containing ...
ExecStart=-/sbin/agetty --autologin user --noclear %I 38400 linux
... and enable that by running systemctl enable getty@tty1.service

Set the system so you need to be a member of wheel group to su ... but don't add 'user' to the wheel group i.e. edit /etc/pam.d/su and uncomment the line auth required Whilst you could leave things as-is with user able to su, there's temptation for you to open a terminal in X and run su and enter the root password - which others could be watching.

Reboot and that auto logs you in as user on tty1, run startx to start your desktop. Use ctrl-alt-F6 to login at a console/cli into root. I like to increase the console font size by running dpkg-reconfigure console-setup and setting a larger font size. Installing/running tmux and mc are two nice additions to make the console look better IMO. Installing sudo and adding certain root commands/actions for user to that is another means of reducing having to use cli/console for root type actions.
