[Secure-testing-team] Bug#809067: lightdm should no longer run the Xorg server as root
Vincent Lefevre
vincent at vinc17.net
Sat Dec 26 22:06:09 UTC 2015
Package: lightdm
Version: 1.16.6-1
Severity: wishlist
Tags: security

The Xorg server no longer needs to be run as root, for security
reasons. See /usr/share/doc/xserver-xorg-core/NEWS.Debian.gz

  xorg-server (2:1.17.3-1) unstable; urgency=medium

    The Xorg server is no longer setuid root by default. This change reduces the
    risk of privilege escalation due to X server bugs, but has some side effects:
    * it relies on logind and libpam-systemd
    * it relies on a kernel video driver (so the userspace component doesn't
      touch the hardware directly)
    * it needs X to run on the virtual console (VT) it was started from
    * it changes the location for storing the Xorg log from /var/log/ to
      ~/.local/share/xorg/

    On systems where those are not available, the new xserver-xorg-legacy package
    is needed to allow X to run with elevated privileges. See the
    Xwrapper.config(5) manual page for configuration details.

   -- Julien Cristau <jcristau at debian.org>  Tue, 27 Oct 2015 22:54:11 +0000

but lightdm still runs it as root:

UID PID PPID C STIME TTY TIME CMD
root 19600 850 1 Dec22 tty7 01:13:20 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
-- System Information:
Debian Release: stretch/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lightdm depends on:
ii adduser 3.113+nmu3
ii dbus 1.10.6-1
ii debconf [debconf-2.0] 1.5.58
ii libaudit1 1:2.4.5-1
ii libc6 2.21-6
ii libgcrypt20 1.6.4-4
ii libglib2.0-0 2.46.2-3
ii libpam-systemd 228-2+b1
ii libpam0g 1.1.8-3.1
ii libxcb1 1.11.1-1
ii libxdmcp6 1:1.1.2-1
ii lightdm-gtk-greeter [lightdm-greeter] 2.0.1-2+local1
Versions of packages lightdm recommends:
ii xserver-xorg 1:7.7+12
Versions of packages lightdm suggests:
pn accountsservice <none>
pn upower <none>
-- Configuration Files:
/etc/lightdm/lightdm.conf changed:
[LightDM]
[Seat:*]
greeter-hide-users=false
[XDMCPServer]
[VNCServer]
-- debconf information:
lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm
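
A check for the condition this report describes, as an added example that is not part of the original message: it classifies X server processes by owner from `ps -eo user=,pid=,args=` output and reads `needs_root_rights` from an Xwrapper.config. The sample lines and the user `alice` are constructed, and /etc/X11/Xwrapper.config is the assumed Debian location of the wrapper configuration.

```shell
#!/bin/sh
# Added example (not from the bug report): report which user each X server runs as.

# Read `ps -eo user=,pid=,args=` lines on stdin; print "PID USER VERDICT"
# for every process whose executable basename is Xorg or X.
classify_xorg() {
    awk '{
        n = split($3, path, "/")
        if (path[n] != "Xorg" && path[n] != "X") next
        verdict = ($1 == "root" || $1 == "0") ? "ROOT" : "unprivileged"
        print $2, $1, verdict
    }'
}

# Read an Xwrapper.config on stdin; print its needs_root_rights value.
# "auto" is printed when the key is absent (the wrapper then autodetects).
wrapper_root_rights() {
    awk -F= '
        /^[ \t]*#/ { next }
        { key = $1; val = $2
          gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
          if (key == "needs_root_rights") found = val }
        END { print (found == "" ? "auto" : found) }'
}

# Constructed sample: the first line is modelled on the ps output in the report,
# the second is a hypothetical unprivileged server for contrast.
SAMPLE='root 19600 /usr/lib/xorg/Xorg :0 -seat seat0 -nolisten tcp vt7 -novtswitch
alice 2101 /usr/lib/xorg/Xorg vt2 -displayfd 3
alice 2150 /usr/bin/xterm'

if [ "${1:-}" = "--live" ]; then
    # Inspect the running system instead of the sample.
    ps -eo user=,pid=,args= | classify_xorg
    if [ -r /etc/X11/Xwrapper.config ]; then
        echo "needs_root_rights=$(wrapper_root_rights < /etc/X11/Xwrapper.config)"
    fi
else
    printf '%s\n' "$SAMPLE" | classify_xorg
fi
```

Run with `--live` on the machine under review; a `ROOT` verdict for a server started by the display manager is the situation reported here.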