OpenBSD 6.4 lost X windows for user

[staus]

Just installed the latest version 6.4 on my Lenovo laptop. It was working absolutely perfectly for me using the Blackbox wm. I saw the latest patch 001 and did a syspatch. After that I can no longer get X11 to run for a user, only root.

This is what is in the Xorg.0.log file for the user:

failed to open /dev/xf86 and /dev/mem, permission denied

also:

check that the /etc/sysctl.conf file has 'machdep.allowaperature=1'

No screens found, server terminated.

The /etc/sysctl.conf file didn't exist. I created it. and now when the system is booting up an error is displayed saying - machdep.allowaperature=1, second level name is invalid

I still have root running X11, but not a user. Not sure if the patch killed X or not.

Please help

[jggimi]

The second level name is "aperture" - it contains only one "a".

(I'm running -current on my laptop and 6.3 on production servers, and have not yet deployed this patch yet, so I am not yet able to recreate your problem.)

[staus]

Thanks a lot. I probably did misspell 'aperture'. I will make the change tomorrow and let you know. I still have no idea what 'machdep.allowaperture=1' means or does, and why now after a patch.

[Prevet]

I had some trouble with a video card not being detected, so I changed that value. I discussed it on the forums a while back, so if you search on it it might help you. There is a sample sysctl.conf file in the /etc/examples folder. If you look up machdep.allowaperture in that file there is a comment to read the man entry for xf86.

I wonder if the problem could be anything to do with this?
http://daemonforums.org/showthread.php?t=10811

[jggimi]

Intel and Radeon video cards which use Kernel Mode Setting (KMS) via drm(4) do not use the xf86(4) aperture driver. Users of those cards will still see a warning message in the Xorg log, which can be ignored.

However, since I don't have the patch installed on any of my systems -- my -current laptop is about a week old, and my production systems are 6.3 and aren't X-capable, I can only conjecture that there is some sort of permissions issue going on here. Perhaps due to how X is being started.

[bsd007]

I too cant start xfce after installing the patch. Very frustrating. I am using Lubuntu now.

[jggimi]

OK. I'm going to recommend the following steps for staus and bsd007.

First start X with xenodm(1) if you are not already doing so. If you are already doing so, please let us know.

1. xenodm(1) requires the use of a .xsession script in your user's home directory.

   If you don't have one because you use startx(1) or xinit(1) instead, you can link your user's .xinitrc script to it. When logged in on the console as your user, change directory to your user's home directory and link the file with $ ln .xinitrc .xsession.

2. Enable xenodm to start on boot with # rcctl enable xenodm.
3. # reboot.

Second if that does not solve the problem, please let us know. Post your full dmesg(8) and /var/log/Xorg.0.log files here, or, if you prefer, reach out to the OpenBSD Project by submitting a bug report. I have not seen a problem report on the bugs@ mailing list regarding this issue yet, which is why I will guess using xenodm(1) may solve the problem. Bug reporting instructions may be found here: https://www.openbsd.org/report.html

[fvgit]

The fallout of the setuid removal for the x server is starting to hit the mailing lists. Looks like jggimi's assessment is spot on, as usual:

Quote:

I had a startx setup, which broke. When I switched to xenodm, it works
fine, plus it needed moving the ~/.xinitrc + ~/.xsession files away.
Can somebody
please add an entry to current.html in the FAQ?

https://marc.info/?l=openbsd-cvs&m=154055902931851&w=2

[staus]

I followed jggimi's advice, and I have been able to start X as a user again.

Thanks.

[jmccue]

No Issues with xenodm(1) here after the patch (6.4).

When the news hit, I removed the setuid /usr/X11R6/bin/Xorg as soon as I read about it, late yesterday night I applied the patch.

The interesting thing was the patch turned on the setiud (which I removed afterwards). I was thinking it would be removed by the patch, but I may have mis-read the lists

Anyway, very impressed with the speed of the fix by the OpenBSD team

[acampbell]

Thanks, Iggimi, for the information about Xenodm. This certainly gets X working. But I'm left with some niggles which I'm still trying to resolve, and I have to admit to being sorely tempted to restore setuid to Xorg as I'm the only user with access to my desktop. Would thjs be very unwise?

[fvgit]

If you do that, someone who manages to compromise your box remotely by any 3rd party software, for instance browser, irc, anything networked etc. will have priviledge escalation presented on a silver platter.

Think of it this way: this was a bug in the base system. Who knows how many exploitable bugs (in one way or another) are lingering undetected somewhere in the ports tree?

Your threat assesment probably depends on your level of paranoia. I know I wouldn't do it.

EDIT: I just realised your system is in a post patch state, which means the dangerous option was removed IIRC. But still, you'd be giving a binary unnecessary priviledges which you don't really need.

[jggimi]

Quote:

Originally Posted by acampbell

...unwise?

Yes, I believe it is unwise. True, you are the only user with physical access to your workstation. And yes, this is considered a local exploit. Unfortunately, physical access is not required to execute local programs. Consider:

• You use a browser.
• You browser executes instructions locally, which are sent to it from remote websites. (the obvious example: JavaScript)
• You connect to websites you explicitly intend to connect to, such as this one.
• You also connect to many, many, many more websites than those you explicitly intend to connect to.

If you have operational issues using xenodm(1), which is the Project's recommended solution, then open a new thread discussing them.

[acampbell]

Thanks to both for replies. Makes sense. I hope the startx issue gets resolved later.

Meanwhile, I'll fiddle some more with Xenodm and if I can't find a solution I'll start a new thread as suggested.

[TheTKS]

OpenBSDE 6.4 + XFCE, X wouldn't start for users but did for root after xserver patch - mostly recovered

Here's how I installed 6.4 with XFCE and mostly recovered after the xserver patch broke a few things

- Installed OpenBSD 6.4 with XFCE late this past week, not using xenodm, starting XFCE via command startxfce4, two local users (one in wheel group, one not - I'm using this installation to learn OpenBSD)
- XFCE started from console via startxfce4 command and worked as expected for root and each user, installed a few packages
- After patch, XFCE opened and worked as expected only for root. For both wheel and non-wheel users, XFCE and wm's would not launch as described in OpenBSD Misc mailing list thread titled "can't start X in 6.4"
- Enabled and started xenodm, rebooted
- XFCE still launched and ran normally for root, signing in from xenodm sign in page
- Users launched in fvwm from xenodm sign in page. From console, if I ran startxfce4, panels would appear, but XFCE wallpaper didn't and windows were fvwm
- To each of /root, /home/UserInWheelGroup and /home/UserNotInWheelGroup, I used nano to create .xsession with command *startxfce4 [edited] exec startxfce4*, rebooted
- Now XFCE launches and runs normally for wheel and non-wheel users from xenodm sign in page
- Now can't sign in as root from xenodm sign in page. Is this normal? If so, fine (but how do I sign in as root, if I want to?) If not, then I still have to figure this bit out.

TKS


Sources
- RibaLinux instructions to install 6.0 with XFCE (but skipping some steps and adapting instructions to 6.4)
- OpenBSD Misc mailing list, thread titled "can't start X in 6.4". Theo said switch to xenodm.
- https://www.openbsd.org/faq/faq11.html "The X Window system"
- Posts in this thread earlier than this one. Special thanks to jggimi in post 7.

[shep]

Quote:

Originally Posted by TheTKS

- Now can't sign in as root from xenodm sign in page. Is this normal? If so, fine (but how do I sign in as root, if I want to?) If not, then I still have to figure this bit out.

By default, there are 5 virtual terminals with Xorg/Xfce4 taking the 5th (Mueller Pun).

<Ctrl>+<Alt>+<F3> will bring up the 3rd Virtual terminal and you can login as root or a user.

[jggimi]

Quote:

Originally Posted by TheTKS

...Now can't sign in as root from xenodm sign in page. Is this normal?

No. If you have NO .xsession file, root will log on with the fvwm(1) window manager. It is likely that your /root/.xsession file is misconfigured. There might be errors listed within /var/log/xenodm.log.

It is possible to prevent root login through setting the Authentication Widget xlogin.Login.allowRootLogin to false, but this would have been something you would have been aware of doing.

[hitest]

Quote:

Originally Posted by TheTKS

OpenBSDE 6.4 + XFCE, X wouldn't start for users but did for root after xserver patch - mostly recovered

I have XFCE4 working for a regular user with xenodm, all patches applied. I installed consolekit2 which I found from a how to on the web.

Here's my /etc/rc.conf.local:

Code:

bsd$ cat /etc/rc.conf.local
xenodm_flags=""
pkg_scripts="messagebus"
ntpd_flags="-s"

Here's my .xession file:

Code:

bsd$ cat .xsession
exec ck-launch-session startxfce4

I also don't like that xconsole popping up all the time so I commented it out:

Code:

bsd$ cat /etc/X11/xenodm/Xsetup_0
#!/bin/sh
# $OpenBSD: Xsetup_0,v 1.5 2018/07/17 11:52:12 matthieu Exp $

#xconsole -geometry 480x130-0-0 -daemon -notify -verbose -fn fixed 
-exitOnFail

# sxpm OpenBSD.xpm &

[TheTKS]

Quote:

Originally Posted by hitest

I have XFCE4 working for a regular user with xenodm, all patches applied. I installed consolekit2 which I found from a how to on the web.

Here's my /etc/rc.conf.local:

Code:

bsd$ cat /etc/rc.conf.local
xenodm_flags=""
pkg_scripts="messagebus"
ntpd_flags="-s"

Here's my .xession file:

Code:

bsd$ cat .xsession
exec ck-launch-session startxfce4

I also don't like that xconsole popping up all the time so I commented it out:

Code:

bsd$ cat /etc/X11/xenodm/Xsetup_0
#!/bin/sh
# $OpenBSD: Xsetup_0,v 1.5 2018/07/17 11:52:12 matthieu Exp $

#xconsole -geometry 480x130-0-0 -daemon -notify -verbose -fn fixed 
-exitOnFail

# sxpm OpenBSD.xpm &

As of today:

- Both syspatches applied

- My /etc/rc.conf.local contains

Code:

xenodm_flags=""

- My two user .xsessions contain only

Code:

exec startxfce4

I will look into what your extra term does

... and XFCE launches for both regular users. None of the X error messages showed up that other people have been reporting after syspatch 2 (which Theo has said in the mailing lists not to worry about.)

hitest, thanks for the tip on getting rid of xconsole. Not a big deal for me, but it is distracting and I haven't yet seen it display any useful info, which if there were, I expect will be in a log.


TKS

[hitest]

Quote:

Originally Posted by TheTKS

- My two user .xsessions contain only

Code:

exec startxfce4

I will look into what your extra term does

I can shutdown my computer by clicking on my name and clicking on shutdown. I don't need a terminal prompt to shutdown XFCE.