DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 16th December 2018
behemoth's Avatar
behemoth behemoth is offline
UnixCentric life
 
Join Date: Jun 2014
Posts: 3
Default setuid bit removed from /usr/X11R6/bin/Xorg

So startx can no longer be used by non-root users.

The best way to start Xorg by non-root users now is:

# rcctl enable xenodm
# rcctl start xenodm

but I prefer to have a command line option as before.

Any solutions?
__________________
"Information wants to be free"
Reply With Quote
  #2   (View Single Post)  
Old 16th December 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,596
Default

You can have xenodm autologin on boot.

The only way to start X from command line is as root, which is not a best practice.
Reply With Quote
  #3   (View Single Post)  
Old 16th December 2018
behemoth's Avatar
behemoth behemoth is offline
UnixCentric life
 
Join Date: Jun 2014
Posts: 3
Default

Ok, many thanks.
__________________
"Information wants to be free"
Reply With Quote
  #4   (View Single Post)  
Old 16th December 2018
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Bloaty McBloatFace
 
Join Date: Dec 2015
Location: London
Posts: 133
Default

If the setuid bit is manually re-applied then X will run from a console log in as the normal user (but this is also not best practice).
Code:
doas chmod u+s $(which Xorg)
Use `chmod u-s` to revert the change.
__________________
Linux is for people who hate Windows. BSD is for people who love UNIX.
Reply With Quote
  #5   (View Single Post)  
Old 16th December 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,596
Default

Which runs X as root.
Reply With Quote
  #6   (View Single Post)  
Old 17th December 2018
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Bloaty McBloatFace
 
Join Date: Dec 2015
Location: London
Posts: 133
Default

Quote:
Originally Posted by jggimi View Post
Which runs X as root.
Well, it runs X with elevated privileges, yes, but `top` shows that the process is owned by my user:
Code:
62974 empty      2    0   18M   27M sleep/0   poll      0:08  1.76% Xorg
I thought this was what the OP wanted, apologies for the noise if I was mistaken.
__________________
Linux is for people who hate Windows. BSD is for people who love UNIX.
Reply With Quote
  #7   (View Single Post)  
Old 17th December 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,596
Default

It's a very useful observation, and worthy of discussion.
  1. If the setuid and setgid file mode bits are observed by the OS,
  2. the executed process is run with the permissions and authority of the user and/or group of the file.
  3. The user owner of /usr/X11R6/bin/X is root.
The OS has a mechanism for preventing the use of setgid/setuid divisible by mount point: the mount option nosuid. When set, the OS ignores the setuid and setgid file mode bits of any executable. Unfortunately, the nosuid mount option cannot be set for the filesystem containing /usr/X11R6/bin, as xterm(1) and xlock(1) must use setgid.

X has been shown to have security problems. As an example of this, see patch 001 for 6.4-release. The Project recommended disabling the setuid bit immediately, until the patch could be applied.

The project has improved the security of X further, by disabling the setuid bit permanently for the next release, and requiring the use of xenodm(1) and its privilege separation to initiate the use of X. See the 2016/10/26 entry of the Following -current FAQ.

By re-enabling the setuid bit, you are running X with the permissions and authority of root, and disabling a security feature of the OS.

You might want to reconsider your decision. If for no other reason than this: you might use a browser that runs code provided by a website.

Last edited by jggimi; 17th December 2018 at 12:37 PM. Reason: clarity
Reply With Quote
  #8   (View Single Post)  
Old 17th December 2018
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Bloaty McBloatFace
 
Join Date: Dec 2015
Location: London
Posts: 133
Default

^ Thanks for the extended explanation, it is very much appreciated.

Quote:
Originally Posted by jggimi View Post
You might want to reconsider your decision.
I enabled the setuid bit for test purposes only, I usually run xenodm.

Thanks again for the good advice.
__________________
Linux is for people who hate Windows. BSD is for people who love UNIX.
Reply With Quote
  #9   (View Single Post)  
Old 17th December 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,596
Default

OpenBSD is "Secure by Default." As we can accidentally make our OpenBSD systems "Insecure by Admin," its always a good idea to discuss the security implications of our implementation choices.
Reply With Quote
Old 19th December 2018
hermano hermano is offline
Port Guard
 
Join Date: Mar 2017
Posts: 18
Default

Thanks for this discussion. I haven't run into this issue yet, but I guess I will pretty soon!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD Opera will be removed for 5.8 jggimi News 16 26th March 2017 03:35 PM
OpenBSD kern.usermount removed for OpenBSD 6.0 jggimi News 1 15th July 2016 03:47 PM
systrace(1) is removed for OpenBSD 6.0 jggimi OpenBSD Security 6 27th April 2016 11:26 AM
help setting gnokii .. setuid and gid bits daemonfowl OpenBSD Packages and Ports 4 18th August 2012 03:34 AM
Is /usr/X11R6/include/ supposed to be in $CPATH kasse OpenBSD General 4 3rd December 2008 05:34 PM


All times are GMT. The time now is 01:08 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick