The officially official Devuan Forum!


#1 2017-09-12 11:18:07

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,486  

xserver-xorg-legacy in ascii

To get X to work in ascii and beyond...

1. Install xserver-xorg-legacy   (This might be all you need to do.)

2. (maybe)
If you don't use a display manager (like slim or lightdm) and want to use 'startx' to get a graphical session, you'll need to run this command once (or edit the file manually)

echo "needs_root_rights=yes" >> /etc/X11/Xwrapper.config

3. (you tell me. I predict there will be more needed in the future.)

Offline

#2 2017-09-12 12:05:59

hunger
Member
Registered: 2017-04-28
Posts: 6  

Re: xserver-xorg-legacy in ascii

The second step will cause the X server to be started as root, which is a really bad idea(TM). The first step might already do that (since Xwrapper defaults to "auto").

https://media.ccc.de/v/30C3_-_5499_-_en … n_sprundel has an introduction to X server security.

Offline

#3 2017-09-14 08:20:16

korgull
Member
Registered: 2017-09-14
Posts: 2  

Re: xserver-xorg-legacy in ascii

Well, the display manager also launches Xorg as root:

root      2109  1.7  1.2 469952 99548 tty7     Ssl+ 07:52   2:31 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/slim.auth vt07

Or am I wrong?

Btw: Is it intrinsic to systemd to run Xorg as user?

Is there any other solution as of now?

Last edited by korgull (2017-09-14 08:22:10)

Offline
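An added example, not written by anyone in this thread: a shell audit helper for the two things discussed in posts #1 to #3, namely which `needs_root_rights` value is in effect in Xwrapper.config and whether a running X server is owned by root. It assumes the file uses `key=value` lines where the last assignment wins and the default is "auto"; the user `alice`, the sample file and the `ps` field layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for X server privileges.

# Print the needs_root_rights value in effect for an Xwrapper.config file.
# Assumptions: "key=value" lines, "#" starts a comment line, the last
# assignment wins, and the value is "auto" when the key or file is absent.
effective_root_rights() {
    value=auto
    if [ -r "$1" ]; then
        found=$(sed -n 's/^[[:space:]]*needs_root_rights[[:space:]]*=[[:space:]]*\([a-z]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1)
        if [ -n "$found" ]; then value=$found; fi
    fi
    printf '%s\n' "$value"
}

# Read "ps -eo user=,pid=,args=" output on stdin and print the PID of every
# X server (Xorg or X, with or without a path) that runs as root.
root_x_servers() {
    awk '$1 == "root" && ($3 == "Xorg" || $3 == "X" || $3 ~ /\/(Xorg|X)$/) { print $2 }'
}

# One-line verdict for a config file (argument) and a process listing (stdin).
x_privilege_verdict() {
    setting=$(effective_root_rights "$1")
    pids=$(root_x_servers | tr '\n' ' ')
    if [ -n "$pids" ]; then
        printf 'ROOT-X setting=%s pids=%s\n' "$setting" "${pids% }"
    else
        printf 'NO-ROOT-X setting=%s\n' "$setting"
    fi
}

# Constructed sample data: a config where the append from post #1 landed
# after an existing "no" line, plus one root-owned and one user-owned server.
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
printf '%s\n' '# Xwrapper.config (constructed sample)' 'allowed_users=console' \
    'needs_root_rights=no' 'needs_root_rights=yes' > "$sample_cfg"
sample_dm='root 2109 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/slim.auth vt07'
sample_user='alice 1874 /usr/lib/xorg/Xorg :0 vt1 -keeptty'

printf '%s\n' "$sample_dm" | x_privilege_verdict "$sample_cfg"
printf '%s\n' "$sample_user" | x_privilege_verdict /nonexistent/Xwrapper.config
# On a live system:
#   ps -eo user=,pid=,args= | x_privilege_verdict /etc/X11/Xwrapper.config
```

Because the command in post #1 appends with `>>`, an older `needs_root_rights` line can remain in the file, which is why the helper reports the last assignment rather than the first.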

#4 2017-09-14 11:46:15

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,486  

Re: xserver-xorg-legacy in ascii

Yes, X has been running as root forever, and that only changed with stretch. I don't know the details of how systemd works with that, but the dependence of xorg on systemd also appeared with stretch. According to the linked video, the solution is to switch to wayland. (That's an over-simplified explanation. In fact, a lot of bugs have been fixed as a result of that guy's work.)

Offline

#5 2017-09-18 23:08:50

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  

Re: xserver-xorg-legacy in ascii

fsmithred wrote:

Yes, X has been running as root forever, and that only changed with stretch. I don't know the details of how systemd works with that, but the dependence of xorg on systemd also appeared with stretch.
...

The one and the other change are not of the kind to put together as similar (not saying that you are doing so).
The change with Xorg is praiseworthy (but probably came to be because the exploits went mad on Xorg...), the other change is sad as can be...
fsmithred, I just sent an email to dng mailing list (and to a few Devuaners of the thread on Xorg, one of them being you).
And then I see this documentation post...
Good! Let's wait and see if my email to DNG ML appears at:
...
Gosh! It appeared! Phew! Feeling muuuch better now smile!
Here:

Subject: Re: [DNG] upgrade from Debian stretch to Devuan ascii?
https://lists.dyne.org/lurker/message/2 … f1.en.html

Readers here, take note that it is absolutely best for security of your Devuan boxen if you manage to use Xorg the new way, not as root!

Happy smile !

Last edited by miroR (2017-09-18 23:09:23)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#6 2018-01-25 22:36:42

thierrybo
Member
Registered: 2017-11-11
Posts: 107  

Re: xserver-xorg-legacy in ascii

Yes,

as I also ran into xinit not running on a minimal install without systemd, policykit and consolekit, it turns out that xserver-xorg-legacy was built specifically for "legacy" Debian setups without systemd:

xorg-server (2:1.17.3-1) unstable; urgency=medium

The Xorg server is no longer setuid root by default. This change reduces the
risk of privilege escalation due to X server bugs, but has some side effects:

* it relies on logind and libpam-systemd
* it relies on a kernel video driver (so the userspace component doesn't
  touch the hardware directly) -> kernel mode setting (KMS)
* it needs X to run on the virtual console (VT) it was started from
* it changes the location for storing the Xorg log from /var/log/ to
  ~/.local/share/xorg/

On systems where those are not available, the new xserver-xorg-legacy package
is needed to allow X to run with elevated privileges. See the
Xwrapper.config(5) manual page for configuration details.

-- Julien Cristau <jcristau@debian.org> Tue, 27 Oct 2015 22:54:11 +0000

Offline

#7 2018-03-16 18:55:38

mmaglis
Member
From: Berlin - Germany
Registered: 2018-03-16
Posts: 32  

Re: xserver-xorg-legacy in ascii

I am running Devuan ASCII. I had the xserver-xorg-legacy installed so far, but decided to remove it and see if things work without it.

They do! I startx from console as normal user. xinit & Xorg run as normal user.
No elogind, no polkit, no dbus here.
No issue.

I have not tried it with a display manager (e.g. slim) yet.
Have things changed recently?

Offline

#8 2018-03-17 13:17:12

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,486  

Re: xserver-xorg-legacy in ascii

Obviously, something has changed. I can confirm that it now works. I had to do a few things to get it to work...

- removed xserver-xorg-legacy
- disabled my display manager (lxdm)
- tried startx, it wouldn't start.

- added elogind
- still wouldn't start.

- tried it with lxdm. xorg and lxdm are running as root.

- added libpolkit-gobject-1-0-elogind and libpolkit-backend-1-0-elogind, which also pulled in libpam-elogind.
- startx works, and everything is running as user.

- tried it with lxdm again. xorg and lxdm run as root.
- tried it with lightdm. xorg and lightdm run as root.

Offline

#9 2018-03-17 20:41:57

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,486  

Re: xserver-xorg-legacy in ascii

- tried it again after removing the packages I installed. It stopped working.
- tried it after removing dbus. Didn't work.

- installed libpam-elogind, which pulled in elogind, dbus, and something else, but not the libpolkit libraries. It works again.

Offline

#10 2018-03-18 08:26:32

mmaglis
Member
From: Berlin - Germany
Registered: 2018-03-16
Posts: 32  

Re: xserver-xorg-legacy in ascii

I cannot recall in which order I have purged various packages.
I do know xserver-xorg-legacy was purged last.
I do not think the order is important though.

I startx from console as a normal user.
xinit and Xorg processes run with that normal user.
I have currently the below packages installed; no polkit, no logind, only libdbus:

- libpam0g
- libpam-runtime
- libpam-modules
- libpam-modules-bin
- xorg
- xserver-xorg
- xserver-xorg-core
- xserver-xorg-input-libinput
- xserver-xorg-input-void
- xserver-xorg-video-dummy
- xserver-xorg-video-intel
- xserver-xorg-video-vesa
- x11-xserver-utils
- xserver-common
- login
- eudev
- libdbus-1-3

My apt sources.list point to ASCII:

# Devuan repositories
deb https://pkgmaster.devuan.org/merged ascii main
deb https://pkgmaster.devuan.org/merged ascii-updates main
deb https://pkgmaster.devuan.org/merged ascii-security main
deb https://pkgmaster.devuan.org/merged ascii-backports main

Offline

#11 2018-05-01 12:05:50

devuser
Member
Registered: 2018-04-30
Posts: 176  

Re: xserver-xorg-legacy in ascii

Oh, so there is already a post concerning this mess. So I guess the best way to deal with this is to follow the steps fsmithred posted?

By the way there is this interesting snippet I stumbled upon at https://bugs.debian.org/cgi-bin/bugrepo … bug=814394

Julien Cristau on 2016/02/13 +0100 @11:30:30:
> > startx does not longer work after upgrade; `grep EE
> > Xorg.log' shows:
> >
> >    [  1463.840] (EE) systemd-logind: failed to get
> >    session: The name org.freedesktop.login1 was not
> >    provided by any .service files
>
> X requires logind ...

It's not supposed to, when using the X wrapper and
needs_root_rights=yes.  There used to be an upstream patch that
even allowed X to start without this, and skip the ioperm check
(it's not actually needed with KMS), which Debian dropped,
because I guess they want to require everyone to use systemd.

Offline
