How to start x properly?

I prefer to boot into console, then start X with startx if/when required. I don’t use a display manager.

I’m struggling a bit getting this to work with SUSE though. I set RL to 3 in inittab, then boot into console, all ok so far. But I can’t startx when I need to; I get some error about the UID bit not being set on xorg?? The only way I can start X is either as root user, or by setting the UID bit. This can’t be the proper way to go about this though!

So what is? startx, xinit and init 5 all only work as root user.

Thanks in advance

spoov

That is logical to me. Running X is a system level task, not an end-user level task. When the system manager has set the default runlevel to three, (s)he did so on purpose. The end-user is thus not able to change runlevel. This is built-in security. And of course other ways to circumvent this security (like running certain services as end-user) should also be blocked.
Of course you can break this security by setting the SUID bit (as you can break almost any security thing in Linux), but this is at your own risk (including the fact that that SUID bit will probably be removed on updates).

I can totally see your point about security, if your quote above were universally true. But to me, and many others too I am sure, it isn’t true. I use X as an end-user task, much like zypper or elinks. This seems to be stopping me from doing so altogether (unless I accept a giant security hole side-effect by setting suid bit). Is this really the intended behaviour?

Someone on a mailing list mentioned file_caps=1 boot option, but didn’t expand on it. Any ideas how this might help?

Thanks

spoov

You may be right, but I do not understand your comparison. I do not know elinks, but zypper is a CLI program like many others (ls, vi, sed, awk, sort, …). The only thing is that zypper when run by the end-user is “read-only” in that it will not (de)install anything (same as e.g. ifconfig).

But to come back to your problem.
. It is clear to me that init is only to be run as root.
. I just did a test. I booted an 11.2 system in runlevel 3. I logged in on the console as an end-user. I entered startx and a GUI session for that end-user was started.

So it seems that on my system it works like you expect things to work and on your system it doesn’t.
This brings us to the task to find out why.

And about suid bits, it isn’t set:

ls -l $(which startx)
-rwxr-xr-x 1 root root 4921 Oct 24  2009 /usr/bin/startx

On my system:


% ls -l Xorg
-rws--x--x 1 root root 1999580 2010-08-19 10:36 Xorg

That’s how it was installed (and apparently updated, based on the date). Incidentally, that’s in the “/usr/bin” directory.

I have probably misled you somewhat as I am running 11.4 RC1 (sorry still not fully up on the posting rules re different releases etc).

I believe from what I have read on the mailing lists that this is some kind of deliberate security measure (presumably new to 11.4?), to require root privileges to run X.???

suid bit is not set for Xorg in Debian, RH, SUSE, or anywhere else as far as I know, but it is now required to set it yourself, manually if you want to run X from RL3/without display manager. Seems weird to me, and no-one seems to be willing or able to really explain it (re the file_caps=1 boot option).

I don’t want to seem too negative though;), I’m open to new ways of doing things, that’s why I’m trying openSUSE. I would like to understand it though.

11.4 is not released yet. People trying out / testing Pre-release/Beta software are supposed to go to the Pre-Release/Beta subforum.

BTW :

 ls -l $(which Xorg)
-rws--x--x 1 root root 1906712 sep 23 17:48 /usr/bin/Xorg
henk@boven:~>

but I am not going to repeat my test with Xorg as I have proven that normal startx works here.

I will move this thread to Pre-Release/Beta. Please to everybody: do not post to it before it shows up there.

Moved to Pre-Release/Beta.

I hope people here can help to find out why this is not working while it was in earlier releases.

Hi
Because of the setuid changes…

https://features.opensuse.org/307254


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.32.27-0.2-default
up 12:26, 5 users, load average: 0.05, 0.10, 0.08
GPU GeForce 8600 GTS Silent - Driver Version: 260.19.26

That link leads me to believe that POSIX file capabilities are now being used to partially elevate privileges of Xorg. If this is the case, then why do I need to manually set the suid bit as well?

Or is it the other way around - has SUSE 11.4 removed previously implemented POSIX file capability control? This would seem to reflect the situation we are experiencing, but this would surely mean that SUSE has stepped away from the POSIX control method to a less secure method, which seems unlikely.

The situation is not clear to me from these links. Anyone care to explain properly (ie in more than one sentence) please?
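The distinction the thread keeps circling (setuid bit versus POSIX file capabilities) can be checked directly on a binary. The following is an added example, not part of the original thread or of openSUSE's tooling; the function names `ls_mode_setuid` and `priv_source` are hypothetical, and `getcap` (from libcap) is assumed to be installed for the capability check.

```shell
#!/bin/sh
# Added example: report how an executable obtains elevated privilege.

# ls_mode_setuid MODE
#   MODE is the permission column of `ls -l`, e.g. "-rws--x--x".
#   Succeeds when the owner-execute slot shows s/S, i.e. the setuid bit is set.
ls_mode_setuid() {
    case $1 in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# priv_source PATH
#   Prints one of: setuid-root | setuid:<uid> | filecaps:<caps> | none | missing
priv_source() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }

    # Setuid bit: the process runs with the file owner's effective UID.
    if [ -u "$f" ]; then
        owner=$(ls -ln -- "$f" | awk '{print $3}')   # numeric owner UID
        if [ "$owner" = 0 ]; then
            echo setuid-root
        else
            echo "setuid:$owner"
        fi
        return 0
    fi

    # File capabilities: only the listed capabilities are granted, not full root.
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$f" 2>/dev/null)
        caps=${caps#"$f"}       # drop the leading path
        caps=${caps#" = "}      # older libcap prints "path = caps"
        caps=${caps#" "}        # newer libcap prints "path caps"
        if [ -n "$caps" ]; then
            echo "filecaps:$caps"
            return 0
        fi
    fi

    echo none
}

# Stand-alone use: sh this_script /usr/bin/Xorg
if [ $# -gt 0 ]; then priv_source "$1"; fi
```

Run against `/usr/bin/Xorg` and `/usr/bin/startx`, this shows at a glance whether X is being elevated through the setuid bit, through file capabilities, or not at all.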

On 2011-02-21 18:06, spoovy wrote:

> I believe from what I have read on the mailing lists that this is some
> kind of deliberate security measure (presumably new to 11.4?), to
> require root privileges to run X.???

Yep.

> suid bit is not set for Xorg in Debian, RH, SUSE, or anywhere else as
> far as I know, but it is now required to set it yourself, manually if
> you want to run X from RL3/without display manager. Seems weird to me,
> and no-one seems to be willing or able to really explain it (re the
> file_caps=1 boot option).

They did. It is the new method, but it doesn’t affect X (yet?).


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

You say that you don’t use a window manager, but do you have any installed?

If you do, you can use the command (as root)

rcxdm start

and X will start as normal user.

@ moderator : why was this message split from this thread ? How to start x properly?

EDIT: I do not know. The original thread was moved from Applications to Pre-Release/Beta. Something went wrong there. I merged the two threads. Hope that everything is OK now

Henk van Velden

On 2011-02-21 20:36, spoovy wrote:

> The situation is not clear to me from these links. Anyone care to
> explain properly (ie in more than one sentence) please?

They did in the mail list. Those people talking about it in there are devs
and maintainers, so they know. A different matter is whether they care to
explain.

Xorg does not use those posix caps (yet?) - that is what they said - thus
you still need set suid in oS.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2011-02-21 18:36, hcvv wrote:

> I will move this thread to Pre-Release/Beta. Please to everybody: do
> not post to it before it shows up there.

You have to post the warning in the old thread, or us nntp people will
never see the warning in time.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Here’s one from openSUSE 11.4 RC1


ls -l $(which startx)
-rwxr-xr-x 1 root root 5209 14 feb 18:16 /usr/bin/startx


On some other machines with 11.1, 11.2 and 11.3 it’s the same

> - thus you still need set suid in oS

I still need to set suid? I never had to set setuid until version 11.4!

Maybe if I ask for one word answers. Can anyone please fill in the questions below (Please, only reply if you actually know the answers. And please please no more pointless argumentative posts, I really don’t want to squabble with complete strangers) :

Did openSUSE have setuid bit set by default on Xorg in versions prior to version 11.4? =
Did openSUSE use file capabilities to elevate privileges on Xorg in versions prior to version 11.4? =
Does openSUSE use file capabilities to elevate privileges on Xorg in version 11.4 (RC1)? =

  • If not, Is it the intention to implement file capabilities on Xorg in version 11.4 at some point between now and the final 11.4 release date? =
    Is it the intention of the devs to use file capabilities on Xorg in future releases? =
  • If so, does this mean that it will be possible to run Xorg from RL3 as a regular user, without having to set the setuid bit or otherwise run Xorg with full root privileges? =
  • If not, is it the intention to deliberately prevent this action altogether, for the reasons set out in post number 2 above (ie Xorg being a system process rather than user process)? =

Thanks in advance. PS I’m sure it seems that I’m being obnoxious here, but I promise you that I am not trying to be, I am only trying to get a straight answer.

The questions are highly technical and since this is a user powered forum I doubt that the developers, who would know, will see it. Best to ask on the mailing list. And no I don’t know which one, but a google may find it or someone here may know a good one.

On 2011-02-22 17:06, spoovy wrote:
>
>>> - thus
> you still need set suid in oS
>
> I still need to set suid? I never had to set setuid until version
> 11.4!

That is exactly what I said. There is a language barrier, it seems. Let me
try again: the new posix caps are not enough (now), so you also, now, need
to set uid. Now means 11.4 in this context, before means older versions.

> Maybe if I ask for one word answers. Can anyone please fill in the
> questions below (_Please,only_reply_if_you_actually_know_the_answers.
> And please please no more pointless argumentative posts, I really don’t
> want to squabble with complete strangers) :

Ok, then I shut up. I expect none here to know. Only Devs know, and Devs do
not use the forums.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)