OpenBSD Journal

Xorg can now run without privilege on OpenBSD

Contributed by jj on from the you-are-surrounded-drop-your-privs dept.

Matthieu Herrb summarizes:
In OpenBSD-current, after this commit users of Intel and ATI Radeon graphics which support kernel mode setting (almost all of them) can set machdep.allowaperture back to 0 in the /etc/sysctl.conf configuration and still run the X server.
This means that the X server requires no special privilege to access kernel memory or I/O devices directly, and, thanks to the privilege separation code, that most of the code in the X server will also not run as root.

Keeping this special direct access to the hardware through the aperture driver was one of the major drawbacks of privelege separation in X, as pointed out by a paper by Loic Duflot at CANSECWEST 2006.

Note that the warning about CheckDevMem failing to open /dev/xf86 and /dev/mem can be safely ignored.

(Comments are closed)


  1. By Anonymous Coward () on

    An incredible milestone. Thanks for all the hard work!

  2. By Anonymous Coward () on

    Will there be a test or some such in the installer that will know whether this flag now has to be tweaked?

    Or does this change mean we have reached the point where the installer no longer has to ask if we're going to run X?

    1. By Amit Kulkarni (amitkulz) on

      > Will there be a test or some such in the installer that will know whether this flag now has to be tweaked?
      >
      > Or does this change mean we have reached the point where the installer no longer has to ask if we're going to run X?

      hopefully. I did as recommended and it just works!

      Thanks a ton.

    2. By Noryungi (noryungi) on

      > Or does this change mean we have reached the point where the installer no longer has to ask if we're going to run X?

      Hmmm... The way I understand this article is that (a) the installer will still ask the question about running X and set the aperture to 2 but (b) after installation is complete, if your video card is supported, you will be able to reset the aperture to 0 and enjoy the security goodness.

      If a dev reading this can correct or confirm what I just wrote, it would be greatly appreciated.

      1. By Anonymous Coward () on

        > > Or does this change mean we have reached the point where the installer no longer has to ask if we're going to run X?
        >
        > Hmmm... The way I understand this article is that (a) the installer will still ask the question about running X and set the aperture to 2 but (b) after installation is complete, if your video card is supported, you will be able to reset the aperture to 0 and enjoy the security goodness.
        >
        > If a dev reading this can correct or confirm what I just wrote, it would be greatly appreciated.

        Correct, at the moment, it requires this manual step.

        We hope to make this entirely automatic by the 5.6 release...


  3. By Chris Cappuccio (chriscappuccio) chris@nmedia.net on http://www.nmedia.net/chris/

    In other words, allowaperture could have been 0 for DRM-using folks ever since it was committed. Except for damn libpciaccess! Damn you libcrap.

  4. By Srikant () on

    Thanks a million! Hopefully other prominent OSes will learn from OpenBSD soon and start really caring about security.

    Most of the times, when I learn about a particular class of vulnerability via some conference video, OpenBSD is already safe : NTP Reflection DDoS, LD_PRELOAD, X.org priv sep and so many others.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]