[cap-talk] "Security Issues related to Pentium System Management Mode"

John Carlson john.carlson3 at sbcglobal.net
Fri May 5 01:37:37 EDT 2006


Actually, I think that the X11 Server doesn't require super user
privileges to run; it's xdm, kdm, and gdm that require root so that the
user account can be set properly. If you don't start xdm, kdm or gdm,
and use startx or xinit instead, I'm fairly sure any user can run X11
server (although my Linux machine has it setuid to root). I don't think
that X11 runs as super user under Windows either (cygwin--I could be
wrong here). At least that's my experience. I am more familiar with X11
on SunOS [ pre the Solaris crapola ] though. I think that thinking that
X11 requires root is sort of like thinking that you need root to do
printing, which was probably true for many UNIX systems, even though I
recall being able to cat to the printer, since it was a tty. Also, I've
catted postscript to a telnet session and gotten things to print
easily. Also X11 listens on a port > 1023, so that requirement is not
in X11 either. There was a requirement to run XConsole as root so you
could grab the console output. It was kind of annoying to see console
text spewed to your X11 session.

It may be worth turning off setuid on the X Server to see how far you
get. Maybe there is something on Pentium that requires it?

If you put the window system in kernel space, like systems like SunView
and SunTools did, you're adding a lot of code to the kernel, which makes
it even more vulnerable to attack.

Now I'm getting confused by Jed's message. Do you mean that the new
virtualization technology soon to be offered by Intel has a bug in it?
Or things like VMware and QEMU?

What about Mac OS X on Intel?

I can see wanting to protect your video display hardware, so that people
couldn't take snapshots of what appeared on your screen. Perhaps this
is why X runs as root now. I thought Linux was moving away from devices
in the file system though. Also, xdm, gdm, and kdm could set the device
appropriately for the user, so someone can't look at the user's X
session. When you exit X, the device permissions would revert to what
gdm and friends want them to be.

Sorry, I am just adding to the confusion. Running X11 as setuid root is
new to me.

John

