Run X as a regular user

Registered by Chris Halse Rogers on 2010-04-12

* What changes do we need to drop root privs from X in Maverick?
* Should we switch to rootless-X for Maverick?
* What testing can we do to be confident in our decision?

Blueprint information

Status: Not started
Approver: Sebastien Bacher
Priority: Low
Drafter: Chris Halse Rogers
Direction: Needs approval
Assignee: Chris Halse Rogers
Definition: Approved
Series goal: Accepted for quantal
Implementation: Deferred
Milestone target: ubuntu-12.10

Whiteboard

bryce 2010-05-07: I've gathered the ideas/requirements that have come up in the past here:

  https://wiki.ubuntu.com/X/Rootless

A key point is that X shouldn't run as the logged-in user, but rather as a non-root service-type user. See the wiki page for details.

raof, 2010-06-22: In regular use on my system:
Intel, Radeon & Nouveau will write to
/dev/fb0
/dev/vga_arbiter
/dev/dri/card0
/sys/class/backlight/acpi_video0/brightness
/dev/input/event*
/proc/mtrr
/dev/tty*

raof, 2010-06-29: Upstream wonders why we need a /dev/backlight. They suggest that ConsoleKit could handle setting permissions for /sys/class/backlight. I need to work out why we decided ConsoleKit wouldn't work, and if that reasoning is still sound.

raof, 2010-07-16: There doesn't seem to be any reason why a run-seat ConsoleKit script can't be used for what we want. Updating the work items to match this.

raof, 2010-07-22: After talking with pitti, there's actually no reason to require a ConsoleKit script; X can just chown the relevant files before dropping privs.

pitti, 2011-07-22: Is this actually desired for oneiric, or in general still? It gets a bit tight to get that into oneiric, so perhaps we should move this to the q cycle (post-LTS)?

bryce, 2011-07-22: Makes sense; there haven't been any stakeholders for this feature since before lucid.

Work Items

[raof] Set up a new system user for X process (xdaemon): POSTPONED
[raof] Better generalized -nohw patch so xserver detects it automatically: POSTPONED
[raof] Talk to Jesse/upstream to see what interface is sane for /dev/backlight: DONE
[raof] Talk with Michael Frey (and tseliot) about how OEM team has approached rootless X: DONE
[raof] Check X doesn't write anything (else) to /sys or /proc: DONE