I decided to try the Nouveau driver with the KMS functionality of the kernel.
Everything works well till now, after small adjustments.
Among other things, I noticed a different dpi value: (96, 96) instead of (89, 87),
but finally I prefer it, because the fonts look a little bigger.
The scrolling with the wheel mouse uses more cpu usage, but it's not a big issue.
I changed my screensaver to one that is less greedy with OpenGL resources.
I don't use the kdm display manager anymore; I currently use the .bash_profile method from the wiki to launch openbox with startx on tty1 at login.
I did this because I wanted to run the Xorg server as a user, as that is one of the advantages of using KMS.
But I was a little disappointed to see from 'ps -ef' :
berbae 4309 4301 0 15:48 tty1 00:00:00 -bash
berbae 4338 4309 0 15:48 tty1 00:00:00 xinit /home/berbae/.xinitrc -- /etc/X11/xinit/xserverrc :0 -auth /tmp/serve
root 4339 4338 2 15:48 tty7 00:02:04 /usr/bin/X -nolisten tcp
berbae 4342 4338 0 15:48 tty1 00:00:00 ck-launch-session openbox-session
root 4344 1 0 15:48 ? 00:00:00 /usr/sbin/console-kit-daemon --no-daemon
berbae 4417 4342 0 15:48 tty1 00:00:00 /usr/bin/openbox
I found that it is because the setuid bit is used for the Xorg binary:
lrwxrwxrwx 1 root root 4 1 avril 19:29 /usr/bin/X -> Xorg
-rwsr-xr-x 1 root root 1858080 1 avril 19:29 /usr/bin/Xorg
So it seems that running Xorg with non root privileges is not possible with the official Arch packages.
Is this true or did I miss something?
Is there a way to benefit from the possibility of running Xorg as a user, and therefore with greater security?
Thanks for shedding some light on that.
I presume you use this wiki http://wiki.archlinux.org/index.php/Start_X_at_boot
Have you tried the /etc/inittab method?
Eee PC 2G Surf (700)
Thanks for your post.
Yes I used the page "Start X at boot" from the wiki.
I don't think using the inittab method will change anything, as it only runs startx from another point, i.e. outside a ttyx.
The source of the problem is the setuid bit of the Xorg binary, which is part of the xorg-server package.
And that cannot be changed without changing the package.
Maybe I should file a feature request for a future release, as it is not a bug.
The setuid bit is required to use startx as a user without KMS, but with it enabled, the Xorg server doesn't need root privileges anymore.
So it should be possible to change that default setting for a better security level.
Apart from that, I don't regret the change from the nvidia proprietary driver, and I think I will stay with Nouveau and KMS from now on.
I didn't notice any serious problem until now.
So, what would you do as an xorg pkg maintainer if you had to support KMS and non-KMS users?
You can chmod it on your own machine, while you're waiting for the devs' response to your feature request.
> The setuid bit is required to use startx as a user without KMS, but with it enabled, the Xorg server doesn't need root privileges anymore.
It does. KMS just removed the need for root regarding the graphics card, but there's still other stuff in X that requires root. Interesting thing you apparently didn't know: the nvidia proprietary driver doesn't need root and hasn't for quite some time, all it needs is access to the /dev/nvidia* device nodes.
> but there's still other stuff in X that requires root.
Can you specify what stuff, or provide links to get information about that? Thanks.
From http://en.wikipedia.org/wiki/Mode-setting :
> User-space mode-setting would have needed superuser privileges for direct hardware access. So kernel-based mode-setting increases security because the user-space graphics server does not need superuser privileges.
I understood that to mean the Xorg server could run without root privileges, and I read it elsewhere also.
> Interesting thing you apparently didn't know:
I don't know everything, yes, especially about proprietary things.
I don't say the nvidia driver is not good, as I used it for many years without problem.
But Nvidia doesn't support the KMS functionality of the kernel, apparently for a license problem. And they don't want to support the open source Nouveau driver project.
I wanted to benefit from the advantages of the new approach to set the modes of the graphic card by the kernel.
One of them is clearly to run the Xorg server with non root privileges.
But if it's not possible for other reasons, I will do with it.
I would appreciate it if you could provide sources of information about that.
Thanks.
Last edited by berbae (2010-04-30 13:27:18)
Not all drivers are KMS capable, and you can count them on the fingers of one hand compared with the number of drivers that we have in our repos.
Give what you have. To someone, it may be better than you dare to think.
After some searching I found that someone has partially succeeded in running the Xorg server without the setuid bit on.
See the post from Link31 posted on Mon Apr 26, 2010 7:57 pm in this thread (last post at this time):
http://forums.gentoo.org/viewtopic-t-81 … art-0.html
It is not as easy as running a chmod on the Xorg binary.
The Xorg code seems to need a patch as well as the kernel code.
And these code changes have to be tested and validated upstream for official integration.
Some rights also have to be changed to give read/write access to users.
From Hopeless' post on Sun Feb 07, 2010 12:49 pm, in the same thread:
> I can tell you it's not quite that simple, there are numerous things in the xorg server itself which need to be changed first to support this, some of this has already happened, but unfortunately it appears to have taken a back seat to all the other work going on in Xorg and the driver stack, even though there doesn't seem to be much more work involved...
I'd be really happy if it was at least a planned feature of xorg-server 1.8.
I don't know if that was done in the last xorg-server release in Testing now.
I will try to get this information.
So personally I prefer to wait for the official implementation of that feature from upstream future developments.
I will keep running the Xorg server with root privileges for now.
If I notice some issues with KMS enabled/Nouveau driver, I will post them here for information.
See [wiki]Using_File_Capabilities_Instead_Of_Setuid#xorg-xserver[/wiki]. This is for all setups, but maybe for KMS you need fewer capabilities. Maybe you don't need cap_sys_rawio. Play with it.
Last edited by djgera (2010-05-01 15:37:34)
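An added example (not written by any poster in this thread, and not taken from the wiki): a small Python auditor for the question discussed above, reporting whether a binary such as /usr/bin/X gets its privilege from the setuid bit or from file capabilities. It follows symlinks and decodes the kernel's `security.capability` xattr; the function names and the short capability-name table are assumptions of this example.

```python
import os
import stat
import struct

# A few capability bit numbers from linux/capability.h, only for readable output
# (assumption of this example: not a list of what Xorg actually needs).
CAP_NAMES = {1: "cap_dac_override", 17: "cap_sys_rawio",
             21: "cap_sys_admin", 26: "cap_sys_tty_config"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001


def decode_file_caps(blob):
    """Decode a security.capability xattr (revision 2 or 3)."""
    if len(blob) < 20:
        raise ValueError("security.capability value too short")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic & VFS_CAP_REVISION_MASK not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unsupported security.capability revision")
    # Layout after the magic word: permitted/inheritable for bits 0-31, then 32-63.
    p_lo, _i_lo, p_hi, _i_hi = struct.unpack_from("<4I", blob, 4)
    permitted = p_lo | (p_hi << 32)
    names = sorted(CAP_NAMES.get(b, "cap_%d" % b)
                   for b in range(64) if (permitted >> b) & 1)
    return {"permitted": names, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def audit_binary(path):
    """Report the setuid bit, owner and file capabilities of a binary."""
    real = os.path.realpath(path)        # follow links such as /usr/bin/X -> Xorg
    st = os.stat(real)
    report = {"resolved": real, "owner_uid": st.st_uid,
              "setuid": bool(st.st_mode & stat.S_ISUID), "caps": None}
    try:
        report["caps"] = decode_file_caps(os.getxattr(real, "security.capability"))
    except (OSError, AttributeError, ValueError):
        pass                             # no capability xattr, or xattrs unsupported
    return report


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or [sys.executable]:
        print(audit_binary(p))
```

A binary that reports `setuid: True` with `owner_uid: 0` starts with full root privilege; one that reports only a `caps` entry is limited to the listed capabilities.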