Privilege state of Xorg and Urxvt

I'm not sure if this is an issue for security, but I was wondering if it is possible to run urxvt and/or xorg as an unprivileged user that isn't root.

Starting urxvt opens another instance by root, the killing of which affects nothing at all.
 
Of course, you should not be running xorg or a graphical session as root anyway. How are you running them now? Have you created an unprivileged user?
 
I'm either using xinit or startx after logging in as a normal user. I check them from htop and they seem to be running as root.
 
Xorg(1) itself needs to run as root, but startx should be run as a normal user. Various display managers are also started on the root account because they start Xorg. The reason you don't need root for startx is because it's started through /usr/local/bin/Xorg.wrap which is setuid(1) root.
 
Interesting. Not sure why that would happen. I invoke startx as an unprivileged user and never noticed it running as root. I wouldn't think this could happen because sudo wasn't used.

Are you using a display manager (xdm, sddm, gdm, lightdm)?
 
Interesting. Not sure why that would happen. I invoke startx as an unprivileged user
If the target binary (X) is setuid, and in this case it is, the binary will run with the permissions of the owner which is the root user. If you unset the setuid bit from the binary (X) and invoke it as a regular user it will fail to initialize.

Normally, to run the server itself as an unprivileged user you need session management in the form of (e)logind that tracks authenticated logins and grants the required permissions.
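
Added example (not part of any post in this thread): POSIX shell helpers for checking the setuid behaviour described above, namely whether a binary carries the setuid bit and who owns it, and whether a process listed by ps has root as its effective user while its real user is someone else. The function names and the sample ps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not from the thread.

# has_setuid_bit PATH: succeeds if PATH has the setuid bit set (POSIX test -u).
has_setuid_bit() {
    [ -u "$1" ]
}

# owner_uid PATH: prints the numeric uid owning PATH (field 3 of ls -ln).
owner_uid() {
    ls -lnd -- "$1" | awk '{ print $3 }'
}

# classify_procs: reads "RUSER USER PID COMMAND" lines on stdin, as produced by
#   ps axo ruser,user,pid,comm
# and prints "PID COMMAND STATE". USER is the effective user, RUSER the real one.
classify_procs() {
    awk '
        $1 == "RUSER" { next }                       # skip the header line
        $2 == "root" && $1 != "root" { print $3, $4, "setuid-elevated"; next }
        $2 == "root"                 { print $3, $4, "root"; next }
                                     { print $3, $4, "unprivileged" }
    '
}

# Constructed sample input (not captured from a real system).
sample_ps() {
    cat <<'EOF'
RUSER USER PID COMMAND
alice root 1201 Xorg
alice alice 1250 urxvt
root root 1 init
EOF
}

# Demo: classify the sample, then inspect the wrapper path named in the thread
# if it exists on this machine.
sample_ps | classify_procs
wrapper=/usr/local/bin/Xorg.wrap
if [ -e "$wrapper" ]; then
    if has_setuid_bit "$wrapper"; then bit=yes; else bit=no; fi
    echo "$wrapper setuid=$bit owner_uid=$(owner_uid "$wrapper")"
fi
```

On a live system, pipe the real listing into the classifier instead of the sample: `ps axo ruser,user,pid,comm | classify_procs`.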
 
Interesting. Not sure why that would happen. I invoke startx as an unprivileged user and never noticed it running as root. I wouldn't think this could happen because sudo wasn't used.

Are you using a display manager (xdm, sddm, gdm, lightdm)?

No, I log in in a vt/terminal and invoke xorg through there.

If the target binary (X) is setuid, and in this case it is, the binary will run with the permissions of the owner which is the root user. If you unset the setuid bit from the binary (X) and invoke it as a regular user it will fail to initialize.

Normally, to run the server itself as an unprivileged user you need session management in the form of (e)logind that tracks authenticated logins and grants the required permissions.

So it is expected to run as root in default install? What about URxvt?
 
Yes.


Xorg clients (GUIs) including urxvt should run as your own (unprivileged) user.

Any way I start urxvt, either from dmenu or sxhkd or through xterm, either directly or as a daemon, it is starting two instances, one root and another as "user"; I didn't tinker with it anyway.
 