Solved xf86OpenConsole: Server must be suid root

free-and-bsd


Funny, stupid, whatever... I have this error on one of my machines and cannot figure out what the matter is.

It's a standard installation with most recent packages, Xorg.wrap is in place all right (part of the package).
Code:
lrwxr-xr-x  1 root  wheel  9 May  5 16:48 /usr/local/bin/X -> Xorg.wrap
-r-sr-xr-x  1 root  wheel  8968 May  5 16:48 /usr/local/bin/Xorg.wrap

What else?... Package xorg-server is built with SUID=on.
The funny thing is, even using Xorg.wrap config with explicit directive to start X with root privs for any user logged in console doesn't change that a bit.

I normally use startx to start X from console (regular user) on my machines. My .xinitrc says (among other things): exec fvwm.
Works fine on all my machines except this one.
What could be the matter?
I had to make /usr/local/bin/Xorg suid root as a temporary solution. But I'd rather use the standard way of doing it.
 

SirDice


Only Xorg.wrap should need that SUID bit:
Code:
% ll /usr/local/bin/Xorg.wrap
-r-sr-xr-x  1 root  wheel  8968 Apr 16 19:58 /usr/local/bin/Xorg.wrap*

Can you have a look in /usr/local/bin/startx? It should have a line like this somewhere at the top:
Code:
defaultserver=/usr/local/bin/X
 
free-and-bsd

> Only Xorg.wrap should need that SUID bit:
> Code:
> % ll /usr/local/bin/Xorg.wrap
> -r-sr-xr-x  1 root  wheel  8968 Apr 16 19:58 /usr/local/bin/Xorg.wrap*
>
> Can you have a look in /usr/local/bin/startx? It should have a line like this somewhere at the top:
> Code:
> defaultserver=/usr/local/bin/X

Yes, it does have this line. All looks fine there, so I don't know what to think...
 

SirDice


Can you post your /var/log/Xorg.0.log after an attempt?
cat /var/log/Xorg.0.log | nc termbin.com 9999
 

SirDice


Can't see a whole lot of problems, it's complaining about a few fonts but that shouldn't prevent it from starting properly.

This one sticks out a bit:
Code:
 Failed to open authorization file "/home/kostya/.serverauth.38561": No such file or directory
But that's more or less expected if Xorg fails to start, then it won't clean up those .serverauth.* files. Before running startx see if removing them helps (unlikely but they shouldn't be left over).
 

covacat


Code:
#!/bin/sh
echo "$*" >/tmp/xinit.log
set >> /tmp/xinit.log

rename the original xinit and replace it with this
startx
investigate /tmp/xinit.log
 
free-and-bsd

> Code:
> #!/bin/sh
> echo "$*" >/tmp/xinit.log
> set >> /tmp/xinit.log
>
> rename the original xinit and replace it with this
> startx
> investigate /tmp/xinit.log

Nothing there which I didn't know before. But thank you anyway.
It keeps complaining though about auth not found. But then it does the same on other machines where startx by unpriv user works fine.
 
free-and-bsd

OK, this was caused by my ~/.xserverrc containing the line
Code:
exec Xorg -listen tcp "$@"
Once removed, things work as they should.
It was some time ago I tried to implement remote connection to Xorg in my private network environment, but then was distracted and forgot about that stuff...

BTW, since I've mentioned that... can anyone point me to any working HOWTO on the subject? I don't seem to find any WORKING solution. Always wanted to try this but never had the time to test...
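
As an added example (not part of the original post), a small shell check for the condition found here: an ~/.xserverrc that starts Xorg directly instead of X, the symlink to the setuid Xorg.wrap, and that passes -listen tcp. The function name and the finding labels are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread: audit an xserverrc for the two things
# the offending line did. check_xserverrc and its labels are hypothetical.

check_xserverrc() {
    rc=$1
    [ -r "$rc" ] || return 0            # no file: startx uses its defaultserver
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                          # no glob expansion while splitting
        set -- $line
        set +f
        if [ "$1" = exec ]; then shift; fi
        case ${1:-#} in
            '#'*) continue ;;           # blank line or comment
        esac
        # In the setup shown in this thread only Xorg.wrap (reached through
        # the X symlink) carries the setuid bit; naming Xorg itself skips it.
        case ${1##*/} in
            Xorg) echo "direct-Xorg" ;;
        esac
        prev=
        for arg in "$@"; do
            if [ "$prev" = -listen ] && [ "$arg" = tcp ]; then
                echo "listen-tcp"       # server would accept X11 over TCP
            fi
            prev=$arg
        done
    done < "$rc"
    return 0
}

# Constructed sample: the single line quoted in the post above.
sample=$(mktemp /tmp/xserverrc.XXXXXX)
printf '%s\n' 'exec Xorg -listen tcp "$@"' > "$sample"
check_xserverrc "$sample"
rm -f "$sample"
```

Run it against the real file with `check_xserverrc "$HOME/.xserverrc"`; no output means neither condition was found.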
 

SirDice


Xorg should accept local connections, you typically use SSH with X-forwarding to have some kind of protection when starting X applications remotely. XDMCP should be left in the past, it's a horridly insecure way. If you want a remote desktop style connection then you should look into net/xrdp. Still horrid, certainly not as good as RDP to a Windows machine but it'll work.
 

mer


I've used the ssh with x forwarding successfully. If I'm going to a specific machine a lot, say a work machine to build, I typically set things in $HOME/.ssh/config:
Code:
host workthing
  hostname 192.168.1.1
  user workuser
  ForwardX11Trusted "yes"
  ForwardX11 "yes"
  Compression "yes"

You can try by adding either -X or -Y to the ssh command.
 

SirDice


Note that for X-forwarding you don't need to have a functional Xorg on the host or even have it installed. The X server runs on the client in that case.
 
free-and-bsd

> Note that for X-forwarding you don't need to have a functional Xorg on the host or even have it installed. The X server runs on the client in that case.

That has been the most confusing part for me. For one thing, the command -listen tcp only makes sense on a machine running X server (since this is an X-server setting, isn't it). So, you need a "server" to run an x-app. But according to this functionality, the "app" need not necessarily be on the same computer with the server. So much I gather from the naming.
 
free-and-bsd

For the rest of it, I never had enough time to put it all together in my head :) But since this feature exists, I wanted to test this.
 

SirDice


> That has been the most confusing part for me.

The confusing part is that it's apparently reversed compared to "normal" network services. With X the GUI application is the client, it connects to the X server. The X server is the part that actually draws the graphics on the screen (really simplified explanation). With X-forwarding that part is running on the "client", so you need to have an X server running locally. The "remote" application (xclock for example) runs on the host but it connects, through the X-forward, back to the "client" and the X server that's running on the "client" does the actual drawing of the GUI.
 