Looking at Pull #41 (and d7c71d2 specifically), I see that the solution recommended involves allowing any user "allowed" to use X full access to the TTYs as well as input devices.
This means that, on a multi-user system, you have to give all GUI users a pretty severe amount of trust, that they don't set a daemon or anything to snoop on input devices, or even spoof someone who's trying to use a physical TTY.
Now, obviously, most of the situations like this are pretty obscure. Most users on the same system trust each other!
But doesn't Xorg itself have some kind of features built-in, where it can be used with setuid and security implications are already, intentionally considered?
For instance, on my machine, just
Allows anyone in the users group to use startx or xinit, and is presumably mediated by code within X.Org (and also has the added benefit of being persistent across reboots without worrying about startup files)
James-E-A changed the title from "Better rootless X.Org setup?" to "Better rootless X.Org recommendations?" on Jan 4, 2018
Well, could be that the upstream package of the xserver comes with new systemd rules or whatever. What I would worry about more is to get EMGD and all its dependencies working again for newer Linux kernels and distributions. Compared to the needed patches, which might be needed for the DRM code, this is only a nitpick. But feel free to fix that. The solution is most likely in the latest packages, I guess.