Tagged: X.Org vulnerability run as root
- This topic has 6 replies, 4 voices, and was last updated Feb 7-2:53 pm by dolphin_oracle.
February 7, 2023 at 9:42 am #99073 (Member)
sybok
Hi, I noticed a post on the Devuan forum (which I occasionally check) with a link to Phoronix about this issue: https://www.phoronix.com/news/X.Org-Server-CVE-2023-0494
Which makes me ask:
1) Does antiX’s X run as root?
2) If yes, would changing it (e.g. as suggested in the post or otherwise) be possible?

Regarding 1), running 'ps -ef | grep X' outputs:

root 2070 2053 1 11:41 tty7 00:00:18 /usr/lib/xorg/Xorg -nolisten tcp -background none -auth /var/run/slim.auth vt07

Hence it seems to run as root.
February 7, 2023 at 11:31 am #99079 (Forum Admin)
anticapitalista

slim/slimski run X as root.
startx should run X as user.
Apparently, gdm or whatever it is called now, starts X as user.

Philosophers have interpreted the world in many ways; the point is to change it.
antiX with runit - leaner and meaner.
February 7, 2023 at 12:21 pm #99081 (Member)
sybok
Pardon my lack of understanding.
SLiM(ski), naively interpreted by me as "also the login screen", runs X as root ('ps -ef | grep -i slim' easily verifies it; hm, I could have thought of that sooner).

Just curious, would it be easily possible to switch it to a dedicated user, as is GDM's way?
Is the graphical session (of a user, entered/managed through SLiM(ski)) itself run with user privileges then?
Or "is it" the same X run as root?

The post on the Devuan forum (by Head_on_a_Stick) mentions using 'startx' (which according to its man page is a frontend for 'xinit') as an alternative to run X as a user.
I interpret the text and code as follows: one boots into a terminal on TTY1 and when the user logs in, X is started, i.e. no "fancy" login screen (by slim(ski)) but a shell prompt instead.
Using it instead of slim(ski) would result in a feature loss (switching desktops via F1 before logging in).

February 7, 2023 at 2:00 pm #99085 (Member)
Robin
Sorry for my ignorance about all the backgrounds, but when reading the second link from sybok's opening post above and following the links therein, it looks to me that there exists a tiny patch which fixes the complete issue. So my question is: couldn't the four lines get added to all the nosystemd versions antiX provides? Or are there no special versions used but the default versions from Debian? I'm a bit puzzled, since xorg doesn't seem to be installed in antiX at all:

$ apt-cache policy xorg
xorg:
  Installed: (none)
  Candidate: 1:7.7+22
  Version table:
     1:7.7+22 500
        500 http://ftp.de.debian.org/debian bullseye/main amd64 Packages

While it clearly shows up when asking for its version:

$ Xorg -version

X.Org X Server 1.20.11
X Protocol Version 11, Revision 0
Build Operating System: linux Debian
Current Operating System: Linux antix1 5.10.142-antix.2-amd64-smp #1 SMP PREEMPT Fri Sep 9 21:15:01 EEST 2022 x86_64
Kernel command line: lang=de_DE quiet splasht disable=lxF
Build Date: 10 November 2021 11:00:13AM
xorg-server 2:1.20.11-1.0nosystemd1 (https://www.debian.org/support)
Current version of pixman: 0.40.0
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.

So, from the link mentioned above it seems to be clear antiX is vulnerable, and it either needs to get the patch in all the Xorg versions used, or it needs to get upgraded to 21.1.7, since the vulnerability has been disclosed now: "As a result of today's security disclosure, X.Org Server 21.1.7 has been released with this fix."
Windows is like a submarine. Open a window and serious problems will start.
February 7, 2023 at 2:34 pm #99088 (Member)
sybok
@robin:

1) Patching in antiX:
I expect that once Debian patches their X.Org, it would be possible to repack the corresponding package without systemd dependencies in antiX.
Maintaining and packing such a large code base independently from Debian would be a much more daunting undertaking (unless volunteers become available).

BTW, Debian often applies recent security patches to older versions of packages if these are the most recent available in the (old)stable system.

2) X.Org (not) installed:
Search for e.g. 'xorg-server-source' instead of 'xorg'.
X.Org is a collection of different modules/libraries/binaries that are continuously developed, and sometimes a new version of X.Org comprised of these individual components is released.

February 7, 2023 at 2:46 pm #99090 (Member)
Robin
Many thanks, sybok. Meanwhile I found it also; it comes from xserver-xorg-core, not from xserver-xorg-source:

$ which Xorg
/usr/bin/Xorg
$ dpkg-query -S '/usr/bin/Xorg'
xserver-xorg-core: /usr/bin/Xorg
$ apt-cache policy xserver-xorg-core
xserver-xorg-core:
  Installed: 2:1.20.11-1.0nosystemd1
  Candidate: 2:1.20.11-1.0nosystemd1
  Version table:
 *** 2:1.20.11-1.0nosystemd1 500
        500 http://ftp.halifax.rwth-aachen.de/mxlinux/packages/antix/bullseye bullseye/nosystemd amd64 Packages
        100 /var/lib/dpkg/status
     2:1.20.11-1+deb11u4 500
        500 http://security.debian.org bullseye-security/main amd64 Packages
     2:1.20.11-1+deb11u3 500

Seems the very package comes from mxlinux, so we'll have to wait until they provide a security-patched version one way or the other. Hopefully this will come soon, since the vulnerability was disclosed today and surely we'll see it getting exploited very soon.
I wonder whether the version available from bullseye-security would contain the patch already, and how to know when it reaches finally the nosystemd version antiX uses…
Windows is like a submarine. Open a window and serious problems will start.
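An added example (my own code, not anything posted in the thread or shipped by antiX or Debian) that automates the two checks made by hand in this thread: scanning `ps -ef` output for an X server owned by root, as in the opening post, and reading `apt-cache policy` output, as in the post above, to see whether the installed xserver-xorg-core build sorts above the bullseye-security build. The version ordering is a re-implementation of dpkg's comparison algorithm (epoch, then upstream version, then Debian revision; each compared as alternating non-digit and digit runs, with `~` sorting lowest and letters sorting before any other character). Both sample inputs are constructed: the Xorg process line and the version table repeat the values posted in the thread, while the slim process line and the `deb.debian.org` origin for deb11u3 are made up for the example.

```python
# Example code (not from the thread, antiX or Debian): automate the two checks
# made by hand in the thread. Sample inputs are constructed, see their comments.
import os
import re


def _order(c):
    # dpkg's per-character weight: '~' sorts before everything including the
    # end of the string, digits/end are 0, letters by ASCII, other characters last.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp: alternate non-digit runs (lexical via _order)
    # and digit runs (numeric, leading zeros ignored). Returns <0, 0 or >0.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0


def compare_versions(v1, v2):
    """Like `dpkg --compare-versions`: -1, 0 or 1 for v1 <, =, > v2."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    r = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (r > 0) - (r < 0)


X_SERVER_BINARIES = {"Xorg", "X", "Xorg.wrap"}


def root_x_servers(ps_output):
    """From `ps -ef` text, return [(pid, cmd)] for X servers owned by root."""
    found = []
    for line in ps_output.splitlines():
        f = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(f) == 8 and f[0] == "root" and os.path.basename(f[7].split()[0]) in X_SERVER_BINARIES:
            found.append((int(f[1]), f[7]))
    return found


_ENTRY = re.compile(r"^\s*(?:\*\*\*\s+)?(\d\S*)\s+-?\d+\s*$")  # " *** 2:1.20.11-1.0nosystemd1 500"
_ORIGIN = re.compile(r"^\s+\d+\s+(\S+)\s+(\S+)")                # "   500 http://... bullseye/main ..."


def parse_apt_policy(text):
    """Return (installed, [(version, [(url, suite), ...]), ...]) from `apt-cache policy` output."""
    installed, table = None, []
    for line in text.splitlines():
        m = re.match(r"\s*Installed:\s*(\S+)", line)
        if m:
            installed = None if m.group(1) == "(none)" else m.group(1)
        elif _ENTRY.match(line):
            table.append((_ENTRY.match(line).group(1), []))
        elif _ORIGIN.match(line) and table:
            table[-1][1].append(_ORIGIN.match(line).groups())
    return installed, table


def shadowed_security_versions(installed, table, security_host="security.debian.org"):
    """Security-archive versions that dpkg ranks below the installed one: apt
    never downgrades, so these fixes are invisible to `apt upgrade`."""
    return [v for v, origins in table
            if any(security_host in url for url, _ in origins) and compare_versions(installed, v) > 0]


# Constructed `ps -ef` excerpt: the Xorg line repeats the one posted in the
# thread; the slim line is invented for the example.
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      2053     1  0 11:41 ?        00:00:00 /usr/bin/slim
root      2070  2053  1 11:41 tty7     00:00:18 /usr/lib/xorg/Xorg -nolisten tcp -background none -auth /var/run/slim.auth vt07
"""

# Constructed `apt-cache policy xserver-xorg-core` output: versions, the antiX
# origin and the security origin follow the thread; the deb11u3 origin is invented.
POLICY_SAMPLE = """\
xserver-xorg-core:
  Installed: 2:1.20.11-1.0nosystemd1
  Candidate: 2:1.20.11-1.0nosystemd1
  Version table:
 *** 2:1.20.11-1.0nosystemd1 500
        500 http://ftp.halifax.rwth-aachen.de/mxlinux/packages/antix/bullseye bullseye/nosystemd amd64 Packages
        100 /var/lib/dpkg/status
     2:1.20.11-1+deb11u4 500
        500 http://security.debian.org bullseye-security/main amd64 Packages
     2:1.20.11-1+deb11u3 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
"""

if __name__ == "__main__":
    for pid, cmd in root_x_servers(PS_SAMPLE):
        print(f"X server PID {pid} runs as root: {cmd}")
    installed, table = parse_apt_policy(POLICY_SAMPLE)
    for v in shadowed_security_versions(installed, table):
        print(f"{installed} sorts above security build {v}; apt will not offer it")
```

Run against the samples it reports PID 2070 as a root-owned X server and lists 2:1.20.11-1+deb11u4 as shadowed. The reason is in the revision strings: dpkg compares `1.0nosystemd1` and `1+deb11u4` character by character after the common leading `1`, and `+` sorts before `.`, so the antiX build is the higher version. With both archives pinned at priority 500, apt takes the highest version as the candidate, which is why the policy output above marks the nosystemd build with `***` and will not offer the security build as an upgrade; the fix has to arrive as a new nosystemd build, as the thread concludes.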
February 7, 2023 at 2:53 pm #99092 (Forum Admin)
dolphin_oracle

@Robin. The xserver-xorg-core package is antiX's. Most of the mirrors sync antiX packages from an mxlinux server, so that's why you see mxlinux in the web address. Note the folder is .../antix/bullseye.