# Previlige state of Xorg and Urxvt



## museur (May 12, 2020)

I'm not sure if this is an issue for security but I was wondering if is it possible to run urxvt and/or xorg as an unpreviliged user that isn't root.

Starting urxvt opens an another instance by root killing of which effects nothing at all.


----------



## Sevendogsbsd (May 12, 2020)

Of course, you should not be running xorg or a graphical session as root anyway. How are you running them now? Have you created an unprivileged user?


----------



## museur (May 12, 2020)

I'm either using xinit or startx after logging in as normal user. I check them from htop and they are seem to be running in root.


----------



## SirDice (May 12, 2020)

Xorg(1) itself needs to run as root, but `startx` should be run as a normal user. Various display managers are also started on the root account because they start Xorg. The reason you don't need root for `startx` is because it's started through /usr/local/bin/Xorg.wrap which is setuid(1) root.


----------



## Sevendogsbsd (May 12, 2020)

Interesting. Not sure why that would happen. I invoke `startx` as an unprivileged user and never noticed it running as root. I wouldn't think this could happen because `sudo` wasn't used. 

Are you using a display manager (xdm, sddm, gdm, lightdm)?


----------



## xtremae (May 12, 2020)

Sevendogsbsd said:


> Interesting. Not sure why that would happen. I invoke  startx as an unprivileged user


If the target binary (X) is setuid, and in this case it is, the binary will run with the permissions of the owner which is the root user. If you unset the setuid bit from the binary (X) and invoke it as a regular user it will fail to initialize.

Normally, to run the server itself as an unprivileged user you need session management in the form of (e)logind that tracks authenticated logins and grants the required permissions.


----------



## museur (May 12, 2020)

Sevendogsbsd said:


> Interesting. Not sure why that would happen. I invoke `startx` as an unprivileged user and never noticed it running as root. I wouldn't think this could happen because `sudo` wasn't used.
> 
> Are you using a display manager (xdm, sddm, gdm, lightdm)?



No I login in in vt/terminal and invoke xorg trought there.



xtremae said:


> If the target binary (X) is setuid, and in this case it is, the binary will run with the permissions of the owner which is the root user. If you unset the setuid bit from the binary (X) and invoke it as a regular user it will fail to initialize.
> 
> Normally, to run the server itself as an unprivileged user you need session management in the form of (e)logind that tracks authenticated logins and grants the required permissions.



So it is expected to run as root in default install? What about URxvt?


----------



## xtremae (May 12, 2020)

museur said:


> So it is expected to run as root in default install?


Yes.



museur said:


> What about URxvt?


Xorg clients (GUIs) including urxvt should run as your own (unprivileged) user.


----------



## museur (May 12, 2020)

xtremae said:


> Yes.
> 
> 
> Xorg clients (GUIs) including urxvt should run as your own (unprivileged) user.



Anyway I start urxvt, either from dmenu or sxhkd or trough xterm either diractly or as a daemon it is starting two instances, one root and another as "user"; I didn't tinker with it anyway.


----------

