This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
Non root Xorg
This guide details running X server under user account.
This has been successfully tested using Nouveau and Intel drivers
Additional prerequisites
Some of this support is relatively recent, and it may be necessary to install unstable packages. If it fails to work with stable, keywording certain packages may be necessary.
/etc/portage/package.keywordsx11-base/xorg-server x11-base/xorg-drivers x11-drivers/xf86-input-keyboard x11-drivers/xf86-input-mouse x11-drivers/xf86-input-evdev # Select from the following based on your video hardware, both may be needed for multi-GPU systems. x11-drivers/xf86-video-nouveau x11-drivers/xf86-video-intel
Rebuilding Xorg
Disable suid USE flag:
/etc/portage/package.usex11-base/xorg-server -suid
Rebuild Xorg:
root #emerge --update --deep --newuse --verbose --ask x11-base/xorg-serverMaking necessary changes to system
Now you can run X as user, however because none of login managers are currently capable of doing necessary permission handling it needs some workarounds. In particular, X run by user needs to be able to access /dev/input files and it needs to be started directly as the user. Additionally, as with using direct rendering, the unprivileged user also needs access to the video hardware, typically achieved by adding them to the video group (though certain login managers, such as ConsoleKit or systemd-logind may handle this for you).
To access /dev/input files it's easiest to add them to group and allow user to access them.
The input group and udev rules may already exist on many Gentoo systems. If they exist for you, you may skip the steps before adding your user to the necessary groups.
root #groupadd inputCreate udev rule to change /dev/input group on boot:
/etc/udev/rules.d/99-dev-input-group.rulesSUBSYSTEM=="input", ACTION=="add", GROUP="input"
Reload udev rules to get the new permissions
This may interfere with your input devices on the current
vtyroot #/etc/init.d/udev reloadAnd finally, add your user to the necessary groups:
root #usermod -a -G input,video userLog out and log back in (for the permissions changes to take effect), and then start X by running:
user $startx -- vt1If logged on tty1 use vt1, on tty2 use vt2, and so on.
X should now be running as an unprivileged user.
Security concerns
Running X as a normal user is generally a positive step for security, with the exception of multiuser or, especially, multiseat systems. With the direct access to input devices by the user, it becomes trivially possible to snoop on the input of another active user or run a background job to snoop on the input of a future user of the system. For such systems, it's likely better to choose a solution other than running X as the logged-in user (such as using setuid with a dedicated, unprivileged user or using setgid for the input group).
Alternative method
In this section we will detail "setgid" mentioned above.
The objective is to run X as an unprivileged user without adding a user to the input group. This can prevent user from accidentally or intentionally snooping on the input.
To achieve this goal we make use of setgid so that when a user starts X, the X server will be automatically granted permission to access input devices.
Change the ownership of /usr/bin/Xorg:
root #chown -v :input /usr/bin/XorgChange the file permission of /usr/bin/Xorg:
root #chmod -v g+s /usr/bin/XorgNow your user is not required to be in the input group to run X server. To remove your user from input group:
root #gpasswd -d user inputBut your user still needs to be in the video group:
root #usermod -a -G video userNow start X as a regular user (see above) and X server should function well.