[HowTo] Rootless Graphical Session (rootless xorg, rootless wayland)

Difficulty: ★★☆☆☆

Rootless Graphical Sessions

In many cases the display server may be launched with root privileges.
To verify how Xorg is started you may use:
ps -o user= -C Xorg

This of course can be a security concern.
A somewhat contemporary, albeit far from exhaustive, example would be:

Launching xorg or wayland rootless will require different steps for different display managers.


GDM


GDM will automatically launch X or Wayland rootless if kernel mode setting is configured.


SDDM


Beginning with version 0.20.0 SDDM can launch the display server rootless.
SDDM requires configuration files for xorg and wayland respectively.

  • X11

    Edit /etc/sddm.conf.d/rootless-x11.conf

    [General]
    DisplayServer=x11-user
    
  • Wayland

    Edit /etc/sddm.conf.d/rootless-wayland.conf

    [General]
    DisplayServer=wayland
    GreeterEnvironment=QT_WAYLAND_SHELL_INTEGRATION=layer-shell
    [Wayland]
    CompositorCommand="weston --shell=fullscreen-shell.so"
    

    NOTE: This is the default compositor command.
    If you want a different Wayland compositor to render SDDM, replace the CompositorCommand string with the relevant command and arguments.
    For KWin you may use:
    kwin_wayland --no-lockscreen --no-global-shortcuts


Additional Steps for Everyone


These configurations are for everyone.
They can be considered optional for users of Display Managers, and required for those without one.

  • xserverrc

    You may edit /etc/X11/xinit/xserverrc directly, but it is advisable to copy it to ~/.xserverrc and edit the copy instead.

    • Remove exec from the line if it exists to ensure startx is a subprocess of the login shell.
      Example:
      exec /usr/bin/X -nolisten tcp "$@"
      becomes
      /usr/bin/X -nolisten tcp "$@"

    • Use -keeptty to keep log redirection.
      When X is run rootless, its log is written to ~/.local/share/xorg/Xorg.log, but the stdout and stderr output of the Xorg session is not redirected there.
      Example:
      /usr/bin/X -nolisten tcp "$@"
      becomes
      /usr/bin/X -nolisten tcp "$@" -keeptty

    • Make sure that Xorg uses the correct virtual terminal for its permissions, such as by passing vt$XDG_VTNR.
      Example:
      /usr/bin/X -nolisten tcp "$@" -keeptty
      becomes
      /usr/bin/X -nolisten tcp "$@" -keeptty vt$XDG_VTNR

  • Proprietary graphics (nvidia)

    Kernel Mode Setting will fail unless the following is set in /etc/X11/Xwrapper.config:
    needs_root_rights=no
    NOTE: The following was previously reported to sometimes be required. Retained for posterity.
    allowed_users=anybody
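As an added example (not part of the original post), the POSIX shell script below applies the three xserverrc edits described above to a copy of the file and audits the result; it assumes sed and grep are available, that the server invocation line contains bin/X, and, for the live check, a Linux procps ps.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the three xserverrc edits
# described above (drop exec, add -keeptty, add vt$XDG_VTNR) and audits a file
# for them. Assumes POSIX sh with sed/grep; "bin/X" marks the server line.

# harden_x_line LINE: print LINE rewritten as the steps above describe.
harden_x_line() {
    line=$1
    # Step 1: drop a leading "exec " so X stays a subprocess of the login shell.
    line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*exec[[:space:]]\{1,\}//')
    # Step 2: -keeptty keeps the server's stdout/stderr on the tty for logging.
    case " $line " in *" -keeptty "*) ;; *) line="$line -keeptty" ;; esac
    # Step 3: bind X to the VT the login owns. The $ stays literal here; the
    # shell running xserverrc expands XDG_VTNR when startx is invoked.
    case "$line" in *'vt$XDG_VTNR'*) ;; *) line="$line vt\$XDG_VTNR" ;; esac
    printf '%s\n' "$line"
}

# harden_xserverrc FILE: print FILE with every server invocation rewritten;
# comments and other lines pass through unchanged.
harden_xserverrc() {
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in
            \#*) printf '%s\n' "$l" ;;
            *bin/X*) harden_x_line "$l" ;;
            *) printf '%s\n' "$l" ;;
        esac
    done < "$1"
}

# audit_xserverrc FILE: return 0 if the server line has all three properties,
# otherwise name each missing one on stdout and return 1.
audit_xserverrc() {
    rc=0
    xline=$(grep 'bin/X' "$1" | grep -v '^[[:space:]]*#' | head -n 1)
    [ -n "$xline" ] || { echo "no X invocation found in $1"; return 1; }
    trimmed=$(printf '%s\n' "$xline" | sed 's/^[[:space:]]*//')
    case "$trimmed" in exec[[:space:]]*) echo "still uses exec"; rc=1 ;; esac
    case " $trimmed " in *" -keeptty "*) ;; *) echo "missing -keeptty"; rc=1 ;; esac
    case "$trimmed" in *'vt$XDG_VTNR'*) ;; *) echo 'missing vt$XDG_VTNR'; rc=1 ;; esac
    return $rc
}

# xorg_runs_as_root: the live check from the top of the post (Linux procps ps).
xorg_runs_as_root() { ps -o user= -C Xorg 2>/dev/null | grep -qx root; }

# Typical use: harden_xserverrc /etc/X11/xinit/xserverrc > ~/.xserverrc
#              audit_xserverrc ~/.xserverrc && echo "xserverrc ready"
```

After a fresh login, xorg_runs_as_root should return non-zero; if it still returns 0, the display manager rather than xserverrc is launching the server and the sections above apply.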


LightDM


Sorry lightdm users, there is currently no way to launch your display server rootless from lightdm.
A bug thread can be found here: Support non-root X · Issue #18 · canonical/lightdm · GitHub :cry:


Final Notes


  • I use KDE, SDDM, X11 - all else is provided only for testing.
    There may be dragons. There may not.

  • In the case of SDDM (possibly others) there existed a sometimes-bug resulting in the display handoff not always working as expected. In these cases the user must simply manually switch seats, such as by using Ctrl+Alt+F#

  • This will be marked a wiki post.
    So consider it an evolving work in progress as things change and feel free to correct or fill it out.



kudos to you, for a very timely guide now that sddm supports this on X11. will be joining the bandwagon, hopefully in the weekend.

Thank you for this info - very, very useful :slight_smile:

One important note to this how-to is that it doesn’t work on laptops with optimus-manager enabled, SDDM simply won’t start. So in order to have rootless Xorg one needs first to stop and disable optimus-manager.service and remove the /etc/sddm.conf.d/20-optimus-manager.conf configuration file. Or just remove the optimus-manager package altogether, if you’re going to stick to rootless Xorg from now on.

Like many things :sweat_smile:


I’m on SDDM + KDE + X11 and all seems good so far after enabling this. Apart from the SDDM display handoff bug are there any other potential issues to be aware of when running rootless? If not then this seems like a complete no-brainer with regards to security.

That's the only thing I have noticed after running it for a while.
There may be the odd thing that assumes root.
Apparently the much maligned optimus-manager is one.
(let us know if you hit something else)

This seems to be gone since 0.20.0-2 :slight_smile: