Bug 789867 - XAUTHORITY not configured for Xwayland
Status: RESOLVED OBSOLETE
Product: gdm
Classification: Core
Component: general
Version: 3.26.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: GDM maintainers
Reported: 2017-11-03 14:56 UTC by Phillip Susi
Modified: 2018-05-24 11:42 UTC

Description Phillip Susi 2017-11-03 14:56:50 UTC
The man page for gdm3 states that it creates an XAUTHORITY file in /var/run/gdm3 and sets the environment to point to it.  It fails to do so when running Xwayland.  Instead, Xwayland is apparently configured to allow connections from any process run by the same UID, without the need for a magic cookie.

This prevents users from running applications as root, and exposes the ability to interfere with one X session from a completely different session on a different head or cron job or some such as long as it uses the same UID.  This is not desirable either.

Please restore the proper xauthority configuration under Wayland.
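
A way to check which of the two authorization modes described in this report a display is using, as an added example that is not part of the original report or of GDM. It classifies `xhost` output; `classify_x_access` is a hypothetical helper name and the sample lines (including the user name `alice`) are constructed.

```shell
#!/bin/sh
# Classify how an X display authorizes clients, based on `xhost` output.
# On a live session: xhost | classify_x_access "$XAUTHORITY"
#
# mode=cookie : only clients holding the magic cookie may connect
# mode=uid    : server-interpreted localuser entries admit any process
#               running under the listed UIDs, no cookie required
# mode=open   : access control is disabled entirely
classify_x_access() {
    xauth_file=$1      # value of $XAUTHORITY, may be empty
    mode=cookie
    users=
    while IFS= read -r line; do
        case $line in
            "access control disabled"*)
                mode=open ;;
            SI:localuser:*)
                [ "$mode" = open ] || mode=uid
                users="$users ${line#SI:localuser:}" ;;
        esac
    done
    if [ -n "$xauth_file" ] && [ -r "$xauth_file" ]; then
        cookie=present
    else
        cookie=absent
    fi
    echo "mode=$mode cookie_file=$cookie uid_allowed=${users# }"
}

# Constructed sample: what `xhost` prints when the display admits a local
# user by UID and no XAUTHORITY file is exported to the session.
printf '%s\n' \
    "access control enabled, only authorized clients can connect" \
    "SI:localuser:alice" | classify_x_access ""
```

A result of `mode=uid cookie_file=absent` corresponds to the situation the report describes: any process with the listed UID can reach the display, regardless of which session it came from.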
Comment 1 Dave Stroud Sr. 2017-11-03 18:38:27 UTC
This is a game changer. Please fix.
Comment 2 Ray Strode [halfline] 2017-11-03 18:51:46 UTC
Related downstream Fedora report:

https://bugzilla.redhat.com/show_bug.cgi?id=1274451

I don't think we want to allow root by default for X apps using Xwayland if we don't allow root by default for Wayland native apps. We should be consistent between the two.
Comment 3 Jonas Ådahl 2017-11-04 05:03:46 UTC
(In reply to Ray Strode [halfline] from comment #2)
> related downstream fedora report:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1274451
> 
> I don't think we want to allow root by default for X apps using Xwayland if
> we don't allow root by default for wayland native apps.  we should be
> consistent between the two.

Agreed. For Wayland, we don't allow/deny it actively though, it's just sudo (or whatever version of) that doesn't preserve the needed environment variables. For example, "sudo -E gui-app" will make Wayland clients running as root able to connect. Use at your own risk though, as it makes sudo preserve the environment variables (for example $HOME, if one does not also pass -H).

Related: https://bugs.freedesktop.org/show_bug.cgi?id=99371
Comment 4 Dave Stroud Sr. 2017-11-06 21:05:19 UTC
(In reply to Ray Strode [halfline] from comment #2)
> related downstream fedora report:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1274451
> 
> I don't think we want to allow root by default for X apps using Xwayland if
> we don't allow root by default for wayland native apps.  we should be
> consistent between the two.

It's OK to run apt and update manager as root but not OK to run synaptic package manager as root? That makes no sense at all.
Comment 5 GNOME Infrastructure Team 2018-05-24 11:42:27 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gdm/issues/342.