For all you security-conscious people


You mean “obsessed”? :wink:

1 Like

LOL yes, I was trying to be polite :smiley:


I’ll say nothing more, to avoid saying a word too much. :wink:

1 Like

Ouch! :laughing:

1 Like

Thx for that link @Dobbie03 , bookmarked for future use.

Nice guide, thanks for the link.

Debian testing/unstable has a hardening-runtime package that applies most of the sysctl & kernel command line settings automatically but the guide missed a couple of important kernel parameters:

kaslr nosmt

These enable kernel address space randomisation and disable symmetric multiprocessing (hyperthreads), both of which offer significant protections albeit at some performance cost.

The advantages of so-called “open source” hardware are over-played (IMO) because the CPU microarchitecture is closed and most motherboard controllers for things like hard drives are so complex that they can be pwned to subvert the system[1] and the firmware is proprietary.

And of course Linux itself is not particularly security-focused and the kernel developers have shown a marked lack of interest in such issues — I wouldn’t dream of doing my internet banking with a Linux system, OpenBSD would always be my preferred option for important stuff like that.

Disclaimer: I am obsessed :grin:

Thx for sharing @Head_on_a_Stick , will be handy for my BL installs.

Interesting website, thanks a lot for sharing.

edit: for those of you interested, I just applied most of the suggestions of the website linked by dobbie and everything is still working after some testing. The only thing I noticed is that in section 16.2 (disable the systemd core dumps) the website mentions /etc/systemd/coredump.conf.d/custom.conf whereas /etc/systemd/custom.conf does already exist and you can simply edit that file. Thanks again for sharing!

edit: Actually, I am running into issues running Xorg as non-root.
@natemaia @Dobbie03 : Can you give me a hint why Xwrapper.conf in /etc/X11 with needs_root_rights = no is ignored? Could it have anything to do with how AL starts Xorg?

ps -o uid,comm -A | grep X says it’s still run as root.

what is this?

ps -o uid, comm -A \ grep X

^ It’s garbage in my terminal.
I’m using Nvidia for now so that might be why.

Try this: ps -o uid,comm -A | grep X

Ok that’s better, mine says “1000 Xorg” and I have used this modification.

Mhm, that’s interesting. What wm are you using / how are you starting your Xorg?

Openbox and starting via xinitrc

It’s supposed to be Xwrapper.config not .conf, see

man xorg.wrap

also here
specifically the bit about kernel mode setting. Also note that redirection is still broken when running rootless Xorg, the Arch wiki explains a fix for this on that same page.

1 Like

Thanks for the reply! Changed the file name to .config as suggested, unfortunately this changed nothing and Xorg is still run as root.
Is it possible that it has to do with running i3?
And I am kind of embarrassed to even ask but regarding redirection - I have looked for some time now but I can’t find a config file that actually contains startx or similar. Would I have to append the -keeptty to the /etc/X11/xinit/xserverrc file where it says exec /usr/bin/X -nolisten tcp "$@"?

Depending on your shell it’ll be in ~/.*profile

Mine’s ~/.zprofile and contains the following

(( XDG_VTNR > 1 || ${#DISPLAY} )) || exec startx -- -keeptty -dpi 92 > ~/.local/share/xorg/xsession-errors.log

Regardless of redirection I was able to just add needs_root_rights = yes to force root X (without this my system always runs rootless X since switching to the amdgpu driver :thinking: ), by default if everything is in place to run X as a normal user, it will. The wiki says all you need is:

  • Starting X via xinit; display managers are not supported
  • Kernel mode setting; implementations in proprietary display drivers fail auto-detection and require manually setting needs_root_rights = no in /etc/X11/Xwrapper.config .

May I ask what video driver you’re using and whether you know if modesetting is enabled or not?

Can also check some of the comments on this page from when it was originally added, though I suspect many of the issues have been fixed

Weirdly, after reading in the wiki, I was looking for my ~/.zprofile as well as I have never tampered with shells and so it should be AL-stock basically. So I was confused to find that I did not have such a file. I found ~/.bash_profile but this only refers to .bashrc. This is why I am confused about where my startx or similar is actually coming from…
Before changing anything I did check how my Xorg was running and it was running as root which is why I attempted to change it. No idea why it would not be run as user to begin with…

I have disabled my nvidia graphics card using bumblebee and I have in my /usr/lib/modprobe.d:

blacklist nvidia
blacklist nvidia-drm
blacklist nvidia-modeset
blacklist nvidia-uvm
blacklist nouveau

I am running xf86-video-intel drivers for my onboard graphics.

Does this answer your questions? Thanks a lot for your help!

Could it have something to do with using lightdm? Couldn’t find anything about this yet, though.

edit: I have just found out: switching to another tty and using startx, then running the ps -o command shows Xorg is being run as user!

This is still the standard behaviour and only a few distributions have a “wrapper” for X that allows running it as a normal user when possible.

Regarding not having a profile I really am not sure, startx wouldn’t be executed if you don’t have something doing it though so it must be somewhere

grep 'startx' ~/.*

See the first requirement to rootless X in my previous post and the wiki page linked above.

The only reason you would have/need a ~/.*profile file is for automatically running startx after logging in via the console or with systemd autologin.

1 Like
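
The checks worked through in this thread (the ps test, the Xwrapper.config file name, and the needs_root_rights setting) collected into one script. This is an added example, not part of any post above; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: why is X still running as root? (function names are illustrative)

# Print "uid comm" for each X server in `ps -o uid,comm -A` output on stdin.
x_servers() {
    awk '$2 == "X" || $2 == "Xorg" { print $1, $2 }'
}

# Print the effective needs_root_rights value from the given wrapper config.
# Xorg.wrap falls back to "auto" when the file or the key is missing.
needs_root_rights() {
    value=""
    if [ -r "$1" ]; then
        value=$(sed -n 's/^[[:space:]]*needs_root_rights[[:space:]]*=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" | tail -n 1)
    fi
    echo "${value:-auto}"
}

# Audit a config directory ($1) against a ps listing read from stdin.
audit_x() {
    dir=$1
    if [ -e "$dir/Xwrapper.conf" ]; then
        echo "WARN: $dir/Xwrapper.conf is not read; the wrapper uses Xwrapper.config"
    fi
    echo "INFO: needs_root_rights=$(needs_root_rights "$dir/Xwrapper.config")"
    x_servers | while read -r uid comm; do
        if [ "$uid" -eq 0 ]; then
            echo "WARN: $comm runs as root (uid 0); rootless X needs startx/xinit, not a display manager"
        else
            echo "OK: $comm runs as uid $uid"
        fi
    done
}

# Constructed sample reproducing the thread: misnamed file, X owned by root.
demo=$(mktemp -d)
echo 'needs_root_rights = no' > "$demo/Xwrapper.conf"
printf '  UID COMMAND\n    0 Xorg\n 1000 i3\n' | audit_x "$demo"
rm -rf "$demo"
# Live use: ps -o uid,comm -A | audit_x /etc/X11
```
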