How to determine if X server runs with root privileges


There are a few ways to output the user ID (UID) with ps; a simple one is with -f:

ps -fC X

Will give you information for all the X servers that are running (there can be more than one).

This presumes that the executable is called X -- if there's no such process, you will have to target something else. Since it almost certainly at least has capital X in it (e.g., Xorg, X11), an alternative is to filter through grep:

ps -o uid,comm -A | grep X

This removes the column headers, but the UID is the numerical one on the left. If this is 0, then the process is running as root. If nothing turns up, try ps -fA | grep X; this one involves more clutter.

Finally, if there is no process with capital X in its name, try x; you may at least find commands used to control it, such as startx or xinit. You could also try dm, since display managers usually have this in their name (gdm, etc). However, none of these is actually the X server, and although xinit starts the server, the server executable often has the setuid bit set, meaning even though xinit has a non-privileged UID, X will still run as root.


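A scripted form of the check discussed in this thread, as an added example that is not part of the original answer or comments: it filters `ps` output for the server names mentioned here, reports on the effective UID, and tests a binary for the setuid bit. The function names and the sample process lines are constructed for illustration.

```shell
#!/bin/sh
# Input for the functions below: output of `ps -eo pid=,ppid=,euid=,comm=`
# (PID PPID EUID COMMAND, one process per line, no header).

# Keep only X server processes. The names are the ones seen on this page;
# launchers such as startx, xinit or gdm are not the server and are skipped.
x_servers() {
    awk '$4 ~ /^(X|X11|Xorg|Xorg\.bin)$/'
}

# Print "root" if any server has effective UID 0, "rootless" if servers
# exist and none does, "none" if no server process was found.
x_privilege() {
    x_servers | awk '
        { seen = 1; if ($3 == 0) root = 1 }
        END { print (root ? "root" : (seen ? "rootless" : "none")) }'
}

# Succeeds if the given executable carries the setuid bit, in which case a
# non-root launcher does not imply a non-root server.
has_setuid_bit() {
    [ -u "$1" ]
}

# Run against the live process table and the installed Xorg binary.
check_live() {
    ps -eo pid=,ppid=,euid=,comm= | x_privilege
    bin=$(command -v Xorg) && has_setuid_bit "$bin" && echo "setuid: $bin"
    return 0
}

# Constructed samples (not captured from a real system).
SAMPLE_ROOTLESS='  612     1     0 systemd-logind
  901   880  1000 startx
  915   901  1000 xinit
  916   915  1000 Xorg.bin'
SAMPLE_ROOT='  915   901  1000 xinit
  916   915     0 Xorg'

printf '%s\n' "$SAMPLE_ROOTLESS" | x_privilege   # rootless
printf '%s\n' "$SAMPLE_ROOT" | x_privilege       # root
```

Call `check_live` on a real machine; the two sample runs only exercise the parsing.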

Author by

lord.garbage

Updated on September 18, 2022

Comments

  • lord.garbage
    lord.garbage over 1 year

    This is a one-liner: Is there a way/command to check if the X server is run as root or as user?


    This was supposed to be a one-liner but alas... I recently upgraded my Arch Linux box. After the upgrade I was notified that X now runs rootless. I checked on the official Arch Linux page and it states:

    X is now rootless with the help of systemd-logind [...] [1]

    This got me interested in how to check whether X is run rootless or not. How can this be done?

  • goldilocks
    goldilocks almost 10 years
    The ps X output is unrelated (see OUTPUT FORMAT CONTROL in man ps about that). I think the X server isn't necessarily called X, which might be your problem, but it should at least contain the letter X; I've added a paragraph about using grep to get around this.
  • goldilocks
    goldilocks almost 10 years
    Maybe that was my bad. It seems an odd way to put it to me, but I'll defer to the Arch docs. I use startx as well; on my system it hands off to xinit, and only the latter persists in the process table. The parent process of the X server is xinit, so for you it should be startx. You find this via the PPID given by ps -f once you know the name of the X server process. Take that PPID number and ps -p + the PPID should give you startx. If none of these things has UID 0, it is "running rootless".
  • lord.garbage
    lord.garbage almost 10 years
    Nice. I have both processes persisting, startx and xinit. I check them with ps -fC startx and ps -fC xinit. Both have a UID ≠ 0. One important sidenote: I was only able to find startx and xinit feeding grep a lowercase x. You think it advisable to include this in your answer?
  • goldilocks
    goldilocks almost 10 years
    Hmmm -- I've added another paragraph about this. Neither xinit nor startx is actually the X server, which is a bit of an issue. I've asked about this in chat: chat.stackexchange.com/rooms/26/unix-and-linux What output do you get for which X or which Xorg?
  • lord.garbage
    lord.garbage almost 10 years
    Input: which X. Output: /usr/bin/X. Input: which Xorg. Output: /usr/bin/Xorg. I get output for ps -fC Xorg.bin. Its path is /usr/bin/Xorg.bin. Its UID is also different from 0.
  • goldilocks
    goldilocks almost 10 years
    Okay, that's almost certainly the server then, which doesn't have UID root. Strange the grep did not work -- obviously ps -fA | grep X would work, I avoided that one because it will include a lot of other clutter.
  • goldilocks
    goldilocks almost 10 years
    I would guess the reason for the separate Xorg.bin is to have one without the setuid bit set, so that it will run non-root.
  • lord.garbage
    lord.garbage almost 10 years
    Excellent. Problem solved. Thanks for your patience and effort! I will read up on how this exactly works!