I was once told that you can use sudo in a terminal on a simple desktop but not (safely) in a DE, because it exposes your environment to root, including XDG variable names for some essential authorisation files. If those files accidentally get transferred to root's ownership, you won't be able to use X as yourself any more unless you hunt down the errant files and delete them. istr that actually happened to me once.

Apparently gksudo and kdesudo contain specific code to prevent that from happening. They are not just sudo with pretty graphics.

1 members found this post helpful.

What you miss here is very well written in the story of nuclear program of Iran, called stuxnet. Those nuclear centrifuges were much more protected than anything you have, they were permanently disconnected from the "outside" net, but they were still destroyed.
That happened more than 10 years ago, believe me, they have much better tools now (to collect your sensitive data).

Stuxnet's introduction into Iran's nuclear facility is uncertain but the 2 most commonly considered sources, are firmware in servos and insider penetration via a flash drive. In short, I'm not missing this at all. I am dead certain considerable of my data is mined. I am almost equally certain nobody is taking control of my PCs... my phone, maybe, but I go to great lengths to isolate my phone from my PCs.

There was some software like spss for linux that required a gui and root access for installation.
Wayland seems to offer little and take away much.

The fact that root sometimes might benefit from running a graphical X application does not necessarily mean that root has to run the X server. It is possible to login as a normal user and start X, then in a terminal window like xterm do "su" or "ssh root@localhost" and then start some graphical X application as root.

regards Henrik

1 members found this post helpful.

Geez! I surely didn't want to open such a can of worms over simple root permissions in X, so here goes:

OK I want to see it. Did Wayland devs have ANY evidence of the number of documented cases of security breaches due to running X as root, or did it just suit their workflow preferences/prejudices and figured nobody would mind?

why do you think it can be documented. Most of the cases are simply not detected at all, just your email, money, whatever is stolen and you have no any idea how did it happen.
Closing potential security gaps reduces the risk. It is that simple. Ignore it at your own risk.

https://www.theregister.com/2018/10/...vulnerability/
https://cve.mitre.org/cgi-bin/cvenam...CVE-2018-14665

Since I only looked for 1 second to find this 2018 trivial to exploit issue, obviously a serious review of the historical and current CVEs will result in a complete answer to the question.

Unfortunately, there's a reality that when the core primary dev stops working at all on the project, which is what happened when the main X.org dev moved to only working on Xwayland, no magical code events occur. Slow, gradual degradation of the codebase, possibly new exploits that required a serious refactor to resolve, begin to go unresolved since there are simply no competent devs who are doing that work anymore.

So it's not like X.org is going to remain static and fine through the future, it's going to drift into what is called 'code rot', a term I used to reject totally since my view was code can't rot, until I started seeing it happen on my own large codebases.

Those are small errors that appear when you innocently are working on some other feature, and simply don't realize you also accidentally impacted some other part, without realizing you did it at all, or underlying bits and pieces hitting issues with Linux kernel drivers changing subtly or not so subtly, thus breaking X.org display drivers.

I'm 100% in the camp that wishes this were not the case, and as with many, Wayland compositors do not solve any problem I have ever had, and also fail to be noticeably better in any area, for me, they are worse, in VirtualBox, wayland compositors are radically more unstable than X.org display server driven desktops and window managers, which for me matters a lot re testing and development, so I'm not a fanboy for wayland, just someone who is trying to be realistic about what to expect as dev hours decline, and more important, as dev talent and experience starts to vanish.

I have always been struck by just how much damage an unskilled / inexperienced dev can do to a codebase in such a short time, and thinking that X.org will be exempted from that issue is not realistic.

I won't name names, but I've been watching this bit rot and dev skill drain in a well known distribution for many years now, and it's gotten to the point where I no longer actually support it, unless its' an easy fix. As with future X.org users unsure why bugs don't get fixed, etc, this distribution's users seem unaware of what happens when you suffer this long term degradation. The actual name of it doesn't matter, it's just a demonstration that bit rot is real, dev talent drain is real, and once a project hits a critical level these issues start to get quite serious.

As an aside, for a few months now, with new kernels (Liquorix) and fairly current desktops (Xfce) I've been starting to see display corruptions in Thunderbird and one or two other programs, which I believe means GTK corruption, and that's the kind of issue you'll be seeing more and more of.

As Qt and Gtk move increasingly to Wayland compositor support primarily, the dev manhours/eyeballs will shrink for the x11 compositor/window managers, and you'll see more and more "won't fix" in valid bug reports because there's no devs who want to do that work, or who get paid to do it.

I was somewhat, for example, shocked, when mrmazda, who does a lot of display and desktop support here on linuxquestions, told me that fedora isn't even shipping X.org 1.21, they are shipping... 1.20, which means, they don't even care to get the latest bug fixes at all, they aren't allocating any resources to X.org at all, not even to the point of packaging the current release. I had a hard time believing this was the case, but mrmazda showed me, Fedora 40 has 1.20, I think, I know 39 does, and that X.org is I think over 2 years old now.

So unless a serious organized effort rises to fork/maintain X.org, it's not going to happen. As someone noted, the X devs put out a call to get volunteers for 1 or 2 years to maintain X.org, and got zero, no, results. Which is I think when they decided probably to let it die, and start working on the wayland protocol full time.

I'm writing this partially for myself, since I, like Garth of Wayne's world, fear change, and in particular, I fear breaking changes that do nothing to improve my actual workflow.

If I were to be objective however, I'd guess the biggest complaint users have, losing network transparency, and thus, losing x11 over network, client / server situations, is probably the least realworld important of all the objections, and the easiest to adapt ones workflow around.

I worry much more about stuff just not working, or being buggy, breaking, failing, in normal use.

But the more of your programs that use current Gtk and Qt, the fewer issues you should see I believe.

3 members found this post helpful.

So far that has been the only mantra about not letting go of xorg. I personally just do not care about it - it is at best in my view a niche thing, and having a network-aware display has never come up. I again can just point to RDP or VNC if you need something similar, but again like that retrobytes video also pointed out, the days of running a display like the days of VAX is over. If Wayland is more secure for not having this feature, then I am all for it - and again it is not like any distro that I have seen is going to pull an OpenBSD and try to fork xorg a.k.a xenocara with least privileges for xorg.

I also have wanted to dabble into a rootless xorg; but it seemed more of a PITA to try to accomplish and would end up breaking DRI/DRM with NVIDIA. The writing is on the wall for xorg as you pointed out, nobody is working on it anymore and not even for security updates - so fedora being bleeding edge makes sense for it to ditch it - so in a way im glad we have fedora, let them bite the bullet first , so we can benefit later on - joking aside though, while I can sympathize with Garth, I also don't like change - but I also never ran into a usecase where I needed the 'advantages' of xorg and having network aware display. Chances are most here probably don't either; and I am going to stubbornly point to RDP or VNC, we have that - sure it might not be like xorg, but oh well it is what it is.

Don Hopkin's account of the X-Windows horror show is an interesting read...
https://donhopkins.medium.com/the-x-...r-128d398ebd47

1 members found this post helpful.

Good read to be honest, I should re-read the UNIX Hater's Hanbook again - rather entertaining read

Actually, despite Xorg being root capable, there are very few serious issues such as that, at least known issues, which pretty much means the internal Xorg security model was quite well functional.

ferrari, that's a good read, thanks. Will have to go over that one a few times to get the timelines and details better.

"Marus J. Ranum" of DEC. Guess what DEC shipped as a GUI for VMS? DECwindows, which was based on ... (you guessed it). X11R4 is old, and X has updated much since then while still keeping it interoperable with older versions. As I stated previously, I'd be OK to switch, but Wayland takes my tool box, turns it upside down, and dumps everything out. Neither Xv nor ImageMagick work properly anymore, so I had to set up grim (which curiously requires slurp, a separate utility, to find a window region) for screen shots. x3270's keyboard window keeps overlapping the main window when you move it, even if you move it away. 50/50 whether an application works correctly with Xwayland. A large around of applications are going to have to be re-written. Do people realize this? If there's already a lack of devs, who is going to rewrite all that?

One thing I like most about Xwindow, and Linux in general, is the user gets the power to do what he wants. If I want to get a GUI login from a Sun SPARC box over the network, I can. You're not getting ssh, let alone RDP/VNC to work on that. Now, it looks (figuratively and literally) like Linux is becoming Mac OSX. Did you notice how fast they drop stuff deemed to be old? Try to find a command line ftp client. A family member's machine didn't even have an ethernet port (only wireless) nor an optical drive on a desktop PC.

If we are to follow the "that's old no one needs that anymore" argument to its logical conclusion, we could rip out 80% of Linux and we'd all be using LinuxQuestions app on our lastest Apple iPhone.

1 members found this post helpful.

All those apps are pulling users away from Windows and Mac, so they must be Exterminated!