|| The xserver (or Xwrapper) is suid root.
|| This is necessary to access certain privileged devices.
|| Now I have heard that, in conformance with good security
|| practices, the xserver quickly gives up its root privileges
|| as soon as it has opened those devices, by changing the
|| effective user back to the real user. However, when I run a
|| "ps -eo euser,ruser,cmd" the effective user still appears
|| to be root. Is this required behaviour? Is it not possible
|| to run the xserver as an ordinary user after the privileged
|| devices have been opened?
|As long as X is going to control the real screen, keyboard, mouse, tablet, etc., I
|don't think it can run as a user but needs to run as root.
Depends on the platform/OS. On Solaris/sparc for instance, X never
needs to run as user root, as the sparc platform doesn't require it
to access devices the way the intel platform does. On Solaris/intel,
the Xserver is able to drop privileges for most of the Xserver
operation, reasserting them when necessary.
Working for, but definitely not speaking for, Sun Microsystems, Inc.
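
The drop-and-reassert pattern discussed in this thread, as an added example that is not part of the original messages and is not code from any X server: a setuid-root program switches its effective uid to the real user, reasserts root only around a privileged operation, and finally gives root up for good and checks that it cannot come back. The function names are hypothetical, only user ids are handled (a setgid program would treat group ids the same way), and the binary is assumed to be setuid root.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Effective uid at startup: root for a setuid-root binary (assumption). */
static uid_t priv_euid;

/* Run as the invoking user; the saved set-user-ID keeps priv_euid. */
int priv_drop_temp(void) {
    priv_euid = geteuid();
    return seteuid(getuid());
}

/* Reassert privilege just long enough for a privileged operation. */
int priv_raise(void) {
    return seteuid(priv_euid);
}

/* Give privilege up for good. Call priv_drop_temp() first. */
int priv_drop_perm(void) {
    uid_t ruid = getuid();
    /* setuid() resets real, effective and saved ids only when called
       with privilege, so raise first. */
    if (seteuid(priv_euid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    /* Verify: getting the old euid back must now fail. */
    if (priv_euid != ruid && seteuid(priv_euid) == 0) return -1;
    return geteuid() == ruid ? 0 : -1;
}

/* Same two columns as "ps -eo euser,ruser", as numeric ids. */
static void show(const char *stage) {
    printf("%-16s euid=%ld ruid=%ld\n", stage, (long)geteuid(), (long)getuid());
}

int main(void) {
    show("startup");
    if (priv_drop_temp() != 0) { perror("seteuid"); return 1; }
    show("dropped (temp)");
    if (priv_raise() != 0) { perror("seteuid"); return 1; }
    show("raised");
    /* ... open the privileged device here, keep the descriptor ... */
    if (priv_drop_perm() != 0) { fprintf(stderr, "drop failed\n"); return 1; }
    show("dropped (perm)");
    return 0;
}
```

Run from an ordinary account without the setuid bit, every stage prints the same ids; the transitions only become visible when the binary is installed setuid root.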