3 files changed, 21 insertions, 46 deletions
diff --git a/include/sway/server.h b/include/sway/server.h
index 3d59ca56..4cce17cc 100644
--- a/include/sway/server.h
+++ b/include/sway/server.h
@@ -148,8 +148,6 @@ struct sway_debug {
 extern struct sway_debug debug;
-/* Prepares an unprivileged server_init by performing all privileged operations in advance */
-bool server_privileged_prepare(struct sway_server *server);
 bool server_init(struct sway_server *server);
 void server_fini(struct sway_server *server);
 bool server_start(struct sway_server *server);
diff --git a/sway/main.c b/sway/main.c
index a0033c45..a46e5231 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -150,27 +150,17 @@ static void log_kernel(void) {
        pclose(f);
 }
+static bool detect_suid(void) {
-static bool drop_permissions(void) {
+        if (geteuid() != 0 && getegid() != 0) {
-        if (getuid() != geteuid() || getgid() != getegid()) {
+                return false;
-                sway_log(SWAY_ERROR, "!!! DEPRECATION WARNING: "
-                        "SUID privilege drop will be removed in a future release, please migrate to seatd-launch");
-                // Set the gid and uid in the correct order.
-                if (setgid(getgid()) != 0) {
-                        sway_log(SWAY_ERROR, "Unable to drop root group, refusing to start");
-                        return false;
-                }
-                if (setuid(getuid()) != 0) {
-                        sway_log(SWAY_ERROR, "Unable to drop root user, refusing to start");
-                        return false;
-                }
        }
-        if (setgid(0) != -1 || setuid(0) != -1) {
-                sway_log(SWAY_ERROR, "Unable to drop root (we shouldn't be able to "
+        if (getuid() == geteuid() && getgid() == getegid()) {
-                        "restore it after setuid), refusing to start");
                return false;
        }
+        sway_log(SWAY_ERROR, "SUID operation is no longer supported, refusing to start. "
+                        "This check will be removed in a future release.");
        return true;
 }
@@ -319,6 +309,11 @@ int main(int argc, char **argv) {
                }
        }
+        // SUID operation is deprecated, so block it for now.
+        if (detect_suid()) {
+                exit(EXIT_FAILURE);
+        }
        // Since wayland requires XDG_RUNTIME_DIR to be set, abort with just the
        // clear error message (when not running as an IPC client).
        if (!getenv("XDG_RUNTIME_DIR") && optind == argc) {
@@ -357,9 +352,6 @@ int main(int argc, char **argv) {
                                        "`sway -d 2>sway.log`.");
                        exit(EXIT_FAILURE);
                }
-                if (!drop_permissions()) {
-                        exit(EXIT_FAILURE);
-                }
                char *socket_path = getenv("SWAYSOCK");
                if (!socket_path) {
                        sway_log(SWAY_ERROR, "Unable to retrieve socket path");
@@ -372,16 +364,6 @@ int main(int argc, char **argv) {
        }
        detect_proprietary(allow_unsupported_gpu);
-        if (!server_privileged_prepare(&server)) {
-                return 1;
-        }
-        if (!drop_permissions()) {
-                server_fini(&server);
-                exit(EXIT_FAILURE);
-        }
        increase_nofile_limit();
        // handle SIGTERM signals
diff --git a/sway/server.c b/sway/server.c
index 627d80d6..be74b3b3 100644
--- a/sway/server.c
+++ b/sway/server.c
@@ -47,19 +47,6 @@
 #include "sway/xwayland.h"
 #endif
-bool server_privileged_prepare(struct sway_server *server) {
-        sway_log(SWAY_DEBUG, "Preparing Wayland server initialization");
-        server->wl_display = wl_display_create();
-        server->wl_event_loop = wl_display_get_event_loop(server->wl_display);
-        server->backend = wlr_backend_autocreate(server->wl_display);
-        if (!server->backend) {
-                sway_log(SWAY_ERROR, "Unable to create backend");
-                return false;
-        }
-        return true;
-}
 static void handle_drm_lease_request(struct wl_listener *listener, void *data) {
        /* We only offer non-desktop outputs, but in the future we might want to do
         * more logic here. */
@@ -76,6 +63,14 @@ static void handle_drm_lease_request(struct wl_listener *listener, void *data) {
 bool server_init(struct sway_server *server) {
        sway_log(SWAY_DEBUG, "Initializing Wayland server");
+        server->wl_display = wl_display_create();
+        server->wl_event_loop = wl_display_get_event_loop(server->wl_display);
+        server->backend = wlr_backend_autocreate(server->wl_display);
+        if (!server->backend) {
+                sway_log(SWAY_ERROR, "Unable to create backend");
+                return false;
+        }
        server->renderer = wlr_renderer_autocreate(server->backend);
        if (!server->renderer) {

diff --git a/include/sway/server.h b/include/sway/server.h index 3d59ca56..4cce17cc 100644 --- a/include/sway/server.h +++ b/include/sway/server.h
@@ -148,8 +148,6 @@ struct sway_debug {
148		148
149	extern struct sway_debug debug;	149	extern struct sway_debug debug;
150		150
151	/* Prepares an unprivileged server_init by performing all privileged operations in advance */
152	bool server_privileged_prepare(struct sway_server *server);
153	bool server_init(struct sway_server *server);	151	bool server_init(struct sway_server *server);
154	void server_fini(struct sway_server *server);	152	void server_fini(struct sway_server *server);
155	bool server_start(struct sway_server *server);	153	bool server_start(struct sway_server *server);


diff --git a/sway/main.c b/sway/main.c index a0033c45..a46e5231 100644 --- a/sway/main.c +++ b/sway/main.c
@@ -150,27 +150,17 @@ static void log_kernel(void) {
150	pclose(f);	150	pclose(f);
151	}	151	}
152		152
153		153	static bool detect_suid(void) {
154	static bool drop_permissions(void) {	154	if (geteuid() != 0 && getegid() != 0) {
155	if (getuid() != geteuid() \|\| getgid() != getegid()) {	155	return false;
156	sway_log(SWAY_ERROR, "!!! DEPRECATION WARNING: "
157	"SUID privilege drop will be removed in a future release, please migrate to seatd-launch");
158
159	// Set the gid and uid in the correct order.
160	if (setgid(getgid()) != 0) {
161	sway_log(SWAY_ERROR, "Unable to drop root group, refusing to start");
162	return false;
163	}
164	if (setuid(getuid()) != 0) {
165	sway_log(SWAY_ERROR, "Unable to drop root user, refusing to start");
166	return false;
167	}
168	}	156	}
169	if (setgid(0) != -1 \|\| setuid(0) != -1) {	157
170	sway_log(SWAY_ERROR, "Unable to drop root (we shouldn't be able to "	158	if (getuid() == geteuid() && getgid() == getegid()) {
171	"restore it after setuid), refusing to start");
172	return false;	159	return false;
173	}	160	}
		161
		162	sway_log(SWAY_ERROR, "SUID operation is no longer supported, refusing to start. "
		163	"This check will be removed in a future release.");
174	return true;	164	return true;
175	}	165	}
176		166
@@ -319,6 +309,11 @@ int main(int argc, char **argv) {
319	}	309	}
320	}	310	}
321		311
		312	// SUID operation is deprecated, so block it for now.
		313	if (detect_suid()) {
		314	exit(EXIT_FAILURE);
		315	}
		316
322	// Since wayland requires XDG_RUNTIME_DIR to be set, abort with just the	317	// Since wayland requires XDG_RUNTIME_DIR to be set, abort with just the
323	// clear error message (when not running as an IPC client).	318	// clear error message (when not running as an IPC client).
324	if (!getenv("XDG_RUNTIME_DIR") && optind == argc) {	319	if (!getenv("XDG_RUNTIME_DIR") && optind == argc) {
@@ -357,9 +352,6 @@ int main(int argc, char **argv) {
357	"`sway -d 2>sway.log`.");	352	"`sway -d 2>sway.log`.");
358	exit(EXIT_FAILURE);	353	exit(EXIT_FAILURE);
359	}	354	}
360	if (!drop_permissions()) {
361	exit(EXIT_FAILURE);
362	}
363	char *socket_path = getenv("SWAYSOCK");	355	char *socket_path = getenv("SWAYSOCK");
364	if (!socket_path) {	356	if (!socket_path) {
365	sway_log(SWAY_ERROR, "Unable to retrieve socket path");	357	sway_log(SWAY_ERROR, "Unable to retrieve socket path");
@@ -372,16 +364,6 @@ int main(int argc, char **argv) {
372	}	364	}
373		365
374	detect_proprietary(allow_unsupported_gpu);	366	detect_proprietary(allow_unsupported_gpu);
375
376	if (!server_privileged_prepare(&server)) {
377	return 1;
378	}
379
380	if (!drop_permissions()) {
381	server_fini(&server);
382	exit(EXIT_FAILURE);
383	}
384
385	increase_nofile_limit();	367	increase_nofile_limit();
386		368
387	// handle SIGTERM signals	369	// handle SIGTERM signals


diff --git a/sway/server.c b/sway/server.c index 627d80d6..be74b3b3 100644 --- a/sway/server.c +++ b/sway/server.c
@@ -47,19 +47,6 @@
47	#include "sway/xwayland.h"	47	#include "sway/xwayland.h"
48	#endif	48	#endif
49		49
50	bool server_privileged_prepare(struct sway_server *server) {
51	sway_log(SWAY_DEBUG, "Preparing Wayland server initialization");
52	server->wl_display = wl_display_create();
53	server->wl_event_loop = wl_display_get_event_loop(server->wl_display);
54	server->backend = wlr_backend_autocreate(server->wl_display);
55
56	if (!server->backend) {
57	sway_log(SWAY_ERROR, "Unable to create backend");
58	return false;
59	}
60	return true;
61	}
62
63	static void handle_drm_lease_request(struct wl_listener listener, void data) {	50	static void handle_drm_lease_request(struct wl_listener listener, void data) {
64	/* We only offer non-desktop outputs, but in the future we might want to do	51	/* We only offer non-desktop outputs, but in the future we might want to do
65	* more logic here. */	52	* more logic here. */
@@ -76,6 +63,14 @@ static void handle_drm_lease_request(struct wl_listener listener, void data) {
76		63
77	bool server_init(struct sway_server *server) {	64	bool server_init(struct sway_server *server) {
78	sway_log(SWAY_DEBUG, "Initializing Wayland server");	65	sway_log(SWAY_DEBUG, "Initializing Wayland server");
		66	server->wl_display = wl_display_create();
		67	server->wl_event_loop = wl_display_get_event_loop(server->wl_display);
		68	server->backend = wlr_backend_autocreate(server->wl_display);
		69
		70	if (!server->backend) {
		71	sway_log(SWAY_ERROR, "Unable to create backend");
		72	return false;
		73	}
79		74
80	server->renderer = wlr_renderer_autocreate(server->backend);	75	server->renderer = wlr_renderer_autocreate(server->backend);
81	if (!server->renderer) {	76	if (!server->renderer) {