[PATCH 0/2] rootless x support

[PATCH 0/2] rootless x support

[Yu Ke]

this patch set add the rootless X support (a.k.a non-root X)

- What is rootless X
Rootless X allow X to be runed with non-root user, to gain better security
Rerence (https://wiki.ubuntu.com/X/Rootless) has more detailed info on this.

- What changes are made to support rootless X
To support rootless X, whole stack including kernle, graphics driver, x server
and userspace setting are all required to change. Fortunately, the former three
already has required changes in upstream, so this patchset only add userspace
setting to enalbe the rootless X.

- How to enable/disable rootless X
Not all machine support rootless X currently, because rootless X requires kernel
mode setting (KMS) in graphics driver and not all graphics driver support KMS,
so a per-machine config "ROOTLESS_X" is introduced to enable/disable rootless X.
so far, ROOTLESS_X is set for atom_pc machine, because its graphics driver(intel
graphics driver) support KMS well.

this patchset has been tested in atom-pc and qemux86 machine poky-image-sato image

Pull URL: git://git.pokylinux.org/poky-contrib.git
  Branch: kyu3/nonrootx
  Browse: http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kyu3/nonrootx

Thanks,
    Yu Ke <ke.yu@intel.com>
---


Yu Ke (2):
  xf86-video-intel: add config option to support rootless X
  xserver-nodm-init: add rootless-x support

 meta/conf/machine/atom-pc.conf                     |    2 +
 .../x11-common/xserver-nodm-init.bb                |   22 +++++++++++++++++++-
 .../x11-common/xserver-nodm-init/Xusername         |    1 +
 .../x11-common/xserver-nodm-init/xserver-nodm      |    4 +++
 .../xorg-driver/xf86-video-intel_2.14.0.bb         |    5 ++++
 5 files changed, 33 insertions(+), 1 deletions(-)
 create mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername

[PATCH 1/2] xf86-video-intel: add config option to support rootless X

[Yu Ke]

- add global config option ROOTLESS_X to control if enable
  rootless X for the machine. ROOTLESS_X requires graphics
  driver supporting KMS (kernel mode setting), so far, only
  atom_pc support this. so enable ROOTLESS_X for atom_pc machine

- add config options for xf86-video-intel to support rootless X

Signed-off-by: Yu Ke <ke.yu@intel.com>
---
 meta/conf/machine/atom-pc.conf                     |    2 ++
 .../xorg-driver/xf86-video-intel_2.14.0.bb         |    5 +++++
 2 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/meta/conf/machine/atom-pc.conf b/meta/conf/machine/atom-pc.conf
index 58c9b0d..b94deb2 100644
--- a/meta/conf/machine/atom-pc.conf
+++ b/meta/conf/machine/atom-pc.conf
@@ -42,3 +42,5 @@ GLIBC_ADDONS = "nptl"
 GLIBC_EXTRA_OECONF = "--with-tls"
 
 EXTRA_OECONF_append_pn-matchbox-panel-2 = " --with-battery=acpi"
+
+ROOTLESS_X = "1"
diff --git a/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb b/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb
index 017a2e0..099cf9d 100644
--- a/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb
+++ b/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb
@@ -9,8 +9,13 @@ Infrastructure (DRI)."
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=8730ad58d11c7bbad9a7066d69f7808e"
 
+PR = "r1"
+
 EXTRA_OECONF += "--disable-xvmc"
 
+# --enable-kms-only option is required by ROOTLESS_X
+EXTRA_OECONF += '${@base_conditional( "ROOTLESS_X", "1", " --enable-kms-only", "", d )}'
+
 DEPENDS += "virtual/libx11 libxvmc drm xf86driproto glproto \
 	    virtual/libgl xineramaproto xf86driproto libpciaccess"
 
-- 
1.7.0.4

[PATCH 2/2] xserver-nodm-init: add rootless-x support

[Yu Ke]

most rootless X work are already done in the kernel, xserver and
graphics driver, this patches add the the remaining userspace setting:

- create /etc/X11/Xusername to set rootless X user
- add rootless X user to group video, tty to access /dev/tty[0-4]
  and /dev/dri/card0
- grant rootless X user access right to /dev/input/*, /var/log

Signed-off-by: Yu Ke <ke.yu@intel.com>
---
 .../x11-common/xserver-nodm-init.bb                |   22 +++++++++++++++++++-
 .../x11-common/xserver-nodm-init/Xusername         |    1 +
 .../x11-common/xserver-nodm-init/xserver-nodm      |    4 +++
 3 files changed, 26 insertions(+), 1 deletions(-)
 create mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername

diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
index 03a6ca3..4642272 100644
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
@@ -3,10 +3,11 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
 SECTION = "x11"
 PRIORITY = "optional"
-PR = "r23"
+PR = "r24"
 RDEPENDS_${PN} = "dbus-wait sudo"
 
 SRC_URI = "file://xserver-nodm \
+           file://Xusername \
            file://gplv2-license.patch"
 
 S = ${WORKDIR}
@@ -17,6 +18,25 @@ do_install() {
     install -d ${D}/etc
     install -d ${D}/etc/init.d
     install xserver-nodm ${D}/etc/init.d
+    if [ "${ROOTLESS_X}" = "1" ] ; then
+        install -d ${D}/etc/X11
+        install Xusername ${D}/etc/X11
+    fi
+}
+
+pkg_postinst_${PN} () {
+    if [ "x$D" != "x" ] ; then
+        exit 1
+    fi
+
+    if [ ! -f /etc/X11/Xusername ]; then
+        # create the rootless X user, and add user to group tty, video
+        username=`cat /etc/X11/Xusername`
+        adduser --disabled-password $username
+        # FIXME: use addgroup if busybox addgroup is ready
+        sed -i -e "s/^video:.*/&${username}/g" /etc/group
+        sed -i -e "s/^tty:.*/&${username}/g" /etc/group
+    fi
 }
 
 inherit update-rc.d
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername b/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
new file mode 100644
index 0000000..db9781a
--- /dev/null
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
@@ -0,0 +1 @@
+yocto
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
index 69ea949..d8c4ba0 100755
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
@@ -30,6 +30,10 @@ case "$1" in
        echo "Starting Xserver"
        if [ -f /etc/X11/Xusername ]; then
            username=`cat /etc/X11/Xusername`
+           # setting for rootless X
+           chmod o+w /var/log
+           chmod g+r /dev/tty[0-3]
+           chmod o+rw /dev/input/*
        fi
        # Using sudo -i here has the nice side effect of making sire
        # HOME, USER and other previously problematic variables
-- 
1.7.0.4

Re: [PATCH 1/2] xf86-video-intel: add config option to support rootless X

[Saul Wold]

On 02/22/2011 08:00 AM, Yu Ke wrote:
> - add global config option ROOTLESS_X to control if enable
>    rootless X for the machine. ROOTLESS_X requires graphics
>    driver supporting KMS (kernel mode setting), so far, only
>    atom_pc support this. so enable ROOTLESS_X for atom_pc machine
>
> - add config options for xf86-video-intel to support rootless X
>
> Signed-off-by: Yu Ke<ke.yu@intel.com>
> ---
>   meta/conf/machine/atom-pc.conf                     |    2 ++
>   .../xorg-driver/xf86-video-intel_2.14.0.bb         |    5 +++++
>   2 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/meta/conf/machine/atom-pc.conf b/meta/conf/machine/atom-pc.conf
> index 58c9b0d..b94deb2 100644
> --- a/meta/conf/machine/atom-pc.conf
> +++ b/meta/conf/machine/atom-pc.conf
> @@ -42,3 +42,5 @@ GLIBC_ADDONS = "nptl"
>   GLIBC_EXTRA_OECONF = "--with-tls"
>
>   EXTRA_OECONF_append_pn-matchbox-panel-2 = " --with-battery=acpi"
> +
> +ROOTLESS_X = "1"
Can this also be set for qemux86?  If so, why not have it default?


> diff --git a/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb b/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb
> index 017a2e0..099cf9d 100644
> --- a/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb
> +++ b/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb
> @@ -9,8 +9,13 @@ Infrastructure (DRI)."
>
>   LIC_FILES_CHKSUM = "file://COPYING;md5=8730ad58d11c7bbad9a7066d69f7808e"
>
> +PR = "r1"
> +
>   EXTRA_OECONF += "--disable-xvmc"
>
> +# --enable-kms-only option is required by ROOTLESS_X
> +EXTRA_OECONF += '${@base_conditional( "ROOTLESS_X", "1", " --enable-kms-only", "", d )}'
> +
>   DEPENDS += "virtual/libx11 libxvmc drm xf86driproto glproto \
>   	    virtual/libgl xineramaproto xf86driproto libpciaccess"
>

Re: [PATCH 2/2] xserver-nodm-init: add rootless-x support

[Saul Wold]

On 02/22/2011 08:00 AM, Yu Ke wrote:
> most rootless X work are already done in the kernel, xserver and
> graphics driver, this patches add the the remaining userspace setting:
>
> - create /etc/X11/Xusername to set rootless X user
> - add rootless X user to group video, tty to access /dev/tty[0-4]
>    and /dev/dri/card0
> - grant rootless X user access right to /dev/input/*, /var/log
>
> Signed-off-by: Yu Ke<ke.yu@intel.com>
> ---
>   .../x11-common/xserver-nodm-init.bb                |   22 +++++++++++++++++++-
>   .../x11-common/xserver-nodm-init/Xusername         |    1 +
>   .../x11-common/xserver-nodm-init/xserver-nodm      |    4 +++
>   3 files changed, 26 insertions(+), 1 deletions(-)
>   create mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
>
> diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
> index 03a6ca3..4642272 100644
> --- a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
> +++ b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
> @@ -3,10 +3,11 @@ LICENSE = "GPLv2"
>   LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
>   SECTION = "x11"
>   PRIORITY = "optional"
> -PR = "r23"
> +PR = "r24"
>   RDEPENDS_${PN} = "dbus-wait sudo"
>
>   SRC_URI = "file://xserver-nodm \
> +           file://Xusername \
>              file://gplv2-license.patch"
>
>   S = ${WORKDIR}
> @@ -17,6 +18,25 @@ do_install() {
>       install -d ${D}/etc
>       install -d ${D}/etc/init.d
>       install xserver-nodm ${D}/etc/init.d
> +    if [ "${ROOTLESS_X}" = "1" ] ; then
> +        install -d ${D}/etc/X11
> +        install Xusername ${D}/etc/X11
> +    fi
> +}
> +
> +pkg_postinst_${PN} () {
> +    if [ "x$D" != "x" ] ; then
> +        exit 1
> +    fi
> +
> +    if [ ! -f /etc/X11/Xusername ]; then
Do you really mean to check for the file existing?

> +        # create the rootless X user, and add user to group tty, video
> +        username=`cat /etc/X11/Xusername`
> +        adduser --disabled-password $username
> +        # FIXME: use addgroup if busybox addgroup is ready
> +        sed -i -e "s/^video:.*/&${username}/g" /etc/group
> +        sed -i -e "s/^tty:.*/&${username}/g" /etc/group
> +    fi
>   }
>
>   inherit update-rc.d
> diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername b/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
> new file mode 100644
> index 0000000..db9781a
> --- /dev/null
> +++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
> @@ -0,0 +1 @@
> +yocto
Why yocto, maybe xuser would be a more generic username

> diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
> index 69ea949..d8c4ba0 100755
> --- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
> +++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
> @@ -30,6 +30,10 @@ case "$1" in
>          echo "Starting Xserver"
>          if [ -f /etc/X11/Xusername ]; then
>              username=`cat /etc/X11/Xusername`
> +           # setting for rootless X
> +           chmod o+w /var/log
> +           chmod g+r /dev/tty[0-3]
> +           chmod o+rw /dev/input/*
>          fi
>          # Using sudo -i here has the nice side effect of making sire
>          # HOME, USER and other previously problematic variables

Re: [PATCH 1/2] xf86-video-intel: add config option to support rootless X

[Yu Ke]

On Feb 22, 12:03, Saul Wold wrote:
> On 02/22/2011 08:00 AM, Yu Ke wrote:
> >- add global config option ROOTLESS_X to control if enable
> >   rootless X for the machine. ROOTLESS_X requires graphics
> >   driver supporting KMS (kernel mode setting), so far, only
> >   atom_pc support this. so enable ROOTLESS_X for atom_pc machine
> >
> >- add config options for xf86-video-intel to support rootless X
> >
> >Signed-off-by: Yu Ke<ke.yu@intel.com>
> >---
> >  meta/conf/machine/atom-pc.conf                     |    2 ++
> >  .../xorg-driver/xf86-video-intel_2.14.0.bb         |    5 +++++
> >  2 files changed, 7 insertions(+), 0 deletions(-)
> >
> >diff --git a/meta/conf/machine/atom-pc.conf b/meta/conf/machine/atom-pc.conf
> >index 58c9b0d..b94deb2 100644
> >--- a/meta/conf/machine/atom-pc.conf
> >+++ b/meta/conf/machine/atom-pc.conf
> >@@ -42,3 +42,5 @@ GLIBC_ADDONS = "nptl"
> >  GLIBC_EXTRA_OECONF = "--with-tls"
> >
> >  EXTRA_OECONF_append_pn-matchbox-panel-2 = " --with-battery=acpi"
> >+
> >+ROOTLESS_X = "1"
> Can this also be set for qemux86?  If so, why not have it default?

Unfortunately not. rootless X requires graphics driver to support KMS (kernel mode setting). qemux86 use vmware vga driver, which does not meet this requirement, so can not use rootless x.

Regards
Ke

> 
> 
> >diff --git a/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb b/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb
> >index 017a2e0..099cf9d 100644
> >--- a/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb
> >+++ b/meta/recipes-graphics/xorg-driver/xf86-video-intel_2.14.0.bb
> >@@ -9,8 +9,13 @@ Infrastructure (DRI)."
> >
> >  LIC_FILES_CHKSUM = "file://COPYING;md5=8730ad58d11c7bbad9a7066d69f7808e"
> >
> >+PR = "r1"
> >+
> >  EXTRA_OECONF += "--disable-xvmc"
> >
> >+# --enable-kms-only option is required by ROOTLESS_X
> >+EXTRA_OECONF += '${@base_conditional( "ROOTLESS_X", "1", " --enable-kms-only", "", d )}'
> >+
> >  DEPENDS += "virtual/libx11 libxvmc drm xf86driproto glproto \
> >  	    virtual/libgl xineramaproto xf86driproto libpciaccess"
> >
> 
> _______________________________________________
> poky mailing list
> poky@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/poky

Re: [PATCH 2/2] xserver-nodm-init: add rootless-x support

[Yu Ke]

On Feb 22, 12:20, Saul Wold wrote:
> On 02/22/2011 08:00 AM, Yu Ke wrote:
> >most rootless X work are already done in the kernel, xserver and
> >graphics driver, this patches add the the remaining userspace setting:
> >
> >- create /etc/X11/Xusername to set rootless X user
> >- add rootless X user to group video, tty to access /dev/tty[0-4]
> >   and /dev/dri/card0
> >- grant rootless X user access right to /dev/input/*, /var/log
> >
> >Signed-off-by: Yu Ke<ke.yu@intel.com>
> >---
> >  .../x11-common/xserver-nodm-init.bb                |   22 +++++++++++++++++++-
> >  .../x11-common/xserver-nodm-init/Xusername         |    1 +
> >  .../x11-common/xserver-nodm-init/xserver-nodm      |    4 +++
> >  3 files changed, 26 insertions(+), 1 deletions(-)
> >  create mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
> >
> >diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
> >index 03a6ca3..4642272 100644
> >--- a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
> >+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
> >@@ -3,10 +3,11 @@ LICENSE = "GPLv2"
> >  LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
> >  SECTION = "x11"
> >  PRIORITY = "optional"
> >-PR = "r23"
> >+PR = "r24"
> >  RDEPENDS_${PN} = "dbus-wait sudo"
> >
> >  SRC_URI = "file://xserver-nodm \
> >+           file://Xusername \
> >             file://gplv2-license.patch"
> >
> >  S = ${WORKDIR}
> >@@ -17,6 +18,25 @@ do_install() {
> >      install -d ${D}/etc
> >      install -d ${D}/etc/init.d
> >      install xserver-nodm ${D}/etc/init.d
> >+    if [ "${ROOTLESS_X}" = "1" ] ; then
> >+        install -d ${D}/etc/X11
> >+        install Xusername ${D}/etc/X11
> >+    fi
> >+}
> >+
> >+pkg_postinst_${PN} () {
> >+    if [ "x$D" != "x" ] ; then
> >+        exit 1
> >+    fi
> >+
> >+    if [ ! -f /etc/X11/Xusername ]; then
> Do you really mean to check for the file existing?
> 
> >+        # create the rootless X user, and add user to group tty, video
> >+        username=`cat /etc/X11/Xusername`
> >+        adduser --disabled-password $username
> >+        # FIXME: use addgroup if busybox addgroup is ready
> >+        sed -i -e "s/^video:.*/&${username}/g" /etc/group
> >+        sed -i -e "s/^tty:.*/&${username}/g" /etc/group
> >+    fi
> >  }
> >
> >  inherit update-rc.d
> >diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername b/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
> >new file mode 100644
> >index 0000000..db9781a
> >--- /dev/null
> >+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
> >@@ -0,0 +1 @@
> >+yocto
> Why yocto, maybe xuser would be a more generic username

Yup, this looks better. I will revise and resubmit the patch

Regards
Ke

> 
> >diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
> >index 69ea949..d8c4ba0 100755
> >--- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
> >+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
> >@@ -30,6 +30,10 @@ case "$1" in
> >         echo "Starting Xserver"
> >         if [ -f /etc/X11/Xusername ]; then
> >             username=`cat /etc/X11/Xusername`
> >+           # setting for rootless X
> >+           chmod o+w /var/log
> >+           chmod g+r /dev/tty[0-3]
> >+           chmod o+rw /dev/input/*
> >         fi
> >         # Using sudo -i here has the nice side effect of making sire
> >         # HOME, USER and other previously problematic variables
> 
> _______________________________________________
> poky mailing list
> poky@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/poky

[PATCH 2/2] xserver-nodm-init: add rootless-x support

[Yu Ke]

most rootless X work are already done in the kernel, xserver and
graphics driver, this patches add the the remaining userspace setting:

- create /etc/X11/Xusername to set rootless X user
- add rootless X user to group video, tty to access /dev/tty[0-4]
  and /dev/dri/card0
- grant rootless X user access right to /dev/input/*, /var/log

Signed-off-by: Yu Ke <ke.yu@intel.com>
---
 .../x11-common/xserver-nodm-init.bb                |   22 +++++++++++++++++++-
 .../x11-common/xserver-nodm-init/Xusername         |    1 +
 .../x11-common/xserver-nodm-init/xserver-nodm      |    4 +++
 3 files changed, 26 insertions(+), 1 deletions(-)
 create mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername

diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
index 03a6ca3..a93acc9 100644
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
@@ -3,10 +3,11 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
 SECTION = "x11"
 PRIORITY = "optional"
-PR = "r23"
+PR = "r24"
 RDEPENDS_${PN} = "dbus-wait sudo"
 
 SRC_URI = "file://xserver-nodm \
+           file://Xusername \
            file://gplv2-license.patch"
 
 S = ${WORKDIR}
@@ -17,6 +18,25 @@ do_install() {
     install -d ${D}/etc
     install -d ${D}/etc/init.d
     install xserver-nodm ${D}/etc/init.d
+    if [ "${ROOTLESS_X}" = "1" ] ; then
+        install -d ${D}/etc/X11
+        install Xusername ${D}/etc/X11
+    fi
+}
+
+pkg_postinst_${PN} () {
+    if [ "x$D" != "x" ] ; then
+        exit 1
+    fi
+
+    if [ -f /etc/X11/Xusername ]; then
+        # create the rootless X user, and add user to group tty, video
+        username=`cat /etc/X11/Xusername`
+        adduser --disabled-password $username
+        # FIXME: use addgroup if busybox addgroup is ready
+        sed -i -e "s/^video:.*/&${username}/g" /etc/group
+        sed -i -e "s/^tty:.*/&${username}/g" /etc/group
+    fi
 }
 
 inherit update-rc.d
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername b/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
new file mode 100644
index 0000000..7060e5e
--- /dev/null
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/Xusername
@@ -0,0 +1 @@
+xuser
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
index 69ea949..d8c4ba0 100755
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
@@ -30,6 +30,10 @@ case "$1" in
        echo "Starting Xserver"
        if [ -f /etc/X11/Xusername ]; then
            username=`cat /etc/X11/Xusername`
+           # setting for rootless X
+           chmod o+w /var/log
+           chmod g+r /dev/tty[0-3]
+           chmod o+rw /dev/input/*
        fi
        # Using sudo -i here has the nice side effect of making sire
        # HOME, USER and other previously problematic variables
-- 
1.7.0.4