The 1.16 release of xorg-server now supports running as non-root out-of-the-box. The /usr/bin/Xorg executable is now a shell script, running the Xorg.wrap setuid binary if it exists and otherwise falling back to Xorg.bin.

The necessary packaging steps are to make /usr/bin/Xorg a non-setuid binary, which will cause it to run as non-root if the driver does not require it.

Some users may be starting X automatically from a virtual console, and they will need to replace "exec startx" with "startx; exit" because the permissions do not seem to be handed off correctly with "exec". A post-install message and perhaps even a news item would be nice to deal with that.

The second step is to split the Xorg.wrap binary out into a second package (xorg-server-setuid-wrapper) and have video drivers like nvidia, catalyst and the various UMS drivers depend on it. This will remove a significant attack surface from the system.

https://hansdegoede.livejournal.com/14268.html