GNU bug report logs -
#56971
greeter user permissions are not enough to talk with seatd
Reported by: muradm <mail <at> muradm.net>
Date: Thu, 4 Aug 2022 10:04:01 UTC
Severity: normal
Done: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
Bug is archived. No further changes may be made.
Message #13 received at 56971 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at> writes:
> block 56971 by 56690 56699
> thanks
>
> Hi muradm,
Hi Liliana,
> On Thursday, 04.08.2022 at 12:45 +0300, muradm wrote:
>> [...] greeter (e.g. gtkgreet) requiring communication
>> with seatd is failing to start, causing "black screen"
>> behavior on active terminal (switching to the other non seatd
>> related terminal is possible, for manual permissions
>> adjustment as workaround).
>>
>> To address this issue, we need more flexible control over
>> seatd user/group, which creates seatd.sock, and greeter user
>> which connects to seatd.sock.
> Okay.
>
>> However, not all greeters require that, so I decided to make
>> it more flexible.
> Flexibility for its own sake is not always the right solution.
> On the other hand, looking at the two patches, it appears they
> are to be used in combination?
>
No, technically they are not strongly dependent on each other,
could be applied one after another in no particular order.
After both are applied, in cooperation they address this issue.
>> Proposed solution consists of:
>>
>> * 56690 - gnu: seatd-service-type: Should use seat group.
>> With this change, if seatd-service-type is present in the
>> system configuration, "seat" group will be added, and seatd
>> will run as root/seat. Group is configurable, but default is
>> "seat".
> Why just the group and no user? Is it not possible to launch
> seatd as non-root?
seatd provides a way for display servers to access input/output
devices without having to be root. So seatd itself has to run as root.
When seatd opens the socket as root/seat, all members of seat would
be able to communicate with it. Also the socket could be opened with
seat/seat for instance, but there is no specific point in doing so.
There will be one more unused system user around.
Arch seems to follow a similar way, root/seat is ok for the socket.
It will also signal that seatd is running as root.
>> * 56699 - gnu: greetd-service-type: Add greeter-extra-groups
>> config field.
>> With this change, if user wants to use seatd-service-type with
>> greeter requiring seatd.sock, he can add "seat" group to
>> greeter-extra-groups field.
> Note that you still have a TODO on that patch.
That TODO is from the initial commit, it is about cgroup file
system mounting, and totally out of scope of this issue.
> Cheers
Thanks in advance
[signature.asc (application/pgp-signature, inline)]
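
The permission model discussed in this message, as an added example that is not part of the original thread and not code from Guix or seatd: it models which processes may connect to a socket owned root/seat. The numeric ids, the 0770 mode and all names in the code are assumptions made for illustration.

```python
import stat
from collections import namedtuple

# Constructed sample values; the numeric ids and the 0770 mode are assumptions.
SockStat = namedtuple("SockStat", "st_mode st_uid st_gid")
ROOT_UID, SEAT_GID = 0, 970          # socket owner/group: root/seat
GREETER_UID, GREETER_GID = 980, 980  # hypothetical greeter account
SEATD_SOCK = SockStat(stat.S_IFSOCK | 0o770, ROOT_UID, SEAT_GID)


def can_connect(sock, uid, gids):
    """Return True if a process with uid/gids may connect() to the socket.

    Connecting to a path-based Unix socket needs write permission on the
    socket file; the kernel checks exactly one class: owner, group or other.
    """
    if not stat.S_ISSOCK(sock.st_mode):
        raise ValueError("not a socket")
    if uid == 0:                       # root bypasses the mode bits
        return True
    if uid == sock.st_uid:
        return bool(sock.st_mode & stat.S_IWUSR)
    if sock.st_gid in gids:
        return bool(sock.st_mode & stat.S_IWGRP)
    return bool(sock.st_mode & stat.S_IWOTH)


def audit(sock, expected_gid):
    """List deviations from the root/<group> layout discussed in the thread."""
    findings = []
    if sock.st_uid != 0:
        findings.append("socket not owned by root")
    if sock.st_gid != expected_gid:
        findings.append("socket group is not the seat group")
    if sock.st_mode & (stat.S_IWOTH | stat.S_IROTH):
        findings.append("socket accessible to users outside the group")
    return findings


if __name__ == "__main__":
    # Greeter without the extra group: the failure described in the report.
    print(can_connect(SEATD_SOCK, GREETER_UID, {GREETER_GID}))
    # Greeter with "seat" among its groups: connection permitted.
    print(can_connect(SEATD_SOCK, GREETER_UID, {GREETER_GID, SEAT_GID}))
    print(audit(SEATD_SOCK, SEAT_GID))
```

On a real system the same check can be fed from `os.stat()` on the socket path and `os.getgrouplist()` for the greeter account.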
This bug report was last modified 2 years and 326 days ago.