From: muradm
Date: Thu, 04 Aug 2022 12:45:13 +0300
Subject: bug#56971: greeter user permissions are not enough to talk with seatd
To: 56971@debbugs.gnu.org
Message-ID: <87czdg2unf.fsf@muradm.net>

Hi,

As per discussion here:

https://lists.gnu.org/archive/html/guix-devel/2022-08/msg00020.html

The above change reduced the permissions of the greeter user. While it is ok for greeters that do not talk to seatd, greeters talking to seatd lost access to the seatd socket. As a result, a greeter (e.g.
gtkgreet) requiring communication with seatd is failing to start, causing "black screen" behavior on the active terminal (switching to another, non-seatd-related terminal is possible, for manual permissions adjustment as a workaround).

To address this issue, we need more flexible control over the seatd user/group, which creates seatd.sock, and the greeter user, which connects to seatd.sock.

Other distros (Arch for instance) introduced a "seat" group. So a user who wants to log in on a system controlled by seatd should be a member of that group. However, not all greeters require that, so I decided to make it more flexible.

The proposed solution consists of:

* 56690 - gnu: seatd-service-type: Should use seat group. With this change, if seatd-service-type is present in the system configuration, the "seat" group will be added, and seatd will run as root/seat. The group is configurable, but the default is "seat".

* 56699 - gnu: greetd-service-type: Add greeter-extra-groups config field. With this change, if the user wants to use seatd-service-type with a greeter requiring seatd.sock, he can add the "seat" group to the greeter-extra-groups field.

Thanks in advance,
muradm
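
The access rule this report turns on, as an added example that is not part of the original message or of Guix: whether a greeter account can connect to a root/seat-owned seatd.sock depends on the socket's mode bits and the account's group list. The uid/gid numbers and the 0770 socket mode are constructed assumptions, and `can_connect`, `audit` and `scenario` are hypothetical names.

```python
import grp
import os
import pwd
import stat


def can_connect(mode, owner_uid, owner_gid, uid, gids):
    """Owner/group/other check for connect(2) on a Unix socket: the caller
    needs write permission on the socket inode. Search permission on the
    parent directories is not evaluated here."""
    if uid == 0:                  # root bypasses the mode bits
        return True
    if uid == owner_uid:          # owner class wins even if group bits are wider
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit(user, sock_path):
    """Live check on a running system: can `user` reach `sock_path`?"""
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{sock_path} is not a socket")
    return {"user": user,
            "socket_group": grp.getgrgid(st.st_gid).gr_name,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "can_connect": can_connect(st.st_mode, st.st_uid, st.st_gid,
                                       pw.pw_uid, gids)}


# Constructed sample values, not taken from a real system.
SEAT_GID, GREETER_UID, GREETER_GID = 970, 980, 980
SOCK_MODE = stat.S_IFSOCK | 0o770   # assumed srwxrwx---, owned by root:seat


def scenario(greeter_gids):
    """Evaluate the constructed root:seat socket for a greeter group set."""
    return can_connect(SOCK_MODE, 0, SEAT_GID, GREETER_UID, greeter_gids)


if __name__ == "__main__":
    print("greeter without seat group:", scenario({GREETER_GID}))
    print("greeter with seat group:   ", scenario({GREETER_GID, SEAT_GID}))
```

On a live system, `audit` takes the greeter account name and the path of seatd.sock as configured there.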