From: Chris Marusich
Subject: Let non-root users use MTP devices (Attempt #2)
Date: Thu, 29 Dec 2016 01:01:19 -0800
Message-ID: <20161229090121.3718-1-cmmarusich@gmail.com>
In-Reply-To: <87mvfggv4k.fsf@gmail.com>
References: <87mvfggv4k.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

Here's a second attempt to fix MTP support for GuixSD. It's simple and requires no special group permissions.

It turns out that elogind (like systemd's logind) can be compiled with support for ACLs (provided by libacl), in which case elogind will automatically set an ACL on a device file granting access to a user when that user is logged in using a seat to which the device is attached. In short, by adding acl as an input to elogind, users will be able to access devices without running programs as root, and without being a member of any special group.

That's just one piece of the puzzle, though. The other piece is the udev rules provided by libmtp. It's necessary to install those udev rules; if we don't, then the MTP device won't be tagged properly, so elogind will not set any ACLs for it. I've chosen to install those rules by modifying the base services in desktop.scm so that all desktops will get the rules, not just GNOME; if you know of a better way to install them, please let me know.

This patch has a happy side effect. Namely: because elogind is now setting ACLs, it gives a user access to other devices that are attached to their seat. For instance, after this change, I can access /dev/kvm and /dev/cdrom (and other devices) without being root, and without being in any special group. How nice!

-- 
Chris
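The mechanism described in the mail has two observable halves: udev must tag the device node "uaccess" (the tag elogind's ACL code acts on), and elogind must then place a named ACL entry for the seated user on that node. The script below is an added example, not code from the mail, from Guix, or from elogind; it audits a device node for both halves, which is also how one would review which extra devices (such as /dev/kvm) a seated user has quietly gained. The `udevadm info` and `getfacl` outputs are constructed samples embedded so the script runs offline; the user name "alice" and the device /dev/kvm are assumed. On a live system replace the two sample functions with `udevadm info --query=property DEV` and `getfacl -p DEV`.

```shell
#!/bin/sh
# Added example (not from the original mail, Guix, or elogind).
# Checks (1) whether udev tagged a device "uaccess" and (2) whether elogind
# has granted a given user a named ACL entry on it.

# Constructed sample of `udevadm info --query=property /dev/kvm`.
sample_udev_props() {
  cat <<'EOF'
DEVPATH=/devices/virtual/misc/kvm
DEVNAME=/dev/kvm
MAJOR=10
MINOR=232
SUBSYSTEM=misc
TAGS=:uaccess:seat:
EOF
}

# Constructed sample of `getfacl -p /dev/kvm` after elogind set an ACL for
# the (assumed) seated user "alice".
sample_acl() {
  cat <<'EOF'
# file: /dev/kvm
# owner: root
# group: kvm
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---
EOF
}

# has_uaccess_tag PROPS: succeeds when the TAGS line carries ":uaccess:".
has_uaccess_tag() {
  printf '%s\n' "$1" | grep -q '^TAGS=.*:uaccess:'
}

# user_acl_perms ACL USER: prints the permissions of USER's named ACL entry,
# or "none" when no such entry exists (the owner entry "user::" is skipped).
user_acl_perms() {
  perms=$(printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == "user" && $2 == u { print $3 }')
  if [ -n "$perms" ]; then
    printf '%s\n' "$perms"
  else
    printf 'none\n'
  fi
}

# device_access_state PROPS ACL USER: one word summarising the situation.
#   no-tag   -> udev rules (e.g. libmtp's) did not tag the device, so elogind
#               never touches it and the user gets nothing even when logged in.
#   no-acl   -> tagged, but no entry for USER (user not logged in on that seat,
#               or elogind built without libacl).
#   acl:PERM -> tagged and USER holds an entry with permissions PERM.
device_access_state() {
  if ! has_uaccess_tag "$1"; then
    echo no-tag
    return 0
  fi
  p=$(user_acl_perms "$2" "$3")
  if [ "$p" = none ]; then
    echo no-acl
  else
    echo "acl:$p"
  fi
}

# Stand-alone demo over the constructed samples.
device_access_state "$(sample_udev_props)" "$(sample_acl)" alice   # acl:rw-
device_access_state "$(sample_udev_props)" "$(sample_acl)" bob     # no-acl
device_access_state "TAGS=:seat:" "$(sample_acl)" alice            # no-tag
```

Running `device_access_state` over every node under /dev with a real `getfacl` is a quick way to enumerate the devices a seated user can reach through this path; an unexpected `acl:` result on a node that should stay privileged points at an over-broad udev tag rather than at elogind.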