From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Let non-root users use MTP devices (Attempt #2)
Date: Thu, 29 Dec 2016 23:48:00 +0100
Message-ID: <871swqe4k6.fsf@gnu.org>
References: <87mvfggv4k.fsf@gmail.com> <20161229090121.3718-1-cmmarusich@gmail.com> <871swrf3cm.fsf@gmail.com>
In-Reply-To: <871swrf3cm.fsf@gmail.com> (Chris Marusich's message of "Thu, 29 Dec 2016 02:15:37 -0800")
To: Chris Marusich
Cc: guix-devel@gnu.org

Chris Marusich writes:

> Chris Marusich writes:
>
>> Here's a second attempt to fix MTP support for GuixSD. It's simple and
>> requires no special group permissions.
>>
>> It turns out that elogind (like systemd's logind) can be compiled with
>> support for ACLs (provided by libacl), in which case elogind will
>> automatically set an ACL on a device file granting access to a user when
>> that user is logged in using a seat to which the device is attached. In
>> short, by adding acl as an input to elogind, users will be able to
>> access devices without running programs as root, and without being a
>> member of any special group.
>>
>> That's just one piece of the puzzle, though. The other piece is the
>> udev rules provided by libmtp. It's necessary to install those udev
>> rules; if we don't, then the MTP device won't be tagged properly, so
>> elogind will not set any ACLs for it. I've chosen to install those
>> rules by modifying the base services in desktop.scm so that all desktops
>> will get the rules, not just GNOME; if you know of a better way to
>> install them, please let me know.
>>
>> This patch has a happy side effect. Namely: because elogind is now
>> setting ACLs, it gives a user access to other devices that are attached
>> to their seat. For instance, after this change, I can access /dev/kvm
>> and /dev/cdrom (and other devices) without being root, and without being
>> in any special group. How nice!
>
> After sending this, I've noticed something odd: sometimes, it can take
> quite a while for elogind to set the ACLs. It's a bit of a mystery to
> me. I'm not sure how/when elogind decides to update the ACLs; I assumed
> it was continuously checking for changes in the hardware or receiving
> notifications about hardware changes, but it seems like elogind isn't
> noticing when I plug in my phone. Even though the device file shows up,
> elogind doesn't set the ACLs unless I do something.
>
> By "do something," I mean: Apparently, logging out and logging back in
> seems to trigger elogind to set the ACLs. Even just switching virtual
> terminals (i.e., Control + F1, followed by Control + F7) seems to
> trigger it, which is weird. Even when elogind has not yet set the ACLs,
> the "uaccess" tag has in fact been correctly set for the device (as
> reported by e.g. "udevadm info /dev/libmtp-1-1"), which leads me to
> suspect that elogind is either failing to notice or just ignoring the
> hardware change. I wonder if this might be a bug of some kind.
>
> What do you think we should do?

Good question! I don’t know. Does this happen only for MTP devices
or also with other things (KVM?)?

Does “udevadm settle” trigger the ACL change?

Thanks,
Ludo’.
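
The state described in the quoted message (the "uaccess" tag is set but the per-user ACL is not) can be told apart from a missing udev rule by comparing the output of `udevadm info` and `getfacl` for the device node. The script below is an added example, not part of the original message or of Guix; the sample outputs are constructed and the user name `alice` is hypothetical.

```shell
# Classify a device node from the text of `udevadm info DEV` and `getfacl DEV`.
# Sample outputs below are constructed; "alice" is a hypothetical user.

# Succeeds if udev's TAGS property ("E: TAGS=..." or "TAGS=...") has "uaccess".
has_uaccess_tag() {
    printf '%s\n' "$1" | grep -Eq '^(E: )?TAGS=.*:uaccess:'
}

# Succeeds if the ACL text has a named-user entry granting read and write.
has_user_acl() {
    printf '%s\n' "$1" | grep -Eq "^user:$2:rw"
}

# Prints: ok | acl-missing (tag set, no ACL yet) | tag-missing (rules not applied)
diagnose() {
    if ! has_uaccess_tag "$1"; then
        echo tag-missing
    elif ! has_user_acl "$2" "$3"; then
        echo acl-missing
    else
        echo ok
    fi
}

SAMPLE_UDEV='P: /devices/constructed/usb1/1-1
N: libmtp-1-1
E: DEVNAME=/dev/libmtp-1-1
E: TAGS=:uaccess:'

SAMPLE_ACL_BEFORE='# file: dev/libmtp-1-1
# owner: root
# group: root
user::rw-
group::rw-
other::---'

SAMPLE_ACL_AFTER='# file: dev/libmtp-1-1
# owner: root
# group: root
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---'

# Live: diagnose "$(udevadm info /dev/libmtp-1-1)" "$(getfacl /dev/libmtp-1-1)" "$USER"
diagnose "$SAMPLE_UDEV" "$SAMPLE_ACL_BEFORE" alice   # prints acl-missing
diagnose "$SAMPLE_UDEV" "$SAMPLE_ACL_AFTER" alice    # prints ok
```

Running the live form before and after `udevadm settle`, or before and after a virtual terminal switch, shows which action moves the device from `acl-missing` to `ok`.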