Subject: [bug#56690] [PATCH] gnu: seatd-service-type: Should use seat group.
From: muradm
Date: Sun, 07 Aug 2022 23:05:29 +0300
To: Ludovic Courtès, 56690@debbugs.gnu.org
In-reply-to: <87les00x51.fsf@muradm.net>
Message-ID: <87h72n24ra.fsf@muradm.net>
References: <20220722042745.26745-1-mail@muradm.net> <87czdddrra.fsf@gnu.org> <87les00x51.fsf@muradm.net>

here is updated patch:

- group is now correctly configurable
- dropped user field as it is most likely pointless
- group is created if necessary
- documentation updated adding mentioning of seatd.sock permissions
- adding test case for seatd.sock ownership

thanks in advance,
muradm

Attachment: v2-0001-gnu-seatd-service-type-Should-use-seat-group.patch

From edf954714a71ea3c1b8a872df40ed3735dff10f8 Mon Sep 17 00:00:00 2001
From: muradm Date: Fri, 22 Jul 2022 07:09:54 +0300 Subject: [PATCH v2] gnu: seatd-service-type: Should use seat group. To: 56690@debbugs.gnu.org * gnu/services/desktop.scm (seatd-service-type): Uses "seat" group. [extensions]: Added account-service-type with seatd-accounts. (seatd-accounts): Conditionally produces list with "seat" group. (): [user] Drop user field, since it is not going to be used. [group] Change default value to "seat". [existing-group?] Add field which controls if group should be created or not. * doc/guix.texi: Mention that users may need to become members of "seat" group and update default value for group field. Add explanation on seatd.sock file. Remove dropped user field. =2D-- doc/guix.texi | 32 ++++++++++++++++++++++++++++---- gnu/services/desktop.scm | 15 +++++++++++---- gnu/tests/desktop.scm | 9 +++++++++ 3 files changed, 48 insertions(+), 8 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 21cee4e369..cb896fedb4 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi @@ -23139,6 +23139,29 @@ input), without requiring the applications needing= access to be root. %base-services) =20 @end lisp + +@code{seatd} operates over a UNIX domain socket, with @code{libseat} +providing the client-side of the protocol. Then applications dealing +with seat management (e.g. @code{sway}) connects to @code{seatd} via +mentioned socket. + +When seat mamanagement is provided by @code{seatd}, users that acquire +resources provided by @code{seatd} should have permissions to access +its UNIX domain socket. By default, @code{seatd-service-type} provides +``seat'' group. And user should become its member. + +@lisp +(user-account + (name "alice") + (group "users") + (supplementary-groups '("wheel" ;allow use of sudo, etc. + "seat" ;interact with seatd + "audio" ;sound card + "video" ;video devices such as webcams + "cdrom")) ;the good ol' CD-ROM + (comment "Bob's sister")) +@end lisp + @end defvr =20 @deftp {Data Type} seatd-configuration 
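Review bot: the new paragraphs in the first doc/guix.texi hunk have wording errors that should be fixed before merge: "seat mamanagement" should read "seat management", "applications dealing with seat management (e.g. @code{sway}) connects to @code{seatd} via mentioned socket" needs "connect" and "that socket", and "By default, @code{seatd-service-type} provides ``seat'' group. And user should become its member." is a fragment. Something like "By default, @code{seatd-service-type} creates a ``seat'' group; users who need to acquire devices through @code{seatd} must be members of it." says the same thing in one sentence. Since the group name is configurable through the @code{group} field of the record documented just below, referring to "the group named in the @code{group} field" rather than hard-coding ``seat'' would keep the text accurate when it is changed.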
@@ -23148,12 +23171,13 @@ Configuration record for the seatd daemon service. @item @code{seatd} (default: @code{seatd}) The seatd package to use. =20 =2D@item @code{user} (default: @samp{"root"}) =2DUser to own the seatd socket. =2D =2D@item @code{group} (default: @samp{"users"}) +@item @code{group} (default: @samp{"seat"}) Group to own the seatd socket. =20 +@item @code{existing-group?} (default: @samp{#f}) +If group specified in @code{group} field is pre-existing, +or should be created by @code{seatd-service-type}. + @item @code{socket} (default: @samp{"/run/seatd.sock"}) Where to create the seatd socket. =20 diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 29a3722f1b..9a36927b9f 100644 =2D-- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -13,7 +13,7 @@ ;;; Copyright =C2=A9 2020 Tobias Geerinckx-Rice ;;; Copyright =C2=A9 2020 Reza Alizadeh Majd ;;; Copyright =C2=A9 2021 Brice Waegeneire =2D;;; Copyright =C2=A9 2021 muradm +;;; Copyright =C2=A9 2021, 2022 muradm ;;; ;;; This file is part of GNU Guix. ;;; @@ -1645,8 +1645,8 @@ (define-record-type* seatd-conf= iguration make-seatd-configuration seatd-configuration? (seatd seatd-package (default seatd)) =2D (user seatd-user (default "root")) =2D (group seatd-group (default "users")) + (group seatd-group (default "seat")) + (existing-group? seatd-existing-group? (default #f)) (socket seatd-socket (default "/run/seatd.sock")) (logfile seatd-logfile (default "/var/log/seatd.log")) (loglevel seatd-loglevel (default "info"))) @@ -1660,7 +1660,6 @@ (define (seatd-shepherd-service config) (provision '(seatd elogind)) (start #~(make-forkexec-constructor (list #$(file-append (seatd-package config) "/bin/seatd= ") =2D "-u" #$(seatd-user config) "-g" #$(seatd-group config)) #:environment-variables (list (string-append "SEATD_LOGLEVEL=3D" 
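Review bot: the description of @code{existing-group?} in the second doc/guix.texi hunk is phrased as a question and does not say which value means what. Suggest: "Whether the group named in @code{group} already exists. When @code{#f} (the default), @code{seatd-service-type} creates it as a system group; when @code{#t}, the group must be provided elsewhere in the operating system declaration, since its name is passed to @command{seatd} with @code{-g}." That tells the reader what happens when they set it and what they are responsible for.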
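Review bot: dropping the @code{user} field from the @code{define-record-type*} hunk in gnu/services/desktop.scm is a breaking change: any existing @code{(seatd-configuration (user ...))} in a user's config.scm will stop building, and neither the commit message nor the doc hunk calls this out. Consider keeping @code{user} as a deprecated field that emits a warning for a release cycle, or at minimum stating the removal explicitly in the commit message and in NEWS. The shepherd hunk that removes @code{"-u" #$(seatd-user config)} also means the daemon now keeps its own uid for the socket owner, which is what the new ownership test expects, so the two hunks are consistent with each other.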
@@ -1670,6 +1669,13 @@ (define (seatd-shepherd-service config) #:log-file #$(seatd-logfile config))) (stop #~(make-kill-destructor))))) =20 +(define seatd-accounts + (match-lambda + (($ _ group existing-group?) + `(,@(if existing-group? '() (list (user-group + (name group) + (system? #t)))))))) + (define seatd-environment (match-lambda (($ _ _ _ socket) @@ -1683,6 +1689,7 @@ (define seatd-service-type applications needing access to be root.") (extensions (list + (service-extension account-service-type seatd-accounts) (service-extension session-environment-service-type seatd-environment) ;; TODO: once cgroups is separate dependency we should not mount it h= ere ;; for now it is mounted here, because elogind mounts it diff --git a/gnu/tests/desktop.scm b/gnu/tests/desktop.scm index 25971f9225..6fe6ec21be 100644 =2D-- a/gnu/tests/desktop.scm +++ b/gnu/tests/desktop.scm 
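Review bot: in the @code{seatd-accounts} hunk the quasiquote wrapper is redundant: @code{`(,@(if existing-group? '() (list ...)))} evaluates to the same list as @code{(if existing-group? '() (list (user-group (name group) (system? #t))))}. More importantly, the @code{($ _ group existing-group?)} pattern is positional and will silently bind the wrong field if someone later inserts or reorders a field in the record; the same hazard applies to the pre-existing @code{($ _ _ _ socket)} pattern in @code{seatd-environment}, which this patch keeps correct only because one field was removed and another added in its place. Using the accessors, @code{(seatd-group config)} and @code{(seatd-existing-group? config)}, avoids that class of bug.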
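Review bot: the new "seatd.sock ownership" test in the gnu/tests/desktop.scm hunk checks owner and group but not the socket mode, so it cannot tell whether the ``seat'' group actually gates access: if the socket were world-readable and world-writable, group membership would be irrelevant and the documentation's promise would be hollow. Suggest adding an assertion on the permission bits alongside it, for example @code{(test-equal "seatd.sock not accessible by others" 0 (marionette-eval '(logand (stat:perms (stat "/run/seatd.sock")) #o007) marionette))}, and, if that is what seatd guarantees, that the group bits grant read and write. That pins down the property the patch is really about.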
@@ -255,6 +255,15 @@ (define (sock-var-sock var) (socks (map wait-for-unix-socket-m socks))) (and (=3D 2 (length socks)) (every identity socks))))) =20 + (test-equal "seatd.sock ownership" + '("root" "seat") + `(,(marionette-eval + '(passwd:name (getpwuid (stat:uid (stat "/run/seatd.sock")= ))) + marionette) + ,(marionette-eval + '(group:name (getgrgid (stat:gid (stat "/run/seatd.sock"))= )) + marionette))) + (test-assert "greetd is ready" (begin (marionette-type "ps -C greetd -o pid,args --no-headers > ps= -greetd\n" =2D-=20 2.37.1

muradm writes:

> Hi,
>
> Ludovic Courtès writes:
>
>> Hi,
>>
>> muradm skribis:
>>
>>> * gnu/services/desktop.scm (seatd-service-type): Uses "seat" group.
>>> [extensions]: Added account-service-type with %seatd-accounts.
>>> (%seatd-accounts): List with "seat" group.
>>> (): [group] Change default value to "seat".
>>> * doc/guix.texi: Mention that users may need to become members of
>>> "seat" group and update default value for group field.
>>
>> I guess I’m missing some context: is this fixing a bug currently
>> present?  (Apologies if this has been discussed elsewhere!)
>
> Not really a bug, but misconfiguration I suppose. Started here with
> commit about month or two ago:
>
> https://lists.gnu.org/archive/html/guix-devel/2022-08/msg00021.html
>
> Basically, with original configuration, greeter was in the wheel group
> which allowed it to communicate with seatd over /run/seatd.sock.
>
>>> +Users which are going to interact with @code{seatd} daemon while
>>> logged in
>>
>> s/which/who/
>
> With above fix, wheel and other groups were removed. While it was not
> affecting default greeter agretty, some people including me, use
> graphical greeter gtkgreet or others based on sway.
> Then sway with
> greeter started by greetd needs to communicate with seatd. Due to
> the fact of missing permission, greeter just dies with blank screen.
>
> So "users which are going to interact" basically users who want
> to run sway, or anything else requiring libseat based seat management
> present.
>
>>> +should be added to @code{seat} group. For instance:
>>> +
>>> +@lisp
>>> +(user-account
>>> +  (name "alice")
>>> +  (group "users")
>>> +  (supplementary-groups '("wheel"   ;allow use of sudo, etc.
>>> +                          "seat"    ;interact with seatd
>>> +                          "audio"   ;sound card
>>> +                          "video"   ;video devices such as webcams
>>> +                          "cdrom")) ;the good ol' CD-ROM
>>> +  (comment "Bob's sister"))
>>
>> The problem I see with this extra doc is that even I wouldn’t know how
>> to tell whether I’m going to “interact with seatd”. Fundamentally it’s
>> not something I really care about. :-)
>>
>> How could we improve on this? Like, if this is important, should it be
>> the default?
>
> Two options, a) users who want greetd/seatd setup normally advanced
> users wishing to get away from systemd/logind/dbus world, so they
> probably want to be aware of what is going on; b) copy a piece of
> documentation from seatd, explaining seatd.sock maybe. Other than
> that I could ask the same question about video, audio etc. groups :)
>
>> Thanks,
>> Ludo’.