Subject: bug#56971: greeter user permissions are not enough to talk with seatd
From: muradm
To: Liliana Marie Prikler
Cc: control@debbugs.gnu.org, 56971@debbugs.gnu.org
Date: Thu, 04 Aug 2022 15:52:32 +0300
Message-ID: <874jys2m01.fsf@muradm.net>

Liliana Marie Prikler writes:

> block 56971 by 56690 56699
> thanks
>
> Hi muradm,

Hi Liliana,

> On Thursday, 04.08.2022 at 12:45 +0300, muradm wrote:
>> [...] greeter (e.g. gtkgreet) requiring communication
>> with seatd is failing to start, causing "black screen"
>> behavior on active terminal (switching to the other non seatd
>> related terminal is possible, for manual permissions
>> adjustment as workaround).
>>
>> To address this issue, we need more flexible control over
>> seatd user/group, which creates seatd.sock, and greeter user
>> which connects to seatd.sock.
> Okay.
>
>> However, not all greeters require that, so I decided to make
>> it more flexible.
> Flexibility for its own sake is not always the right solution. On the
> other hand, looking at the two patches, it appears they are to be used
> in combination?
>

No, technically they are not strongly dependent on each other; they
could be applied one after another in no particular order.
After both are applied, in cooperation they address this issue.

>> Proposed solution consists of:
>>
>> * 56690 - gnu: seatd-service-type: Should use seat group.
>> With this change, if seatd-service-type is present in the
>> system configuration, "seat" group will be added, and seatd
>> will run as root/seat. Group is configurable, but default is
>> "seat".
> Why just the group and no user? Is it not possible to launch seatd as
> non-root?

seatd provides a way for display servers to access input/output
devices without having to be root. So seatd itself has to run as
root. When seatd opens the socket as root/seat, all members of seat
will be able to communicate with it. Also, the socket could be
opened with seat/seat for instance, but there is no specific point
in doing so. There will be one more unused system user around. Arch
seems to follow a similar way, root/seat is ok for the socket. It
will also signal that seatd is running as root.

>> * 56699 - gnu: greetd-service-type: Add greeter-extra-groups
>>   config field.
>> With this change, if user wants to use seatd-service-type with
>> greeter requiring seatd.sock, he can add "seat" group to
>> greeter-extra-groups field.
> Note that you still have a TODO on that patch.

That TODO is from the initial commit, it is about cgroup file
system mounting, and totally out of scope of this issue.
> Cheers

Thanks in advance
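
As an added illustration of the permission model discussed in this message (not part of the original e-mail, and not Guix or seatd code), the Python below evaluates whether an account may connect to a root/seat-owned socket and flags a socket that is open to every local user. The uid/gid numbers and the 0770 socket mode are constructed assumptions; `load_sock` and `load_account` are hypothetical helper names that read the real values on a live system.

```python
import os
import pwd
import stat
from typing import NamedTuple

class Sock(NamedTuple):
    uid: int
    gid: int
    mode: int  # permission bits only

class Account(NamedTuple):
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary group ids

def load_sock(path):
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    return Sock(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

def load_account(name):
    pw = pwd.getpwnam(name)
    return Account(name, pw.pw_uid, frozenset(os.getgrouplist(name, pw.pw_gid)))

def can_connect(sock, acct):
    """connect(2) to a pathname AF_UNIX socket needs write permission on it.
    Only the first matching class (owner, group, other) is consulted."""
    if acct.uid == 0:
        return True
    if acct.uid == sock.uid:
        return bool(sock.mode & stat.S_IWUSR)
    if sock.gid in acct.gids:
        return bool(sock.mode & stat.S_IWGRP)
    return bool(sock.mode & stat.S_IWOTH)

def audit(sock, acct):
    findings = []
    if sock.mode & stat.S_IWOTH:
        findings.append("socket is world-writable: every local user can talk to seatd")
    if not can_connect(sock, acct):
        findings.append(f"{acct.name} lacks write permission on the socket "
                        f"(owner uid {sock.uid}, gid {sock.gid}, mode {sock.mode:04o})")
    return findings

# Constructed values: gid 980 stands in for "seat", uid 970 for the greeter user.
SEATD_SOCK = Sock(uid=0, gid=980, mode=0o770)
GREETER_BEFORE = Account("greeter", 970, frozenset({970}))
GREETER_AFTER = Account("greeter", 970, frozenset({970, 980}))

if __name__ == "__main__":
    for acct in (GREETER_BEFORE, GREETER_AFTER):
        print(sorted(acct.gids), audit(SEATD_SOCK, acct) or "ok")
```

The check covers the socket file only; search permission on the directories leading to it is not evaluated.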