From: muradm <mail@muradm.net>
To: 56971@debbugs.gnu.org
Subject: bug#56971: greeter user permissions are not enough to talk with seatd
Date: Thu, 04 Aug 2022 12:45:13 +0300
Message-ID: <87czdg2unf.fsf@muradm.net>

Hi,

As per discussion here:
https://lists.gnu.org/archive/html/guix-devel/2022-08/msg00020.html

The above change reduced the permissions of the greeter user.
While it is OK for greeters that do not talk to seatd,
greeters talking to seatd lost access to the seatd socket.
As a result, a greeter (e.g. gtkgreet) requiring communication
with seatd is failing to start, causing "black screen"
behavior on the active terminal (switching to another non-seatd
related terminal is possible, for manual permissions
adjustment as a workaround).

To address this issue, we need more flexible control over
seatd user/group, which creates seatd.sock, and greeter user
which connects to seatd.sock.

Other distros (Arch for instance) introduced a "seat" group.
So a user who wants to log in on a system controlled by seatd
should be a member of that group.

However, not all greeters require that, so I decided to make
it more flexible. The proposed solution consists of:

* 56690 - gnu: seatd-service-type: Should use seat group.
With this change, if seatd-service-type is present in the
system configuration, the "seat" group will be added, and seatd
will run as root/seat. The group is configurable, but the default
is "seat".

* 56699 - gnu: greetd-service-type: Add greeter-extra-groups
  config field.
With this change, if a user wants to use seatd-service-type with
a greeter requiring seatd.sock, he can add the "seat" group to
the greeter-extra-groups field.

Thanks in advance,
muradm

