emacs-bug-tracker
bug#56971: closed (greeter user permissions are not enough to talk with


From: GNU bug Tracking System
Subject: bug#56971: closed (greeter user permissions are not enough to talk with seatd)
Date: Fri, 26 Aug 2022 17:07:03 +0000

Your message dated Fri, 26 Aug 2022 19:06:14 +0200
with message-id <400cf1fed0d340398da6e2e0e32bebdb8fd842ef.camel@gmail.com>
and subject line Re: greeter user permissions are not enough to talk with seatd
has caused the debbugs.gnu.org bug report #56971,
regarding greeter user permissions are not enough to talk with seatd
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
56971: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=56971
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: greeter user permissions are not enough to talk with seatd
Date: Thu, 04 Aug 2022 12:45:13 +0300
User-agent: mu4e 1.8.7; emacs 29.0.50

Hi,

As per discussion here:
https://lists.gnu.org/archive/html/guix-devel/2022-08/msg00020.html

The above change reduced the permissions of the greeter user.
While it is ok for greeters that do not talk to seatd,
greeters talking to seatd lost access to the seatd socket.
As a result, a greeter (e.g. gtkgreet) requiring communication
with seatd is failing to start, causing "black screen"
behavior on the active terminal (switching to another non-seatd
related terminal is possible, for manual permissions
adjustment as a workaround).

To address this issue, we need more flexible control over
seatd user/group, which creates seatd.sock, and greeter user
which connects to seatd.sock.

Other distros (Arch for instance) introduced a "seat" group.
So a user who wants to log in on a system controlled by seatd
should be a member of that group.

However, not all greeters require that, so I decided to make
it more flexible. The proposed solution consists of:

* 56690 - gnu: seatd-service-type: Should use seat group.
With this change, if seatd-service-type is present in the
system configuration, "seat" group will be added, and seatd
will run as root/seat. Group is configurable, but default is "seat".

* 56699 - gnu: greetd-service-type: Add greeter-extra-groups config field.
With this change, if user wants to use seatd-service-type with
greeter requiring seatd.sock, he can add "seat" group to
greeter-extra-groups field.

Thanks in advance,
muradm



--- End Message ---
--- Begin Message ---
Subject: Re: greeter user permissions are not enough to talk with seatd
Date: Fri, 26 Aug 2022 19:06:14 +0200
User-agent: Evolution 3.42.1

On Thursday, 04.08.2022 at 12:45 +0300, muradm wrote:
> * 56690 - gnu: seatd-service-type: Should use seat group.
> With this change, if seatd-service-type is present in the
> system configuration, "seat" group will be added, and seatd
> will run as root/seat. Group is configurable, but default is 
> "seat".
I made it so that by default the sanitizer is used to turn the string
"seat" into a group and used (ice-9 match), reducing some needless
redundancy.  I also reworded the manual to the best of my ability
following our conversations and adapted the commit message.

> * 56699 - gnu: greetd-service-type: Add greeter-extra-groups 
>   config field.
> With this change, if user wants to use seatd-service-type with
> greeter requiring seatd.sock, he can add "seat" group to
> greeter-extra-groups field.
I fixed some minor issue in the manual and reindented the marionette-
type in the tests, also reworded the commit message.

I didn't get the chance to run the system tests – some timeout causes
the marionette build to fail on my machine – but I verified
independently that at least the seatd socket has the right permissions.
I hope this will be enough for you to get gtkgreet running.

Cheers


--- End Message ---
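
An added example, not part of the thread and not Guix code: a shell check of which permission class (owner, group, other) gives a user connect access to a Unix socket such as seatd.sock, which is the condition the "seat" group change restores for the greeter. The function names, uids, gids and the mode are constructed for illustration; `stat -c` assumes a GNU userland.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed ids and mode).
# Connecting to a Unix socket on Linux needs write permission on the socket
# file. ACLs and search permission on parent directories are not considered.

# access_class OWNER_UID GROUP_GID OCTAL_MODE USER_UID "USER_GIDS"
# Prints root, owner, group, other or denied. Like the kernel, it picks one
# class only: a user who owns the file never falls through to group/other.
access_class() {
    owner=$1 group=$2 mode=$3 uid=$4 gids=$5
    if [ "$uid" -eq 0 ]; then echo root; return 0; fi
    m=$((0$mode))                       # leading 0: parse the mode as octal
    if [ "$uid" -eq "$owner" ]; then
        [ $((m & 0200)) -ne 0 ] && echo owner || echo denied
        return 0
    fi
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then
            [ $((m & 0020)) -ne 0 ] && echo group || echo denied
            return 0
        fi
    done
    [ $((m & 0002)) -ne 0 ] && echo other || echo denied
}

# check_socket PATH USER: read owner, group and mode from a real socket and
# classify access for USER using the ids reported by id(1).
check_socket() {
    info=$(stat -c '%u %g %a' "$1") || return 1
    set -- "$2" $info                   # $1=user $2=owner $3=group $4=mode
    access_class "$2" "$3" "$4" "$(id -u "$1")" "$(id -G "$1")"
}

# Constructed sample: socket owned by uid 0, gid 985 (standing in for "seat"),
# mode 770; the greeter user has uid 970 and primary gid 970.
access_class 0 985 770 970 "970"        # greeter without the extra group
access_class 0 985 770 970 "970 985"    # greeter with the "seat" gid added
```

On a running system, `check_socket` takes the actual socket path and the greeter account name as its two arguments.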
