--- Begin Message ---
Subject: |
greeter user permissions are not enough to talk with seatd |
Date: |
Thu, 04 Aug 2022 12:45:13 +0300 |
User-agent: |
mu4e 1.8.7; emacs 29.0.50 |
Hi,
As per discussion here:
https://lists.gnu.org/archive/html/guix-devel/2022-08/msg00020.html
Above change reduced permissions of greeter user.
While it is ok for greeters that do not talk to seatd,
greeters talking to seatd lost access to seatd socket.
As result, greeter (e.g. gtkgreet) requiring communication
with seatd is failing to start, causing "black screen"
behavior on active terminal (switching to the other non seatd
related terminal is possible, for manual permissions
adjustment as workaround).
To address this issue, we need more flexible control over
seatd user/group, which creates seatd.sock, and greeter user
which connects to seatd.sock.
Other distros (Arch for instance) introduced "seat" group.
So user which wants to login on system controlled by seatd
should be member of that group.
However, not all greeters require that, so I decided to make
more flexible. Propsed solutions consists of:
* 56690 - gnu: seatd-service-type: Should use seat group.
With this change, if seatd-service-type is present in the
system configuration, "seat" group will be added, and seatd
will run as root/seat. Group is configurable, but default is
"seat".
* 56699 - gnu: greetd-service-type: Add greeter-extra-groups
config field.
With this change, if user wants to use seatd-service-type with
greeter requiring seatd.sock, he can add "seat" group to
greeter-extra-groups field.
Thanks in advance,
muradm
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Subject: |
Re: greeter user permissions are not enough to talk with seatd |
Date: |
Fri, 26 Aug 2022 19:06:14 +0200 |
User-agent: |
Evolution 3.42.1 |
Am Donnerstag, dem 04.08.2022 um 12:45 +0300 schrieb muradm:
> * 56690 - gnu: seatd-service-type: Should use seat group.
> With this change, if seatd-service-type is present in the
> system configuration, "seat" group will be added, and seatd
> will run as root/seat. Group is configurable, but default is
> "seat".
I made it so that by default the sanitizer is used to turn the string
"seat" into a group and used (ice-9 match), reducing some needless
redundancy. I also reworded the manual to the best of my ability
following our conversations and adapted the commit message.
> * 56699 - gnu: greetd-service-type: Add greeter-extra-groups
> config field.
> With this change, if user wants to use seatd-service-type with
> greeter requiring seatd.sock, he can add "seat" group to
> greeter-extra-groups field.
I fixed some minor issue in the manual and reindented the marionette-
type in the tests, also reworded the commit message.
I didn't get the chance to run the system tests – some timeout causes
the marionette build to fail on my machine – but I verified
independently that at least the seatd socket has the right permissions.
I hope this will be enough for you to get gtkgreet running.
Cheers
--- End Message ---