Message ID | 87mtcezhty.fsf@muradm.net |
---|---|
State | Accepted |
Headers | show |
Series | [bug#56690] gnu: seatd-service-type: Should use seat group. | expand |
Context | Check | Description |
---|---|---|
cbaines/comparison | success | View comparision |
cbaines/git-branch | success | View Git branch |
cbaines/applying patch | success | View Laminar job |
cbaines/issue | success | View issue |
Am Montag, dem 08.08.2022 um 21:50 +0300 schrieb muradm: > > Which user? Closely related, who acquires resources provided by > > @code{seatd}? Just the greeter? A regular user logging in? > > What access level is needed/provided? Read access? Write > > access? > While I understand what you are saying, for me user is fine, and I > can't come up with better description, as my eyes too blurred on > this subject. Anyway for now I specified it as "libseat user". I don't think this really aids us here – it instead lets us ask who is a "libseat user". Perhaps you want to specify "login managers" like greetd or gdm/sddm/etc. explicitly here? Also, (when) do regular users have to be in the seat group? > > > + (group seatd-group (default "seat")) > > > + (existing-group? seatd-existing-group? (default #f)) > > AFAIK this is not necessary. accounts-service-type can handle > > multiple eq? groups, so as long as you're careful with what you put > > into group, you shouldn't get an error. > ok field removed Note ‘eq?’ groups here. In other words, you should be able to take a group (not just a group name) for the group field, sanitize the field so that it will always be a group, and then use that group in seatd- accounts (see the second option mentioned in <79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at>). If for instance instead of seat, you wanted the video group, you would have to take the one from %base-groups, rather than creating a new one. Cheers
Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> writes: > Am Montag, dem 08.08.2022 um 21:50 +0300 schrieb muradm: >> > Which user? Closely related, who acquires resources provided >> > by >> > @code{seatd}? Just the greeter? A regular user logging in? >> > What access level is needed/provided? Read access? Write >> > access? >> While I understand what you are saying, for me user is fine, >> and I >> can't come up with better description, as my eyes too blurred >> on >> this subject. Anyway for now I specified it as "libseat user". > I don't think this really aids us here – it instead lets us ask > who is > a "libseat user". Perhaps you want to specify "login managers" > like > greetd or gdm/sddm/etc. explicitly here? Also, (when) do > regular users > have to be in the seat group? There is no such specification as login manager or what ever. User is any one/thing acquiring resources via seat management. It is perfectly fine to run mingetty, login into bash and from command line start sway that will use libseat to acquire video for instance. Who is user here? There is also no display manager as it was before. Please see my explanation to unmatched-paren: https://debbugs.gnu.org/cgi/bugreport.cgi?msg=46;bug=56690 What is sway in this usecase, it is not a user (like you or me), it is not a display manager (as gdm, sddm etc.). It is just application requiring video card (not only) resource, which it instead of having exclusive root access, uses libseat to acquire it in "seat managy" way. And greetd does/should not care about seatd/libseat until it is not required to acquire resources in "seat managy" way. Instead it is a greeter which is totatly customizable, could be even a bash script or small suckless-like application or else. This is the point of seatd I suppose, to do one thing only without enforcing on who should do what. Thus, none of your proposals are suitable, and I can't come up with something better than "seat management user" or "libseat user". However in my opinion, the one who commits into such setup, should be aware of what is seatd libseat and how, why to interact with it. >> > > + (group seatd-group (default "seat")) >> > > + (existing-group? seatd-existing-group? (default #f)) >> > AFAIK this is not necessary. accounts-service-type can >> > handle >> > multiple eq? groups, so as long as you're careful with what >> > you put >> > into group, you shouldn't get an error. >> ok field removed > Note ‘eq?’ groups here. In other words, you should be able to > take a > group (not just a group name) for the group field, sanitize the > field > so that it will always be a group, and then use that group in > seatd- > accounts (see the second option mentioned in > <79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at>). > If > for instance instead of seat, you wanted the video group, you > would > have to take the one from %base-groups, rather than creating a > new one. Sorry, but I'm not so proficient in english as you. I can only speculate on what is written here. And that reference does not say anything to me, even duck duck go gives single result, it is your message. Could you please be more specific here, and/or provide more useful hyperlink style references. Thanks in advance. > Cheers
Am Dienstag, dem 09.08.2022 um 22:47 +0300 schrieb muradm: > There is no such specification as login manager or what ever. User > is any one/thing acquiring resources via seat management. It is > perfectly fine to run mingetty, login into bash and from command line > start sway that will use libseat to acquire video for instance. Who is > user here? > > There is also no display manager as it was before. Please see my > explanation to unmatched-paren: > https://debbugs.gnu.org/cgi/bugreport.cgi?msg=46;bug=56690 > What is sway in this usecase, it is not a user (like you or me), > it is not a display manager (as gdm, sddm etc.). It is just > application requiring video card (not only) resource, which > it instead of having exclusive root access, uses libseat to > acquire it in "seat managy" way. And greetd does/should not > care about seatd/libseat until it is not required to acquire > resources in "seat managy" way. Instead it is a greeter which > is totatly customizable, could be even a bash script or small > suckless-like application or else. > > This is the point of seatd I suppose, to do one thing only > without enforcing on who should do what. > > Thus, none of your proposals are suitable, and I can't come up > with something better than "seat management user" or "libseat > user". However in my opinion, the one who commits into such > setup, should be aware of what is seatd libseat and how, why to > interact with it. I think you're mixing user and application here, which makes explaining this to others difficult. For instance, GDM is both an application (display manager) and a user launching this application. Likewise for most other display managers. Thus, there is a 1:1 mapping between users and applications. With seatd, from what I understand, there is no such mapping. However, given your description, the following is unclear: Does alice need to be in the seat group to run bash? To run sway? To run sway *only if not having talked to greetd first*? > > > > > + (group seatd-group (default "seat")) > > > > > + (existing-group? seatd-existing-group? (default #f)) > > > > AFAIK this is not necessary. accounts-service-type can > > > > handle > > > > multiple eq? groups, so as long as you're careful with what > > > > you put > > > > into group, you shouldn't get an error. > > > ok field removed > > Note ‘eq?’ groups here. In other words, you should be able to > > take a > > group (not just a group name) for the group field, sanitize the > > field > > so that it will always be a group, and then use that group in > > seatd- > > accounts (see the second option mentioned in > > <79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at>). > > If > > for instance instead of seat, you wanted the video group, you > > would > > have to take the one from %base-groups, rather than creating a > > new one. > Sorry, but I'm not so proficient in english as you. I can only > speculate on what is written here. And that reference does not > say anything to me, even duck duck go gives single result, it is > your message. Could you please be more specific here, and/or > provide more useful hyperlink style references. Thanks in advance. I'll explain it in terms of lisp: (define seat1 (user-group (name "seat") (system #t)) (define seat2 (user-group (name "seat") (system #t)) (operating-system (groups (list seat1 seat1))) ; works, eq? (operating-system (groups (list seat2 seat2))) ; works, eq? (operating-system (groups (list seat1 seat2))) ; doesn't work For field sanitizers, see define-record-type*. Cheers
Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> writes: > Am Dienstag, dem 09.08.2022 um 22:47 +0300 schrieb muradm: >> There is no such specification as login manager or what ever. >> User >> is any one/thing acquiring resources via seat management. It is >> perfectly fine to run mingetty, login into bash and from >> command line >> start sway that will use libseat to acquire video for instance. >> Who is >> user here? >> >> There is also no display manager as it was before. Please see >> my >> explanation to unmatched-paren: >> https://debbugs.gnu.org/cgi/bugreport.cgi?msg=46;bug=56690 >> What is sway in this usecase, it is not a user (like you or >> me), >> it is not a display manager (as gdm, sddm etc.). It is just >> application requiring video card (not only) resource, which >> it instead of having exclusive root access, uses libseat to >> acquire it in "seat managy" way. And greetd does/should not >> care about seatd/libseat until it is not required to acquire >> resources in "seat managy" way. Instead it is a greeter which >> is totatly customizable, could be even a bash script or small >> suckless-like application or else. >> >> This is the point of seatd I suppose, to do one thing only >> without enforcing on who should do what. >> >> Thus, none of your proposals are suitable, and I can't come up >> with something better than "seat management user" or "libseat >> user". However in my opinion, the one who commits into such >> setup, should be aware of what is seatd libseat and how, why to >> interact with it. > I think you're mixing user and application here, which makes > explaining > this to others difficult. For instance, GDM is both an > application > (display manager) and a user launching this application. > Likewise for > most other display managers. Thus, there is a 1:1 mapping > between > users and applications. I don't think that I miss, instead I intend to generalize as much as possible. I suppose it is better to say, seat management can be used by anyone or anything where greeter would be an example of anything, and logged in user an example of anyone. > With seatd, from what I understand, there is no such mapping. > However, > given your description, the following is unclear: > Does alice need to be in the seat group to run bash? Alice needs to be in seat group if any application and/or script is going to be using libseat for acquiring resources in "seat managy" way, in order to have access to seatd.sock. > To run sway? Since sway is aciqyuring resources using libseat in "seat managy" way, then Alice will have to be in seat group to access seatd.sock. > To run sway *only if not having talked to greetd first*? greetd is unrelated here, as greetd by it self is not acquiring resources in "seat managy" way. Currently no greeter for greetd also talks via libseat to seatd _directly_. But special case of gtkgreet which requires wayland compositor, which is sway, creates indirect relation of "seat managy" resources acquisiion using libseat. This indirect relation requiring user of greeter to be a member of seat group. >> > > > > + (group seatd-group (default "seat")) >> > > > > + (existing-group? seatd-existing-group? (default #f)) >> > > > AFAIK this is not necessary. accounts-service-type can >> > > > handle >> > > > multiple eq? groups, so as long as you're careful with >> > > > what >> > > > you put >> > > > into group, you shouldn't get an error. >> > > ok field removed >> > Note ‘eq?’ groups here. In other words, you should be able >> > to >> > take a >> > group (not just a group name) for the group field, sanitize >> > the >> > field >> > so that it will always be a group, and then use that group in >> > seatd- >> > accounts (see the second option mentioned in >> > <79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at>). >> > If >> > for instance instead of seat, you wanted the video group, you >> > would >> > have to take the one from %base-groups, rather than creating >> > a >> > new one. >> Sorry, but I'm not so proficient in english as you. I can only >> speculate on what is written here. And that reference does not >> say anything to me, even duck duck go gives single result, it >> is >> your message. Could you please be more specific here, and/or >> provide more useful hyperlink style references. Thanks in >> advance. > I'll explain it in terms of lisp: > > (define seat1 (user-group (name "seat") (system #t)) > (define seat2 (user-group (name "seat") (system #t)) > (operating-system (groups (list seat1 seat1))) ; works, eq? > (operating-system (groups (list seat2 seat2))) ; works, eq? > (operating-system (groups (list seat1 seat2))) ; doesn't work > > For field sanitizers, see define-record-type*. I know how eq? works. I don't understand what do you want me to do with service configuration. > Cheers
From e733977a5cbd2bb34cf129908b16a4a0af830f02 Mon Sep 17 00:00:00 2001 From: muradm <mail@muradm.net> Date: Fri, 22 Jul 2022 07:09:54 +0300 Subject: [PATCH v3] gnu: seatd-service-type: Should use seat group. To: 56690@debbugs.gnu.org * gnu/services/desktop.scm (seatd-service-type): Uses "seat" group. [extensions]: Added account-service-type with seatd-accounts. (seatd-accounts): Conditionally produces list with "seat" group. (<seatd-configuration>): [user] Removed user field, since it is not going to be used. [group] Change default value to "seat". * doc/guix.texi: Mention that users may need to become members of "seat" group and update default value for group field. Add explanation on seatd.sock file. Remove dropped user field. --- doc/guix.texi | 29 +++++++++++++++++++++++++---- gnu/services/desktop.scm | 14 +++++++++----- gnu/tests/desktop.scm | 9 +++++++++ 3 files changed, 43 insertions(+), 9 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 9a6a5c307d..92701fca10 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -23171,6 +23171,30 @@ input), without requiring the applications needing access to be root. %base-services) @end lisp + +@code{seatd} operates over a UNIX domain socket, with @code{libseat} +providing the client-side of the protocol. Then applications dealing +with seat management (e.g. @code{sway}) connects to @code{seatd} via +mentioned socket. + +When seat management is provided by @code{seatd}, @code{libseat} users +that acquire resources provided by @code{seatd} should have permissions +to access its UNIX domain socket. By default, @code{seatd-service-type} +provides ``seat'' group. And @code{libseat} user should become its +member. + +@lisp +(user-account + (name "alice") + (group "users") + (supplementary-groups '("wheel" ;allow use of sudo, etc. + "seat" ;interact with seatd + "audio" ;sound card + "video" ;video devices such as webcams + "cdrom")) ;the good ol' CD-ROM + (comment "Bob's sister")) +@end lisp + @end defvr @deftp {Data Type} seatd-configuration @@ -23180,10 +23204,7 @@ Configuration record for the seatd daemon service. @item @code{seatd} (default: @code{seatd}) The seatd package to use. -@item @code{user} (default: @samp{"root"}) -User to own the seatd socket. - -@item @code{group} (default: @samp{"users"}) +@item @code{group} (default: @samp{"seat"}) Group to own the seatd socket. @item @code{socket} (default: @samp{"/run/seatd.sock"}) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 29a3722f1b..fbd5a46a06 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -13,7 +13,7 @@ ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2020 Reza Alizadeh Majd <r.majd@pantherx.org> ;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re> -;;; Copyright © 2021 muradm <mail@muradm.net> +;;; Copyright © 2021, 2022 muradm <mail@muradm.net> ;;; ;;; This file is part of GNU Guix. ;;; @@ -1645,8 +1645,7 @@ (define-record-type* <seatd-configuration> seatd-configuration make-seatd-configuration seatd-configuration? (seatd seatd-package (default seatd)) - (user seatd-user (default "root")) - (group seatd-group (default "users")) + (group seatd-group (default "seat")) (socket seatd-socket (default "/run/seatd.sock")) (logfile seatd-logfile (default "/var/log/seatd.log")) (loglevel seatd-loglevel (default "info"))) @@ -1660,7 +1659,6 @@ (define (seatd-shepherd-service config) (provision '(seatd elogind)) (start #~(make-forkexec-constructor (list #$(file-append (seatd-package config) "/bin/seatd") - "-u" #$(seatd-user config) "-g" #$(seatd-group config)) #:environment-variables (list (string-append "SEATD_LOGLEVEL=" @@ -1670,9 +1668,14 @@ (define (seatd-shepherd-service config) #:log-file #$(seatd-logfile config))) (stop #~(make-kill-destructor))))) +(define seatd-accounts + (match-lambda + (($ <seatd-configuration> _ group) + (list (user-group (name group) (system? #t)))))) + (define seatd-environment (match-lambda - (($ <seatd-configuration> _ _ _ socket) + (($ <seatd-configuration> _ _ socket) `(("SEATD_SOCK" . ,socket))))) (define seatd-service-type @@ -1683,6 +1686,7 @@ (define seatd-service-type applications needing access to be root.") (extensions (list + (service-extension account-service-type seatd-accounts) (service-extension session-environment-service-type seatd-environment) ;; TODO: once cgroups is separate dependency we should not mount it here ;; for now it is mounted here, because elogind mounts it diff --git a/gnu/tests/desktop.scm b/gnu/tests/desktop.scm index 25971f9225..6fe6ec21be 100644 --- a/gnu/tests/desktop.scm +++ b/gnu/tests/desktop.scm @@ -255,6 +255,15 @@ (define (sock-var-sock var) (socks (map wait-for-unix-socket-m socks))) (and (= 2 (length socks)) (every identity socks))))) + (test-equal "seatd.sock ownership" + '("root" "seat") + `(,(marionette-eval + '(passwd:name (getpwuid (stat:uid (stat "/run/seatd.sock")))) + marionette) + ,(marionette-eval + '(group:name (getgrgid (stat:gid (stat "/run/seatd.sock")))) + marionette))) + (test-assert "greetd is ready" (begin (marionette-type "ps -C greetd -o pid,args --no-headers > ps-greetd\n" -- 2.37.1