View previous topic :: View next topic |
Author |
Message |
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Thu May 18, 2023 2:21 pm Post subject: seatd ebuild bug? seat or video ownership |
|
|
Hi,
I am writing, because I observed a strange thing in the sys-auth/seatd ebuild:
It installs /etc/init.d/seatd which effectively calls
(that is, the seatd socket can be accessed only by members of the video group), and it installs /usr/lib/systemd/system/seatd.service which effectively calls
(that is, the seatd socket can be acccesed only by members of the seat group).
The difference and my question are obvious: Is this different behavior under systemd and openrc intentional (a feature?) or a bug?
On the one hand, using seat seems to be intentional, because the ebuild also pulls in the dependency on acct-group/seat.
On the other hand, with the provided service, wayland sessions normally do not work under systemd unless the user is in the seat group. In contrast to the video group, I never read that it is recommended to put "real" users under the seat group, Has this recommendation changed with the introduction of the seat group? If it has changed, then why is the seat group not used in openrc? Or does this recommendation only hold for systemd but not for openrc? Why? |
|
Back to top |
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Sat May 20, 2023 1:22 pm Post subject: |
|
|
To answer my own question: According to the discussion preceediing that post, it is probably not a good idea anymore to put any user (besides a login manager) in the video group - this ~20 years old recommendation is probably not valid anymore in the times of wayland.
So it seems to me that seat is the correct group and that the video group in the openrc startup script is the wrong choice.
I checked that if moving the user from the video to the seat group (and changing the openrc script) works.
Note that there is a bug filed, meanwhile. |
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6098 Location: Dallas area
|
Posted: Sat May 20, 2023 2:38 pm Post subject: |
|
|
The video group should be accurate because that's the group for the video card (set by *udev)
Code: | find /dev -ls |grep video
1544 0 crw-rw---- 1 root video 29, 0 May 20 01:10 /dev/fb0
1540 0 crw-rw---- 1 root video 226, 0 May 20 06:39 /dev/dri/card0
1539 0 crw-rw---- 1 root video 226, 128 May 20 01:10 /dev/dri/renderD128 |
Systemd sits between the running system and the user, so it can do other things including using the seat group,
which if you're not trying to run and swap between systemd and openrc, you only need your user set for one of the groups.
Edit to add: The bottom line, do whatever you want that makes you feel the most comfortable.
I don't really care what other users decide to do on their system.
The fact that something like systemd exists, is a security problem IMO.
If someone can break into any portion of it, they have a large possibility of owning ones whole system.
To me that kind of keeps the whole worry of what group some user is in, in perspective, but that's just me. _________________ PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3342 Location: Rasi, Finland
|
Posted: Sat May 20, 2023 2:59 pm Post subject: |
|
|
Oh boy. I wonder how many guides at the wiki tells people to add their user to video group. _________________ ..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote: | I am NaN! I am a man! |
|
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6098 Location: Dallas area
|
Posted: Sat May 20, 2023 3:04 pm Post subject: |
|
|
I'm not sure that end user has to be in the video group, as long as seatd is.
Seatd is just doing things on behalf of the end user, ie video related stuff, along with input, etc.
I remember a time in graphic computing when you needed to be in certain groups or your system wouldn't work
things change over time, and usually things like wiki's are at the bottom of the pile on updating properly. _________________ PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Sat May 20, 2023 3:58 pm Post subject: |
|
|
Anon-E-moose wrote: | The video group should be accurate because that's the group for the video card (set by *udev)
Code: | find /dev -ls |grep video
1544 0 crw-rw---- 1 root video 29, 0 May 20 01:10 /dev/fb0
1540 0 crw-rw---- 1 root video 226, 0 May 20 06:39 /dev/dri/card0
1539 0 crw-rw---- 1 root video 226, 128 May 20 01:10 /dev/dri/renderD128 |
|
That's exactly why I think that the logged-in user should not be in the video group (under wayland; under X it probably does not matter):
If I understand correctly, it means that every user in that group can theoretically see all windows (at least the visible ones) - limiting such things is exactly the security gain you obtain from wayland. Giving that up for nothing is probably not a good idea.
OTOH, putting the user in the seat group is perhaps not that bad (although maybe you can get indirectly access to the card anyway?).
Quote: | Systemd sits between the running system and the user, so it can do other things including using the seat group, |
When I was booting form systemd, I could not log into a wayland session when the compositor only supported seatd. So even if theoretically it perhaps can do it, it does not do this. That's why I came up with the question in the first place: I realized eventually that I could log into a wayland session from openrc but not from systemd anymore.
Quote: | The fact that something like systemd exists, is a security problem IMO. |
I agree, though IMHO the bigger problem is polkit. Anyway, I boot from systemd only for testing or in emergency cases. But it seems to me now that the seat group is a safer default than the video group as there is no reason to grant to user unrestricted access to the whole screen. |
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6098 Location: Dallas area
|
Posted: Sat May 20, 2023 4:19 pm Post subject: |
|
|
mv wrote: | If I understand correctly, it means that every user in that group can theoretically see all windows (at least the visible ones) - limiting such things is exactly the security gain you obtain from wayland. Giving that up for nothing is probably not a good idea. |
I've not heard of that being a problem for group video, now group tty, that's a different matter.
Video allows access to the video hardware, not the visible screens, it allows things like accessing the drm master (the main reason X had to run as root)
Edit to add: Keep in mind that most of the groups are for "local" control use not remote.
ETA2: I went looking and it's possible to get the current fb0 buffer (with some magic) by being in the video group
though I'm not sure that it can be used by a remote user, nor how helpful it would be.
But with seatd being in the video group, the need for the user to be there doesn't exist.
Seatd behaves as a neutered systemd, in this case.
All things considered, on my single user system, all of this is just theoretical mumbo-jumbo _________________ PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
CooSee Veteran
Joined: 20 Nov 2004 Posts: 1438 Location: Earth
|
Posted: Sat May 20, 2023 8:04 pm Post subject: |
|
|
output of sway with seatd:
Code: | 00:00:00.012 [DEBUG] [sway/server.c:75] Initializing Wayland server
00:00:00.014 [INFO] [wlr] [libseat] [libseat/libseat.c:73] Seat opened with backend 'seatd'
00:00:00.014 [INFO] [wlr] [libseat] [libseat/backend/seatd.c:212] Enabling seat
00:00:00.014 [INFO] [wlr] [backend/session/session.c:109] Successfully loaded libseat session
00:00:00.025 [INFO] [wlr] [backend/backend.c:219] Found 1 GPUs
00:00:00.026 [INFO] [wlr] [backend/drm/backend.c:201] Initializing DRM backend for /dev/dri/card0 (amdgpu) |
with only elogind:
Code: | 00:00:00.012 [DEBUG] [sway/server.c:75] Initializing Wayland server
00:00:00.013 [INFO] [wlr] [libseat] [libseat/backend/seatd.c:64] Could not connect to socket /run/seatd.sock: No such file or directory
00:00:00.013 [INFO] [wlr] [libseat] [libseat/libseat.c:76] Backend 'seatd' failed to open seat, skipping
00:00:00.077 [INFO] [wlr] [libseat] [libseat/libseat.c:73] Seat opened with backend 'logind'
00:00:00.077 [INFO] [wlr] [backend/session/session.c:109] Successfully loaded libseat session
00:00:00.090 [INFO] [wlr] [backend/backend.c:219] Found 1 GPUs
00:00:00.090 [INFO] [wlr] [backend/drm/backend.c:201] Initializing DRM backend for /dev/dri/card0 (amdgpu) |
eix -I seatd
Code: | [I] sys-auth/seatd
Available versions: 0.7.0(0/1) 0.7.0-r1(0/1) (**)9999(0/1)*l{xpak:3} {builtin elogind (+)server systemd}
Installed versions: 9999(0/1)*l{xpak:3}(00:52:17 20.05.2023)(builtin elogind server -systemd)
Homepage: https://sr.ht/~kennylevinsen/seatd
Description: Minimal seat management daemon and universal library |
my user groups:
Code: | wheel audio video input users portage seat plugdev |
but, it's confusing anyway !
EDIT:
removed group seat from my user and:
Code: | 00:00:00.012 [INFO] [sway/main.c:376] Starting sway version 1.9-dev-48d6eda3 (May 20 2023, branch 'HEAD')
00:00:00.012 [DEBUG] [sway/server.c:75] Initializing Wayland server
00:00:00.014 [INFO] [wlr] [libseat] [libseat/libseat.c:73] Seat opened with backend 'seatd'
00:00:00.014 [INFO] [wlr] [libseat] [libseat/backend/seatd.c:212] Enabling seat
00:00:00.014 [INFO] [wlr] [backend/session/session.c:109] Successfully loaded libseat session
00:00:00.026 [INFO] [wlr] [backend/backend.c:219] Found 1 GPUs
00:00:00.026 [INFO] [wlr] [backend/drm/backend.c:201] Initializing DRM backend for /dev/dri/card0 (amdgpu) |
so, group seat seems not needed with openrc.
now, i'am more confused _________________ " Die Realität ist eine Illusion, die durch Mangel an ehrlicher Kommunikation entsteht "
---
" Der Mensch ist von Natur aus neugierig, was am Ende übrig bleibt ist die Gier " |
|
Back to top |
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Sat May 20, 2023 8:51 pm Post subject: |
|
|
CooSee wrote: | so, group seat seems not needed with openrc.
now, i'am more confused |
The explanation is in my first posting: the openrc init script replaces group seat by group video (which appears more and more wrong to me). |
|
Back to top |
|
|
CooSee Veteran
Joined: 20 Nov 2004 Posts: 1438 Location: Earth
|
Posted: Sat May 20, 2023 9:31 pm Post subject: |
|
|
mv wrote: | CooSee wrote: | so, group seat seems not needed with openrc.
now, i'am more confused |
The explanation is in my first posting: the openrc init script replaces group seat by group video (which appears more and more wrong to me). |
tried without video group - Sway works anyway - for seatd video group is necessary.
with only seat group - Sway works anyway by switching to logind.
will use without seat group from now on.
you are right - now i confused myself even more
_________________ " Die Realität ist eine Illusion, die durch Mangel an ehrlicher Kommunikation entsteht "
---
" Der Mensch ist von Natur aus neugierig, was am Ende übrig bleibt ist die Gier " |
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6098 Location: Dallas area
|
Posted: Sat May 20, 2023 10:10 pm Post subject: |
|
|
Seatd needs "-g video" so that it runs in the video group and can handle drm master operations on behalf of the user.
Seatd should be started by /etc/init.d for openrc, not sure about systemd.
The user does not need to be in the video group seatd takes care of that access.
Not sure why the ebuild pulls in acct-group/seat, it doesn't use it.
Code: | $ cat files/seatd.initd
#!/sbin/openrc-run
supervisor=supervise-daemon
command="seatd"
command_args="-g video" |
The only package in portage that even asks for acct-group/seat is the ebuilds for seatd.
Edit to add: The user might need to be in the video group for things like webcams, at least it used to be that way, not sure now.
ETA2: This whole discussion re seatd, is all about wayland, straight xorg (not xwayland) doesn't care about seatd or use it AFAIK.
But you might need to be in the video group for xorg, I don't remember as I quit using xorg over a year ago.
ETA3: The seatd system service comes from the guy who wrote seatd and he says this in the commit comment
Quote: | "video" was used for convenience in the example, but a dedicated group is preferable so that a user does not gain the ability to bypass the seat manager and open devices directly. |
Which doesn't make sense, as seatd being in a certain group doesn't make me (the user) in that group, nor give me the ability to bypass seatd and access the device directly. Seatd is not started by the user, but by init/systemd ie some root level process. _________________ PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1530 Location: South America
|
Posted: Sun May 21, 2023 12:16 am Post subject: |
|
|
seatd's -g option only controls who can connect to its UNIX domain socket, /run/seatd.sock, and therefore, who can interact with the daemon through libseat, i. e. call libseat_open_seat(), libseat_open_device(), etc.
seatd itself runs as root, so it has no problems with open() and ioctl() calls. Therefore, it does seem correct that the socket have group seat on OpenRC too. _________________
NeddySeagoon wrote: | I'm not a witch, I'm a retired electronics engineer |
Ionen wrote: | As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though |
|
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6098 Location: Dallas area
|
Posted: Sun May 21, 2023 10:06 am Post subject: |
|
|
Now that I've slept and thought about it a little, you're right GDH.
I knew that seatd ran as root, it get started (on my system) by /etc/init.d/seatd, thus runs as root.
I just didn't think through completely on the -u -g options.
Then I agree, for security (small though it be) group seat is better.
Not that this keeps someone from being in the video group for other reasons. _________________ PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
CooSee Veteran
Joined: 20 Nov 2004 Posts: 1438 Location: Earth
|
Posted: Thu Jun 08, 2023 8:11 pm Post subject: |
|
|
i switch to seatd as default, without removing elogind - just removed from boot startup.
Sway feels snappier - maybe just my imagination.
_________________ " Die Realität ist eine Illusion, die durch Mangel an ehrlicher Kommunikation entsteht "
---
" Der Mensch ist von Natur aus neugierig, was am Ende übrig bleibt ist die Gier " |
|
Back to top |
|
|
Redeeman l33t
Joined: 25 Sep 2003 Posts: 958 Location: Portugal
|
Posted: Wed Jun 21, 2023 10:30 am Post subject: |
|
|
sorry to somewhat go off on a tangent, but what is the permissions actually supposed to be on the renderD* devices?
i run a multiseat system, and I notice that the default permissions udev rules assign the renderD128 and renderD129 is as follows:
crw-rw----+ 1 root video 226, 0 Jun 21 10:57 card0
crw-rw----+ 1 root video 226, 1 Jun 21 10:10 card1
crw-rw-rw- 1 root render 226, 128 Apr 29 01:51 renderD128
crw-rw-rw- 1 root render 226, 129 Apr 29 01:51 renderD129
This doesnt seem right to me? Wouldnt it be appropriate for me to change it to 660, and then do the required dance to have the ACL for the actual seat user be added to the apropriate device (similar to with card devices) ? |
|
Back to top |
|
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1530 Location: South America
|
Posted: Wed Jun 21, 2023 9:55 pm Post subject: |
|
|
Redeeman wrote: | sorry to somewhat go off on a tangent, but what is the permissions actually supposed to be on the renderD* devices? |
eudev sets them to 0666. For systemd, they are configurable through a build system option, that also defaults to 0666. I don't know enough about the kernel's DRM subsystem to know if this is appropriate. _________________
NeddySeagoon wrote: | I'm not a witch, I'm a retired electronics engineer |
Ionen wrote: | As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though |
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|