| joerg | rwp: ((set -e then the control flow)) got a pointer | 05:40 |
|---|---|---|
| joerg | ? | 05:41 |
| rwp | joerg, http://mywiki.wooledge.org/BashFAQ/105 | 07:21 |
| joerg | thanks | 07:28 |
| Alverstone | If somebody uses elogind and managed to get Xorg running without root privileges and without adding yourself to video/input groups, please let me know. | 09:19 |
| rrq | Xorg uses /dev/dri/card0, which thus the user running Xorg needs to have access rights for | 10:07 |
| rrq | the group "video" is the customary way of achieving that | 10:08 |
| rrq | input devices are mediated by seatd or logind; and seatd interactions are via a socket that (in standard setup) also uses group "video" | 10:09 |
| rrq | devices | 10:09 |
| rrq | logind implements the mediation through (system) dbus | 10:10 |
| Alverstone | Excellent. libgudev is broken in excalibur, need to install from daedalus and put on hold | 10:24 |
| Alverstone | figured out by trying udisksd to start | 10:24 |
| Alverstone | 10/10 | 10:24 |
| fsmithred | Is it necessary to have dbus installed to run xorg as user? | 10:32 |
| fsmithred | or elogind? | 10:33 |
| rrq | no. You can use seatd. | 10:33 |
| fsmithred | my nodbus install has seatd but xorg is running as root | 10:33 |
| fsmithred | no display manager if that makes a difference | 10:33 |
| rrq | (doesn't) | 10:35 |
| rrq | (could run as non-root) | 10:35 |
| rrq | note that the user starting Xorg must be owner of the /dev/ttyN concerned | 10:44 |
| rrq | eg. by login; just doing "su - ralph" from a root login is no good | 10:45 |
| fsmithred | my user owns tty1. | 10:48 |
| fsmithred | ran startx to start openbox | 10:48 |
| rrq | that sounds good so far (?) | 10:51 |
| fsmithred | yeah, but xorg is running as root | 10:51 |
| fsmithred | it's excalibur. I'm now upgrading 380 packages. Maybe that'll make a difference. | 10:52 |
| fsmithred | do I need dummy-logind? Does that actually do anything? | 10:52 |
| rrq | no ... sounds like your Xorg has suid bit set | 10:53 |
| fsmithred | can I just change that? | 10:53 |
| rrq | remove that, yes | 10:53 |
| Alverstone | seatd rootless xorg relies on video group, probably also input group. It doesn't make sense. The whole point of rootless xorg is forced privilege separation. implement that in seatd and I'm removing elogind forever | 10:54 |
| rrq | no seatd runs as root service offering input mediation to user in video group (not in input group) | 10:54 |
| Alverstone | seatd can't do the only thing I have ever asked of login daemons: rootless graphics, without any auxiliary groups | 10:54 |
| Alverstone | And yes, you need dbus for rootless xorg under elogind | 10:55 |
| rrq | seatd doesn't do graphics | 10:55 |
| rrq | it does input device mediation only | 10:55 |
| Alverstone | well, until it can run my xorg the way elogind does, i won't be using it | 10:56 |
| gnarface | what's the problem with the audio/video groups? | 10:56 |
| rrq | logind doesn't do graphics either; only input mediation | 10:56 |
| gnarface | if you don't like them, you're free to alter the udev rules to change the permissions | 10:56 |
| Alverstone | elogind does a good thing here, dunno why people are so resistant to implementing useful features just because they come from systemd | 10:56 |
| gnarface | i mean, it's basic security | 10:56 |
| Alverstone | gnarface, audio/video groups allow unrestricted access to audio/video devices | 10:57 |
| Alverstone | it does not make sense | 10:57 |
| gnarface | it's kinda one of the core complaints against systemd in fact, that it blows away the entire permissions model in the name of convenience | 10:57 |
| Alverstone | elogind nicely manages permissions here | 10:57 |
| Alverstone | the permissions model is broken here. there are no reasons to add users to some arbitrary groups just to run graphics | 10:58 |
| Alverstone | just to run* | 10:58 |
| rrq | the graphics device is operated with ioctls and requires capabilities as well as access; it's not mediated | 10:58 |
| rrq | it has the usual open/close separations between users | 10:59 |
| gnarface | Alverstone: look, you're just wrong, that's all. you are complaining about adding yourself to a group because it gives that group unrestricted access to the whole device class, then you're arguing that the solution is to remove all the restrictions in a blanket fashion, when you should be complaining that it doesn't make your user the owner of the devices for logical continuity... your argument doesn't make sense. | 11:00 |
| gnarface | just chmod your whole /dev/ tree 777 and be done with it | 11:01 |
| Alverstone | gnarface, what do you mean? | 11:01 |
| Alverstone | my solution is elogind, which just gives me the permissions I want :) | 11:01 |
| rrq | elogind does not mediate graphics | 11:02 |
| Alverstone | rrq, seems like it, I just don't understand what you are trying to say | 11:02 |
| rrq | it mediates input device access just the same way as seatd does though with a more roundabout implementation (via dbus) | 11:02 |
| Alverstone | graphics work out of the box iirc, even with no login daemons graphics will start, but input will be broken | 11:03 |
| Alverstone | dunno who manages that | 11:03 |
| rrq | Xorg | 11:04 |
| Alverstone | without root? | 11:04 |
| gnarface | depends on the driver | 11:04 |
| Alverstone | anyway | 11:04 |
| gnarface | as of daedalus though i believe nvidia was the only holdout still requiring Xorg to be suid root | 11:04 |
| gnarface | could be wrong about that | 11:04 |
| gnarface | i thought even they were gonna fix that eventually | 11:04 |
| Alverstone | rrq, why does user have to be in video group for seatd to allow input devices? | 11:05 |
| Alverstone | what's the point? | 11:05 |
| rrq | because the communication socket has that permissions setting | 11:05 |
| Alverstone | from debian wiki: | 11:06 |
| gnarface | (my guess is that it's because it can't figure out which input devices belong to which "seat" without access to the video stack, but i don't use seatd either) | 11:06 |
| Alverstone | video: This group can be used locally to give a set of users access to a video device (like webcam) | 11:06 |
| gnarface | i think seatd is also new with this release | 11:07 |
| Alverstone | with elogind i don't need video group to access video devices iirc | 11:07 |
| rrq | the seatd option is a devuan patch.. (not in debian) | 11:07 |
| Alverstone | need to reboot to test that though :D | 11:07 |
| Alverstone | gonna take a minute :( | 11:08 |
| Alverstone | video devices work fine without the video group. iirc that must be the responsibility of elogind, because i once tried to access video from an inactive session and hit the wall | 11:24 |
| Alverstone | but users in video group can access video devices always, without restriction | 11:25 |
| Alverstone | gets really broken once you use more than one user | 11:25 |
| Alverstone | once* | 11:25 |
| rrq | afaik it has nothing to do with elogind | 11:25 |
| rrq | rather it's because /dev/dri/card0 has those permissions | 11:27 |
| rrq | sorry I misread | 11:30 |
| rrq | but I'm also not sure which program you talk about now | 11:31 |
| Alverstone | /dev/dri/card0 has 0660/crw-rw---- permissions | 11:33 |
| Alverstone | root:video ownership | 11:33 |
| Alverstone | you can't access it without a login daemon giving you permissions, unless you are a member of the video group | 11:34 |
| Alverstone | rrq, so elogind must handle video devices too | 11:34 |
| Alverstone | couldn't possibly work otherwise | 11:34 |
| rrq | are you running Xorg without being in video group? | 11:35 |
| Alverstone | yes | 11:35 |
| Alverstone | rrq, do you use seatd? | 11:36 |
| rrq | yes | 11:37 |
| Alverstone | `seatd -u root -g seatdadm` and then add a user to seatdadm group. Is it gonna work to launch Xorg without being a member of the video group? | 11:38 |
| rrq | (sorry; sidetracked) .. yes I think so | 11:50 |
| rrq | may depend on the graphics driver though | 11:58 |
| Alverstone | rrq, yep, `seatd -u root -g seatdadm` worked as expected. Guess I'll stick with seatd then for a while to see how it goes? | 13:35 |
| Alverstone | anyway thank you for explanations | 13:36 |
| Alverstone | release notes and man pages were not helpful here | 13:36 |
| fsmithred | Alverstone, is that with or without elogind? | 13:40 |
| Alverstone | fsmithred, without elogind | 14:00 |
| Alverstone | oh well | 14:01 |
| Alverstone | wait a minute I'll triple check | 14:01 |
| Alverstone | fsmithred, forget it | 14:37 |
| fsmithred | huh? | 14:37 |
| Alverstone | it was elogind after all, I removed it completely and X11 didn't start at all. seat initiated, but video driver failed to open video device. apparently seatd doesn't do anything at all there | 14:40 |
| fsmithred | oh | 14:40 |
| fsmithred | not sure what config I have, lemme check | 14:41 |
| Alverstone | plus udisks2 depends on elogind and i depend on udisks2, so much for my hopes | 14:41 |
| fsmithred | oops. The one that's booted doesn't even have X yet. | 14:42 |
| fsmithred | yeah, well elogind requires dbus and I pinned dbus to -1 on this build. | 14:43 |
| fsmithred | but I can run X with startx | 14:43 |
| Alverstone | it runs with root privileges | 14:44 |
| Alverstone | beats me | 14:44 |
| Alverstone | i don't see a point in this, at this point in time graphics should run as regular user | 14:44 |
| rrq | does Xorg run as root? when started by a non-root user? | 14:46 |
| fsmithred | yes | 14:46 |
| fsmithred | here anyway | 14:46 |
| fsmithred | /usr/lib/xorg/Xorg is running as root | 14:46 |
| rrq | so it has suid bit set? | 14:47 |
| fsmithred | maybe because I have needs_root_rights=yes in /etc/X11/Xwrapper.config | 14:47 |
| fsmithred | and I don't have elogind or dbus | 14:47 |
| rrq | can you clear suid bit and try again? | 14:48 |
| fsmithred | how to do? | 14:48 |
| Alverstone | reminder: printscr+alt+r to unraw your keyboard | 14:48 |
| Alverstone | fsmithred, needs_root_rights=no is enough | 14:48 |
| rrq | chmod u-s $file | 14:48 |
| Alverstone | to test | 14:48 |
| Alverstone | rrq, just changing a config value is better imo | 14:49 |
| rrq | no it should not have suid bit set | 14:49 |
| Alverstone | why? | 14:49 |
| Alverstone | it doesn't bite afaik | 14:49 |
| rrq | it should not run as root unless started by root | 14:49 |
| fsmithred | I don't think it does. Shouldn't I see something like 's' in the ls -l output? | 14:49 |
| rrq | yes | 14:50 |
| fsmithred | I have -rwxr-xr-x on /usr/lib/xorg/Xorg | 14:50 |
| Alverstone | fsmithred, must have s, otherwise how can it run as root? | 14:50 |
| Alverstone | ahh | 14:50 |
| Alverstone | you don't need Xorg | 14:50 |
| Alverstone | Xorg.wrapper | 14:50 |
| Alverstone | Xorg.wrapper is the suid | 14:50 |
| Alverstone | iirc | 14:50 |
| fsmithred | yup. 2 s's. | 14:51 |
| fsmithred | Xorg.wrap | 14:51 |
| rrq | chmod 555 | 14:51 |
| Alverstone | 755 | 14:52 |
| Alverstone | ? | 14:52 |
| fsmithred | all running as user now. Thanks!!! | 14:54 |
| fsmithred | I did chmod u-s | 14:54 |
| rrq | and then user has permissions for /dev/dri/card0 | 14:54 |
| fsmithred | I guess because I'm in the video group | 14:55 |
| fsmithred | and I should keep the setting in Xwrapper.config? (needs_root...) | 14:56 |
| rrq | it's now disabled... ineffective setting | 14:57 |
| rrq | i'm not sure if something else looks at it | 14:57 |
| fsmithred | I'll test. Rebooting now because vnc got stupid about caps lock. | 14:59 |
| fsmithred | still works with that line commented | 15:01 |
| Alverstone | video group is better than root imo | 15:03 |
| Alverstone | so congratulations! | 15:04 |
| fsmithred | thanks | 15:04 |
| fsmithred | I was in video group already, so this is definitely an improvement | 15:04 |
| gnarface | fsmithred: doesn't seem like the right way to do that... mine isn't executing Xorg.wrap at all here... | 15:14 |
| gnarface | unless you're using nvidia drivers on that machine and it's another nvidia driver difference | 15:15 |
| fsmithred | no | 15:15 |
| fsmithred | maybe you have something installed that I don't? | 15:15 |
| gnarface | the comments in /etc/X11/Xwrapper.config infer that running "dpkg-reconfigure x11-common" will regenerate it... maybe that'll ask questions? | 15:15 |
| fsmithred | this is a no-dbus build, no elogind no display manager | 15:15 |
| gnarface | i do have dbus here, but not elogind or any other display manager | 15:16 |
| fsmithred | any *kits? | 15:16 |
| gnarface | nope | 15:16 |
| fsmithred | it's squashing a live-iso right now, but I'll play with that later. | 15:17 |
| gnarface | and the only uncommented line in my presumably stock /etc/X11/Xwrapper.config is allowed_users=console | 15:17 |
| fsmithred | yeah, that's all I have now too. I commented out the other line. | 15:18 |
| gnarface | and what's more, this install used to have the nvidia drivers on it, which did use and require the suid wrapper | 15:18 |
| gnarface | i thought what i did to change that was to just remove the xserver-xorg-legacy package, but i see it is still installed | 15:18 |
| gnarface | maybe i dpkg-reconfigured something else related to it though... | 15:19 |
| gnarface | the memory is foggy still | 15:19 |
| gnarface | but i can confirm that whatever it was it certainly did not involve removing the setuid bits on Xorg.wrap | 15:20 |
| gnarface | no polkit or consolekit or elogind | 15:21 |
| gnarface | just dbus and running startx by hand | 15:21 |
| gnarface | not even using seatd actually, it is installed but disabled | 15:22 |
| gnarface | (Xorg complains but works fine) | 15:22 |
| fsmithred | how do you disable seatd? | 15:22 |
| fsmithred | nm, dumb question | 15:23 |
| gnarface | just with the /etc/rc*.d/ symlinks. i doubt that's the key difference though, as i'm pretty sure i had made this change when i switched to the AMD video card | 15:23 |
| gnarface | which i think was sometime before switching to daedalus... | 15:23 |
| gnarface | hmm, now that i say that i'm less sure though... | 15:23 |
| fsmithred | I can try a few things and see what happens | 15:24 |
| gnarface | i feel like the missing key might have been a "dpkg-reconfigure [something]" | 15:24 |
| fsmithred | xserver-xorg | 15:25 |
| fsmithred | been a long time since I've done that | 15:25 |
| gnarface | "dpkg-reconfigure xserver-xorg" - is that what it really was? i only had to do it the one time | 15:39 |
| fsmithred | yeah, I did that with and without -plow and saw nothing | 15:53 |
| fsmithred | I must have run it a bunch of times in the past, because I remembered that option. | 15:54 |