On 29/10/12 01:17, Zeke Sulastin wrote:
> On Sun, Oct 28, 2012 at 4:26 AM, Dave Morgan
> <davemorgan353@xxxxxxxxxxxxxx> wrote:
>> What are the technical reasons for group membership breaking
>> functionality when using systemd?
>
> With a typical desktop use case, systemd-logind's session management
> handles the ability to do things like use audio/video via ACLs:
>
> $ ls -l pcmC0D0c
> crw-rw----+ 1 root audio 116, 5 Oct 21 13:55 pcmC0D0c
> $ getfacl pcmC0D0c
> # file: pcmC0D0c
> # owner: root
> # group: audio
> user::rw-
> user:zekesulastin:rw-
> group::rw-
> mask::rw-
> other::---
>
> ==But, if I log in to a different user on another tty ...==
>
> $ getfacl pcmC0D0c
> # file: pcmC0D0c
> # owner: root
> # group: audio
> user::rw-
> user:cap:rw-
> group::rw-
> mask::rw-
> other::---
>
> ==But when I switch back to X on vt1, the ACL is set back to
> zekesulastin even though cap is still logged in==
>
> Adding a user to a group can cause this process to be subverted -
> logind can't manage who is in what group. (On audio again, in
> addition to the multiuser case this can also make it easier for a bad
> program to get around dmix/pulse if you use either.)
>
> There ARE still cases where you would want to put the user in a group
> (remote logins, jackd iirc, stuff not handled by ACLs if you have such
> a device), but for the typical desktop use case it is unnecessary.
> This is also why you have to start X on the same tty you logged in to
> if you're not using a DM - ck-launch-session was a workaround to that
> problem, but this workaround no longer exists.
So does this mean that extending the use of pre-defined groups is
deprecated at best, and horribly wrong at worst?
I've got all my music mounted via binds to /mnt/music so mpd can access
it without needing to be able to walk the entire filesystem, and I've
then added mpd to the audio group so it can access those files. It then
outputs to Pulseaudio via the network hack on the wiki[1].
I haven't had any issues, but this is essentially a single-user machine
so I don't need the fast user switching abilities. Though there's no
reason why I couldn't create a 'music' group, and change the permissions
accordingly, if that is the more "correct" way to do things.
I'm also using groups to allow very restricted non-root system
administration; for example, TeXLive is installed in /opt/texlive with
root:texlive and 775 permissions.
[1] https://wiki.archlinux.org/index.php/Music_Player_Daemon/Tips_and_Tricks#Local_.28with_separate_mpd_user.29
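As an added example (not part of this thread, and not code from systemd or Arch), the following Python script parses getfacl(1) long-form output and evaluates access in the order acl(5) prescribes (owner, named user, owning group / named groups, other, with the mask applied to everything except owner and other). The two ACL listings mirror the shape of the pcmC0D0c output quoted above; the third, mask-restricted listing, the user name mpd and the group membership table are assumptions constructed for the demo. Running it shows the point Zeke makes: the named-user entry moves with the active seat, but a user placed in the audio group keeps rw on the device no matter which session logind has marked active.

```python
"""Evaluate POSIX ACL access on getfacl(1) output.

Added example, not from the original thread. The first two listings are
constructed to match the pcmC0D0c output quoted in the thread; the third is
a hypothetical mask-restricted variant. Evaluation order follows acl(5).
"""
from typing import Dict, List, Set, Tuple

# Constructed input: the ACL logind sets while zekesulastin owns the active seat.
ACL_ZEKE_ACTIVE = """\
# file: pcmC0D0c
# owner: root
# group: audio
user::rw-
user:zekesulastin:rw-
group::rw-
mask::rw-
other::---
"""

# Constructed input: the same device after cap becomes the active session.
ACL_CAP_ACTIVE = """\
# file: pcmC0D0c
# owner: root
# group: audio
user::rw-
user:cap:rw-
group::rw-
mask::rw-
other::---
"""

# Constructed input (hypothetical): a mask that narrows the named entries.
# getfacl reports the masked result as a trailing "#effective:" comment.
ACL_MASKED = """\
# file: pcmC0D0c
# owner: root
# group: audio
user::rw-
user:cap:rw-\t\t\t#effective:r--
group::rw-\t\t\t#effective:r--
mask::r--
other::---
"""


def parse_getfacl(text: str) -> dict:
    """Parse getfacl's long-form output into its ACL entries."""
    acl = {"owner": None, "group": None, "user_obj": set(), "group_obj": set(),
           "named_users": {}, "named_groups": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # header: "# owner: root"
            key, _, value = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                acl[key.strip()] = value.strip()
            continue
        tag, qualifier, rest = line.split(":", 2)
        # Drop any "#effective:" annotation; the mask is applied in access_check.
        perms = {c for c in rest.split("#", 1)[0] if c in "rwx"}
        if tag == "user":
            if qualifier:
                acl["named_users"][qualifier] = perms
            else:
                acl["user_obj"] = perms
        elif tag == "group":
            if qualifier:
                acl["named_groups"][qualifier] = perms
            else:
                acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def access_check(acl: dict, user: str, groups: Set[str],
                 want: str = "rw") -> Tuple[bool, str]:
    """Decide whether `user` (member of `groups`) gets `want` on the file.

    Returns (granted, entry_that_decided). Owner and other entries are not
    subject to the mask; named users, the owning group and named groups are.
    """
    wanted = set(want)
    if user == acl["owner"]:
        return wanted <= acl["user_obj"], "owner"
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user in acl["named_users"]:
        return wanted <= (acl["named_users"][user] & mask), "named user ACL entry"
    matched = False
    if acl["group"] in groups:
        matched = True
        if wanted <= (acl["group_obj"] & mask):
            return True, "owning group %s" % acl["group"]
    for name, perms in acl["named_groups"].items():
        if name in groups:
            matched = True
            if wanted <= (perms & mask):
                return True, "named group ACL entry %s" % name
    if matched:                 # a group entry matched but lacked the bits: deny
        return False, "group entry"
    return wanted <= acl["other"], "other"


def logind_bypassers(acl: dict, memberships: Dict[str, Set[str]],
                     want: str = "rw") -> List[str]:
    """Users granted `want` by the base group/other entries rather than the
    per-session named-user entry, i.e. access logind cannot take away."""
    out = []
    for user, groups in memberships.items():
        granted, via = access_check(acl, user, groups, want)
        if granted and via not in ("owner", "named user ACL entry"):
            out.append(user)
    return sorted(out)


if __name__ == "__main__":
    # Constructed membership table: only mpd was added to the audio group.
    members = {"zekesulastin": {"users"}, "cap": {"users"}, "mpd": {"audio"}}
    for label, text in (("vt1 active", ACL_ZEKE_ACTIVE), ("vt2 active", ACL_CAP_ACTIVE)):
        acl = parse_getfacl(text)
        for u in members:
            print(label, u, access_check(acl, u, members[u]))
        print(label, "bypass logind:", logind_bypassers(acl, members))
```

Feeding the output of a real `getfacl /dev/snd/pcmC0D0c` to parse_getfacl() and the user's groups (from `id -Gn`) to access_check() tells you whether a given user's access rides on the seat-tracked ACL entry or on a group entry that a seat switch will not revoke.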