Re: systemd and local group membership




On 29/10/12 01:17, Zeke Sulastin wrote:
On Sun, Oct 28, 2012 at 4:26 AM, Dave Morgan
<davemorgan353@xxxxxxxxxxxxxx> wrote:
What are the technical reasons for group membership breaking
functionality when using systemd?

With a typical desktop use case, systemd-logind's session management
handles the ability to do things like use audio/video via ACLs:

$ ls -l pcmC0D0c
crw-rw----+ 1 root audio 116, 5 Oct 21 13:55 pcmC0D0c

$ getfacl pcmC0D0c
# file: pcmC0D0c
# owner: root
# group: audio
user::rw-
user:zekesulastin:rw-
group::rw-
mask::rw-
other::---

==But, if I log in as a different user on another tty ...==

$ getfacl pcmC0D0c
# file: pcmC0D0c
# owner: root
# group: audio
user::rw-
user:cap:rw-
group::rw-
mask::rw-
other::---

==But when I switch back to x on vt1, the acl is set back to
zekesulastin even though cap is still logged in==

Adding a user to a group can cause this process to be subverted -
logind can't manage who is in what group.  (On audio again, in
addition to the multiuser case this can also make it easier for a bad
program to get around dmix/pulse if you use either.)

There ARE still cases where you would want to put the user in a group
(remote logins, jackd iirc, stuff not handled by ACLs if you have such
a device), but for the typical desktop use case it is unnecessary.

This is also why you have to start X on the same tty you logged in to
if you're not using a DM - ck-launch-session was a workaround to that
problem, but this workaround no longer exists.

So does this mean that extending the use of pre-defined groups is deprecated at best, and horribly wrong at worst?

I've got all my music mounted via binds to /mnt/music so mpd can access it without needing to be able to walk the entire filesystem, and I've then added mpd to the audio group so it can access those files. It then outputs to Pulseaudio via the network hack on the wiki[1].

I haven't had any issues, but this is essentially a single-user machine so I don't need the fast user switching abilities. Though there's no reason why I couldn't create a 'music' group, and change the permissions accordingly, if that is the more "correct" way to do things.

I'm also using groups to allow very restricted non-root system administration; for example, TeXLive is installed in /opt/texlive with root:texlive and 775 permissions.

[1] https://wiki.archlinux.org/index.php/Music_Player_Daemon/Tips_and_Tricks#Local_.28with_separate_mpd_user.29
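As an added example (not code from this thread or from systemd), the following script evaluates a device node's ACL the way the kernel does, so you can see the difference Zeke describes: a named-user entry that logind adds and removes on seat switch versus a group entry that grants access to every member for as long as they are in the group. The getfacl text is a constructed sample copied in the format shown above; the users `mpd` and `root` and the group sets passed in are assumptions.

```python
# Constructed sample, in the text format getfacl prints (from the thread above):
# the state after 'cap' logged in on another tty. Not captured from a real host.
GETFACL_SAMPLE = """\
# file: pcmC0D0c
# owner: root
# group: audio
user::rw-
user:cap:rw-
group::rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries); an entry is (tag, qualifier, perms)."""
    owner = owning_group = None
    entries = []
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            owning_group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return owner, owning_group, entries

def _apply_mask(perms, mask):
    """A permission bit survives only if it is set in both the entry and the mask."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))

def effective_access(acl_text, user, groups):
    """POSIX ACL order: owner, named user, group class (masked), other. Returns (perms, source)."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    if user == owner:
        return next(p for t, q, p in entries if t == "user" and q == ""), "owner"
    for t, q, p in entries:                    # the entry logind adds for the active seat
        if t == "user" and q == user:
            return _apply_mask(p, mask), "logind ACL (revoked on seat switch)"
    matching = [p for t, q, p in entries if t == "group"
                and (owning_group in groups if q == "" else q in groups)]
    if matching:                               # any matching group entry may grant a bit
        union = "".join(b if any(p[i] == b for p in matching) else "-"
                        for i, b in enumerate("rwx"))
        return _apply_mask(union, mask), "group membership (logind never revokes this)"
    return next(p for t, _, p in entries if t == "other"), "other"
```

Run it against `getfacl` output from a real `/dev/snd` node and the user's actual group list (e.g. from `id -Gn`) to see which path each user's access comes from.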

