Hi
I am trying to experiment around replacing the text mode TTYs with usermode
utilities.
While kmscon exists, the problem with it that I see is that it runs as root.
It's most likely so it can run /bin/login as root, and /bin/login is not setuid
I found that doing something like (Can't fit the command in 80 chars, sorry)
systemd-run --setenv XDG_SEAT=$XDG_SEAT --setenv XDG_VTNR=$XDG_VTNR -t /bin/login -p
can work in a way to run /bin/login within a non-privleged terminal emulator,
however authentication is needed to run that command.
(there also seems to be no way to turn off the "press ^] to disconnect" option)
First question:
Is there a supported way to allow a system user account to run one command
without a password prompt with systemd-run? Otherwise I guess I can just make a
setuid binary that calls the systemd-run command...
The second thing: Things like nmtui need a full logind session to be able to
run, and do polkit actions. However on seat0, it seems you need to decide on a
empty TTY to use, which while you can use TTY63, that doesn't seem to be a
'clean' idea.
One interesting workaround that DOES work is loading the vkms driver, adding
the virtual card to a seat called 'seat-vtty' and then starting the login
process on the virtual seat. That allows a full logind session to run and
things like nmtui actually work
modprobe vkms
loginctl attach seat-vtty /sys/devices/platform/vkms/drm/card1
systemd-run --setenv XDG_SEAT=seat-vtty -t /bin/login -p
The fake video card device being added forces logind to create the seat-vtty
seat. From that login prompt, I can log in and have polkit work, testing with
nmtui. It's a bit odd having to use a virtual hardware device to make a fake
seat, but it works to get around the TTY restriction for seat0...
Thanks
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Running pam-enabled /bin/login sessions in unprivileged terminal emulators
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Running pam-enabled /bin/login sessions in unprivileged terminal emulators
- From: nerdopolis <bluescreen_avenger@xxxxxxxxxxx>
- Date: Sun, 16 May 2021 19:41:30 -0400
- References: <2291865.hSSCN3l8V1.ref@nerdopolis>
- Follow-Ups:
- Re: Running pam-enabled /bin/login sessions in unprivileged terminal emulators
- From: Lennart Poettering
- Re: Running pam-enabled /bin/login sessions in unprivileged terminal emulators
- From: nerdopolis
- Re: Running pam-enabled /bin/login sessions in unprivileged terminal emulators
- Prev by Date: Re: Need help to debug TAG-= rule
- Next by Date: manually lading kernel modules and have created /dev/* in container?
- Previous by thread: Need help to debug TAG-= rule
- Next by thread: Re: Running pam-enabled /bin/login sessions in unprivileged terminal emulators
- Index(es):
 |