Re: Running pam-enabled /bin/login sessions in unprivileged terminal emulators

On Thursday, May 27, 2021 11:33:35 AM EDT Lennart Poettering wrote:
> On Sa, 22.05.21 13:50, Pekka Paalanen (ppaalanen@xxxxxxxxx) wrote:
> 
> > All in all, this stack would replace the usual stack where
> > /bin/login runs directly on the TTY of a VT, allowing to use a more
> > featureful terminal, custom display modes, multi-output support,
> > maybe multiple parallel sessions for different users a la fast user
> > switching, and more.
> 
> When you say /bin/login, do you actually intend to say "getty"? What is
> /bin/login good for here? It's a stub that expects you already gave it
> a user and it then only asks for a pw. It's the second part of a getty
> pretty much.
> 
> We have multiple services that you can instantiate on ttys, for
> example getty@.service (for true VTs), serial-getty@.service (for
> serial ports), container-getty.service (for /dev/console),
> container-getty@.service (for gettys on pseudo TTYs, pretty much).
> 
> It appears to me that the right approach for your case is to do what
> container-getty@.service effectively does and instantiate an
> appropriate instance of a template service modelled after it for the
> "other" side of the pty your terminal app allocates.
> 
> Instantiating <yourapp>-getty@.service requires privs, but you can use
> polkit to grant that to your terminal app's user. The polkit auth
> request carries the unit name as additional metadata, hence that
> should be pretty easily done with some minimal polkit JS.
> 
> Lennart
> 
> --
> Lennart Poettering, Berlin
> 
I guess I meant to say getty, but getty ends up calling /bin/login anyway after
resetting the terminal and reading /etc/issue. Or at least I thought.

Interesting, I found some simple enough looking samples for granting users the
ability to start one service. Dang, it might not work with Debian's
franken-polkit-0.105 they still have.

I am able to tweak up a test copy of container-getty@.service,
setting TERM to xterm-256color and doing the XDG_SEAT=seat-vtty workaround so
the logged-in session has PAM too, and nmtui doesn't do this
    https://i.imgur.com/dt7xAMz.png
so that works.

Something like that is what I was originally looking for, so thanks!
But I will admit, one thing I've come to like about the socat client/server
thing is that if, say, cage or vte takes a segfault during, say, an apt-get install,
the running command doesn't die...

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
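Lennart's suggestion of granting the terminal app's user the right to start only its own getty template via a polkit rule keyed on the unit name, written out as an added example (not code from the thread or from systemd): a JavaScript rule in the style of /etc/polkit-1/rules.d for a polkit that supports JS rules (0.106 and later; the .pkla-based 0.105 mentioned above cannot load it). Assumptions: the user name "terminal" and the template name myapp-getty@.service are constructed; the action id and the "unit"/"verb" details are the ones systemd attaches to its manage-units authorization requests; the small stand-in for polkit's global object and the decide() helper exist only so the rule can be exercised offline.

```javascript
// Stand-in for polkitd's global `polkit` object so the rule below can be run
// outside polkitd (e.g. under node). Inside polkitd this block is skipped.
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); }
  };
}

// Kept ES5-only because polkitd's embedded JS engine is not a full ES6 runtime.
// Constructed values: the user running the terminal app and the hypothetical
// getty template instantiated for the slave side of its pty.
var ALLOWED_USER = "terminal";
var UNIT_RE = /^myapp-getty@[A-Za-z0-9_.:\\-]+\.service$/; // instances only, not the template
var ALLOWED_VERBS = ["start", "stop"];

polkit.addRule(function (action, subject) {
  // systemd requests this action for StartUnit/StopUnit over D-Bus and passes
  // the unit name and the verb as action details.
  if (action.id !== "org.freedesktop.systemd1.manage-units") {
    return polkit.Result.NOT_HANDLED;
  }
  var unit = action.lookup("unit");
  var verb = action.lookup("verb");
  if (subject.user === ALLOWED_USER &&
      ALLOWED_VERBS.indexOf(verb) !== -1 &&
      typeof unit === "string" && UNIT_RE.test(unit)) {
    return polkit.Result.YES;
  }
  // Never return NO here: anything else falls through to later rules and the
  // action's default policy, so root/admin paths keep working unchanged.
  return polkit.Result.NOT_HANDLED;
});

// Offline evaluator (not part of polkit's API): builds the action/subject
// objects the way polkitd would and returns the first rule result.
function decide(actionId, details, user) {
  var action = { id: actionId, lookup: function (k) { return details[k]; } };
  var subject = { user: user };
  for (var i = 0; i < polkit._rules.length; i++) {
    var r = polkit._rules[i](action, subject);
    if (r !== polkit.Result.NOT_HANDLED) { return r; }
  }
  return polkit.Result.NOT_HANDLED;
}
```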