Re: [multiseat] How to make automatic ACL creation via udev "uaccess" tag work for seats other than seat0?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 31.08.2023 19:22, Christian Pernegger wrote:
Hello,

still trying to get the kinks out of my multiseat setup ...

AFAICT the proper way to give local users access to devices nowadays
is via udev and the "uaccess" tag: devices with this tag set should
automagically get an ACL entry that gives access to users with active
sessions. This works brilliantly for seat0, but not for seat1 (and
above, I presume).

E.g.
P: /devices/virtual/misc/rfkill
N: rfkill
L: 0
E: DEVPATH=/devices/virtual/misc/rfkill
E: SUBSYSTEM=misc
E: DEVNAME=/dev/rfkill
E: MAJOR=10
E: MINOR=242
E: USEC_INITIALIZED=954210
E: SYSTEMD_WANTS=systemd-rfkill.socket
E: TAGS=:systemd:uaccess:seat:shared:
E: CURRENT_TAGS=:systemd:uaccess:seat:shared:


There is no ID_SEAT, so this device belongs to seat0 by default.

At login screens:
# file: dev/rfkill
# owner: root
# group: root
user::rw-
user:gdm:rw- # *** [my emph.]
group::rw-
mask::rw-
other::rw-

Logged in on seat0:
At login screens:
# file: dev/rfkill
# owner: root
# group: root
user::rw-
user:chris:rw- # *** ["switches" to user]
group::rw-
mask::rw-
other::rw-

Logged in on seat1 instead:
# file: dev/rfkill
# owner: root
# group: root
user::rw-
user:gdm:rw- # *** [sticks to gdm]
group::rw-
mask::rw-
other::rw-


This device belongs to seat0, so it is ignored when requested to change permissions for seat1.

The GNOME BT control panel doesn't work unless the logged-in user has
write access to /dev/rfkill, which is how I originally came across
this.
But it's the same for the /dev/dri/renderD* devices. The seat to which
the matching card belongs has access some other way, but the other
seat does not; if you do give both seats access, both can use both
cards in vulkan applications, for example. I see there are other files
under /dev that have the ACL "+", looks like it's the same for them.
(I wonder if that's why I can't switch virtual consoles on seat1 even
though fbcon is mapped to that.)

Anyway, I know I can just override the permissions or use the old
group way of doing things, but I'd prefer to fix things properly. The
symptoms of wrong device permissions can be insidious.


You need to assign your device to the correct seat.



[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux