[PATCH] gnu: seatd-service-type: Should use seat group.

  • Done
  • quality assurance status badge
Details
5 participants
  • Liliana Marie Prikler
  • Liliana Marie Prikler
  • Ludovic Courtès
  • muradm
  • (
Owner
unassigned
Submitted by
muradm
Severity
normal
M
M
muradm wrote on 22 Jul 2022 06:27
(address . guix-patches@gnu.org)
20220722042745.26745-1-mail@muradm.net
* gnu/services/desktop.scm (seatd-service-type): Uses "seat" group.
[extensions]: Added account-service-type with %seatd-accounts.
(%seatd-accounts): List with "seat" group.
(<seatd-configuration>): [group] Change default value to "seat".
* doc/guix.texi: Mention that users may need to become members of
"seat" group and update default value for group field.
---
doc/guix.texi | 18 +++++++++++++++++-
gnu/services/desktop.scm | 8 ++++++--
2 files changed, 23 insertions(+), 3 deletions(-)

Toggle diff (78 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 3c5864ec1a..750ed9b121 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -23151,6 +23151,22 @@ input), without requiring the applications needing access to be root.
%base-services)
@end lisp
+
+Users which are going to interact with @code{seatd} daemon while logged in
+should be added to @code{seat} group. For instance:
+
+@lisp
+(user-account
+ (name "alice")
+ (group "users")
+ (supplementary-groups '("wheel" ;allow use of sudo, etc.
+ "seat" ;interact with seatd
+ "audio" ;sound card
+ "video" ;video devices such as webcams
+ "cdrom")) ;the good ol' CD-ROM
+ (comment "Bob's sister"))
+@end lisp
+
@end defvr
@deftp {Data Type} seatd-configuration
@@ -23163,7 +23179,7 @@ The seatd package to use.
@item @code{user} (default: @samp{"root"})
User to own the seatd socket.
-@item @code{group} (default: @samp{"users"})
+@item @code{group} (default: @samp{"seat"})
Group to own the seatd socket.
@item @code{socket} (default: @samp{"/run/seatd.sock"})
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 29a3722f1b..0d7cd71732 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2020 Reza Alizadeh Majd <r.majd@pantherx.org>
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
-;;; Copyright © 2021 muradm <mail@muradm.net>
+;;; Copyright © 2021, 2022 muradm <mail@muradm.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -1646,7 +1646,7 @@ (define-record-type* <seatd-configuration> seatd-configuration
seatd-configuration?
(seatd seatd-package (default seatd))
(user seatd-user (default "root"))
- (group seatd-group (default "users"))
+ (group seatd-group (default "seat"))
(socket seatd-socket (default "/run/seatd.sock"))
(logfile seatd-logfile (default "/var/log/seatd.log"))
(loglevel seatd-loglevel (default "info")))
@@ -1670,6 +1670,9 @@ (define (seatd-shepherd-service config)
#:log-file #$(seatd-logfile config)))
(stop #~(make-kill-destructor)))))
+(define %seatd-accounts
+ (list (user-group (name "seat") (system? #t))))
+
(define seatd-environment
(match-lambda
(($ <seatd-configuration> _ _ _ socket)
@@ -1683,6 +1686,7 @@ (define seatd-service-type
applications needing access to be root.")
(extensions
(list
+ (service-extension account-service-type (const %seatd-accounts))
(service-extension session-environment-service-type seatd-environment)
;; TODO: once cgroups is separate dependency we should not mount it here
;; for now it is mounted here, because elogind mounts it
--
2.36.1
(
CLO115738RZH.2Q7DHDC619VG6@guix-aspire
Because patches with replies are more likely to be visible: LGTM :)

-- (
L
L
Liliana Marie Prikler wrote on 4 Aug 2022 13:08
Re: greeter user permissions are not enough to talk with seatd
(address . control@debbugs.gnu.org)
b5687a1a3eebc0cce2564634bc4e191cf7abd931.camel@ist.tugraz.at
block 56971 by 56690 56699
thanks

Hi muradm,

Am Donnerstag, dem 04.08.2022 um 12:45 +0300 schrieb muradm:
Toggle quote (9 lines)
> [...] greeter (e.g. gtkgreet) requiring communication
> with seatd is failing to start, causing "black screen"
> behavior on active terminal (switching to the other non seatd
> related terminal is possible, for manual permissions
> adjustment as workaround).
>
> To address this issue, we need more flexible control over
> seatd user/group, which creates seatd.sock, and greeter user
> which connects to seatd.sock.
Okay.

Toggle quote (2 lines)
> However, not all greeters require that, so I decided to make
> more flexible.
Flexibility for its own sake is not always the right solution. On the
other hand, looking at the two patches, it appears they are to be used
in combination?

Toggle quote (7 lines)
> Propsed solutions consists of:
>
> * 56690 - gnu: seatd-service-type: Should use seat group.
> With this change, if seatd-service-type is present in the
> system configuration, "seat" group will be added, and seatd
> will run as root/seat. Group is configurable, but default is
> "seat".
Why just the group and no user? Is it not possible to launch seatd as
non-root?

Toggle quote (5 lines)
> * 56699 - gnu: greetd-service-type: Add greeter-extra-groups
>   config field.
> With this change, if user wants to use seatd-service-type with
> greeter requiring seatd.sock, he can add "seat" group to
> greeter-extra-groups field.
Note that you still have a TODO on that patch.

Cheers
L
L
Liliana Marie Prikler wrote on 5 Aug 2022 10:10
Re: [PATCH] gnu: seatd-service-type: Should use seat group.
79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at
Am Freitag, dem 22.07.2022 um 07:27 +0300 schrieb muradm:
Toggle quote (6 lines)
> * gnu/services/desktop.scm (seatd-service-type): Uses "seat" group.
> [extensions]: Added account-service-type with %seatd-accounts.
> (%seatd-accounts): List with "seat" group.
> (<seatd-configuration>): [group] Change default value to "seat".
> * doc/guix.texi: Mention that users may need to become members of
> "seat" group and update default value for group field.
Note, that your current patch adds a little asymmetry. Even if you
configure seatd to use a group different from seat, a (now useless)
seat group will be created.

There are (at least) two possible fixes for this:
1. Disable configuration for the group altogether, marking the field as
deprecated.
2. Change the field into one that accepts a group. Also sanitize the
field so that if a string such as "seat" is provided, it is turned into
a group. Then make seatd-accounts return this group.

Cheers
L
L
Ludovic Courtès wrote on 6 Aug 2022 22:46
Re: bug#56690: [PATCH] gnu: seatd-service-type: Should use seat group.
(name . muradm)(address . mail@muradm.net)(address . 56690@debbugs.gnu.org)
87czdddrra.fsf@gnu.org
Hi,

muradm <mail@muradm.net> skribis:

Toggle quote (7 lines)
> * gnu/services/desktop.scm (seatd-service-type): Uses "seat" group.
> [extensions]: Added account-service-type with %seatd-accounts.
> (%seatd-accounts): List with "seat" group.
> (<seatd-configuration>): [group] Change default value to "seat".
> * doc/guix.texi: Mention that users may need to become members of
> "seat" group and update default value for group field.

I guess I’m missing some context: is this fixing a bug currently
present? (Apologies if this has been discussed elsewhere!)

Toggle quote (2 lines)
> +Users which are going to interact with @code{seatd} daemon while logged in

s/which/who/

Toggle quote (13 lines)
> +should be added to @code{seat} group. For instance:
> +
> +@lisp
> +(user-account
> + (name "alice")
> + (group "users")
> + (supplementary-groups '("wheel" ;allow use of sudo, etc.
> + "seat" ;interact with seatd
> + "audio" ;sound card
> + "video" ;video devices such as webcams
> + "cdrom")) ;the good ol' CD-ROM
> + (comment "Bob's sister"))

The problem I see with this extra doc is that even I wouldn’t know how
to tell whether I’m going to “interact with seatd”. Fundamentally it’s
not something I really care about. :-)

How could we improve on this? Like, if this is important, should it be
the default?

Thanks,
Ludo’.
(
Re: [bug#56690] [PATCH] gnu: seatd-service-type: Should use seat group.
(address . 56690@debbugs.gnu.org)
CLZ8QMN65YQ3.2YI4TMHBJ5MB9@guix-aspire
On Sat Aug 6, 2022 at 9:46 PM BST, Ludovic Courtès wrote:
Toggle quote (3 lines)
> I guess I’m missing some context: is this fixing a bug currently
> present? (Apologies if this has been discussed elsewhere!)

This is one of two patches that fix a problem where any greetd greeter
more complex than agreety hangs on boot, basically rendering greetd
useless. I think the underlying cause is their being unable to connect
to seatd.sock?

At least, that's the symptom I know about. I'm not sure whether there
are others.

-- (
M
M
muradm wrote on 7 Aug 2022 19:28
Re: bug#56690: [PATCH] gnu: seatd-service-type: Should use seat group.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 56690@debbugs.gnu.org)
87les00x51.fsf@muradm.net
Hi,

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (18 lines)
> Hi,
>
> muradm <mail@muradm.net> skribis:
>
>> * gnu/services/desktop.scm (seatd-service-type): Uses "seat"
>> group.
>> [extensions]: Added account-service-type with %seatd-accounts.
>> (%seatd-accounts): List with "seat" group.
>> (<seatd-configuration>): [group] Change default value to
>> "seat".
>> * doc/guix.texi: Mention that users may need to become members
>> of
>> "seat" group and update default value for group field.
>
> I guess I’m missing some context: is this fixing a bug currently
> present? (Apologies if this has been discussed elsewhere!)
>

Not really a bug, but misconfiguration i suppose. Started here
with
commit about month or two ago:


Basically, with original configuration, greeter was in the wheel
group
which allowed it to communicate with seatd over /run/seatd.sock.

Toggle quote (6 lines)
>> +Users which are going to interact with @code{seatd} daemon
>> while logged in
>
> s/which/who/
>

With above fix, wheel and other groups were removed. While it was
not
affecting default greeter agretty, some people including me, use
graphical greeter gtkgreet or others based on sway. Then sway with
greeter started by greetd needs to communicate with seatd. Due to
the fact of missing permission, greeter just dies with blank
screen.

So "users which are going to interact" basically users who want
to run sway, or anything else requiring libseat based seat
management
present.

Toggle quote (25 lines)
>> +should be added to @code{seat} group. For instance:
>> +
>> +@lisp
>> +(user-account
>> + (name "alice")
>> + (group "users")
>> + (supplementary-groups '("wheel" ;allow use of sudo, etc.
>> + "seat" ;interact with seatd
>> + "audio" ;sound card
>> + "video" ;video devices such as
>> webcams
>> + "cdrom")) ;the good ol' CD-ROM
>> + (comment "Bob's sister"))
>
> The problem I see with this extra doc is that even I wouldn’t
> know how
> to tell whether I’m going to “interact with seatd”.
> Fundamentally it’s
> not something I really care about. :-)
>
> How could we improve on this? Like, if this is important,
> should it be
> the default?
>

Two options, a) users who want greetd/seatd setup normally
advanced
users wishing to get away from systemd/logind/dbus world, so they
probably was to be aware of what is going on; b) copy a piece of
documentation from seatd, explaining seatd.sock maybe. Other than
that I could ask the same question about video, audio etc. groups
:)

Toggle quote (2 lines)
> Thanks,
> Ludo’.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESPY5lma9A9l5HGLP6M7O0mLOBeIFAmLv+ToACgkQ6M7O0mLO
BeKg1BAAlL9PDuhHMyFYW+BzphnqLFw03WLV4lcFJZ9DFVHNOecGvS/O3xpDWBPi
v9l12weJsyfSpKEEmyER2uZGPaHZ/UTvCN6nhB2vrUvSMlIAipnIOVavWzTXq0AW
ZgWzKlCFAa6lcHg+WLkmgv3dTb9LKb66pYPsLonS8FvZ3lSxGCaRH1Z5m2xer4wR
iXjld7nrN3h8WG+iD6nqBk3Lm1Yjd17j/ewuamTuYnyr6oqZilVeIPxCUCd3+u3N
lg9fXzn6LGFO8oNVpgz5sZDDYkSimZ7Ao593gJYmCi/o6fJsqYxmdkUYIEnVxtTA
ArmIjyMRHRgwqG8LKfPmUKNoA0g2QhYjwr/eD9QcGS/X7klSGRwjTUR7H97vKxSE
txNTe1R8XtxhI3FKGGkKscUkKBe0brAm/tE2zaJDAo+9Dvcy20zTOw6wvZzh8ap+
NMoIz+EgqNcXDPkpqKFUAM0ZYeFsN9rGnwP6lpixML5yo1QjLaIJwviq5Y63XvgD
M7Qbt9EjSflA1bZ7F8yIckl70oSfOZjcFYHtWxgqc7bJKxMMG+KPUDGz8tZqCxX4
Dd0rn8LjAyPOsv+DBnEreIEZXYPbeR10cNEnMHKZ4nY9pmmqH2kma4Jbft8nEn/n
yiIWfNIYo622/Ikp3f7BEztiOgcKTir1hCX/MU3a00A5tjUjA3Y=
=fs8Z
-----END PGP SIGNATURE-----

M
M
muradm wrote on 7 Aug 2022 22:05
Re: [bug#56690] [PATCH] gnu: seatd-service-type: Should use seat group.
87h72n24ra.fsf@muradm.net
here is updated patch:
- group is now correctly configurable
- dropped user field as it is mostlikely pointless
- group is created if necessary
- documentation updated adding mentioning of seatd.sock
permissions
- adding test case for seatd.sock ownership

thanks in advance,
muradm
muradm <mail@muradm.net> writes:

Toggle quote (99 lines)
> [[PGP Signed Part:Undecided]]
>
> Hi,
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hi,
>>
>> muradm <mail@muradm.net> skribis:
>>
>>> * gnu/services/desktop.scm (seatd-service-type): Uses "seat"
>>> group.
>>> [extensions]: Added account-service-type with %seatd-accounts.
>>> (%seatd-accounts): List with "seat" group.
>>> (<seatd-configuration>): [group] Change default value to
>>> "seat".
>>> * doc/guix.texi: Mention that users may need to become members
>>> of
>>> "seat" group and update default value for group field.
>>
>> I guess I’m missing some context: is this fixing a bug
>> currently
>> present? (Apologies if this has been discussed elsewhere!)
>>
>
> Not really a bug, but misconfiguration i suppose. Started here
> with
> commit about month or two ago:
>
> https://lists.gnu.org/archive/html/guix-devel/2022-08/msg00021.html
>
> Basically, with original configuration, greeter was in the wheel
> group
> which allowed it to communicate with seatd over /run/seatd.sock.
>
>>> +Users which are going to interact with @code{seatd} daemon
>>> while
>>> logged in
>>
>> s/which/who/
>>
>
> With above fix, wheel and other groups were removed. While it
> was not
> affecting default greeter agretty, some people including me, use
> graphical greeter gtkgreet or others based on sway. Then sway
> with
> greeter started by greetd needs to communicate with seatd. Due
> to
> the fact of missing permission, greeter just dies with blank
> screen.
>
> So "users which are going to interact" basically users who want
> to run sway, or anything else requiring libseat based seat
> management
> present.
>
>>> +should be added to @code{seat} group. For instance:
>>> +
>>> +@lisp
>>> +(user-account
>>> + (name "alice")
>>> + (group "users")
>>> + (supplementary-groups '("wheel" ;allow use of sudo, etc.
>>> + "seat" ;interact with seatd
>>> + "audio" ;sound card
>>> + "video" ;video devices such as
>>> webcams
>>> + "cdrom")) ;the good ol' CD-ROM
>>> + (comment "Bob's sister"))
>>
>> The problem I see with this extra doc is that even I wouldn’t
>> know
>> how
>> to tell whether I’m going to “interact with seatd”.
>> Fundamentally
>> it’s
>> not something I really care about. :-)
>>
>> How could we improve on this? Like, if this is important,
>> should it
>> be
>> the default?
>>
>
> Two options, a) users who want greetd/seatd setup normally
> advanced
> users wishing to get away from systemd/logind/dbus world, so
> they
> probably was to be aware of what is going on; b) copy a piece of
> documentation from seatd, explaining seatd.sock maybe. Other
> than
> that I could ask the same question about video, audio etc.
> groups :)
>
>> Thanks,
>> Ludo’.
>
> [[End of PGP Signed Part]]
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESPY5lma9A9l5HGLP6M7O0mLOBeIFAmLwHGoACgkQ6M7O0mLO
BeJmkA//QE3H6J3iQedDyLmu1cFBisH2s7NsibCTAG1LGwlm1GE0zs8oUfx+mpWv
PW/O3X7pYFD4LAHTj5Es2G2pyISSYEmGczLDwe7yJARb0cuHqGkudHWOo5fmktxr
mtiMSzvX1OdwqX92ONEIQ3rhahk88i6xBRzEPIg4S4Ojt1PpHuqn+56JGdFAksYh
7/CkPSXW3aUmdkjSqQu+XCqfiCzGWPo9Pd+lBf9lR1DeDB9SsL13oGBVWw+9u9qz
XBSidObdXiQgpMSlPbenuWXPc6dbPoYMDAC+6ZxO4WQMny+Raxb+F91gOjYsndB0
ECBsur9g3nnMK/lvl4uKtlsdYph84yhqGEER2wN/ESGB4CpfF0eLML4F1qmbzGI/
ZKnpXkJA2hapfwCoKMXMLQz2cEC3gvC3v5KyBQlFbug8i7pZYO36ak6H+2pgwTlT
Hw4P0FyX/fwEXDi99ADMivWbGK4ZuUnLOdhSCDZNHCU+6iBJOuym2AB2QPl7D100
OgewKR+RE7LQWAdLS+SSjXEuvhTwxmp6xcbtHGAmrEg5hn20LQhRrwGEmWC0Zbw9
Cm3qOTTVnwXlZ57Y0GKhJkv/ZGi8qWXLS7D5b9NSXoJ9RdVcXFo1ymv4Ye0xY6FK
xD7dnDfIHTJQYmfFKPgfypjfzyB5yTyTTqyf133H3E0yfrrQ86o=
=IxW/
-----END PGP SIGNATURE-----

M
M
muradm wrote on 7 Aug 2022 22:45
Re: [PATCH] gnu: seatd-service-type: Should use seat group.
(name . Liliana Marie Prikler)(address . liliana.prikler@ist.tugraz.at)(address . 56690@debbugs.gnu.org)
87czdb235b.fsf@muradm.net
Fixed in v2.

Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> writes:

Toggle quote (27 lines)
> Am Freitag, dem 22.07.2022 um 07:27 +0300 schrieb muradm:
>> * gnu/services/desktop.scm (seatd-service-type): Uses "seat"
>> group.
>> [extensions]: Added account-service-type with %seatd-accounts.
>> (%seatd-accounts): List with "seat" group.
>> (<seatd-configuration>): [group] Change default value to
>> "seat".
>> * doc/guix.texi: Mention that users may need to become members
>> of
>> "seat" group and update default value for group field.
> Note, that your current patch adds a little asymmetry. Even if
> you
> configure seatd to use a group different from seat, a (now
> useless)
> seat group will be created.
>
> There are (at least) two possible fixes for this:
> 1. Disable configuration for the group altogether, marking the
> field as
> deprecated.
> 2. Change the field into one that accepts a group. Also
> sanitize the
> field so that if a string such as "seat" is provided, it is
> turned into
> a group. Then make seatd-accounts return this group.
>
> Cheers
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESPY5lma9A9l5HGLP6M7O0mLOBeIFAmLwJJAACgkQ6M7O0mLO
BeIwyw//buYL8ENOMcvP+iDJLDx3JM7DsDoof4vTp75sLo4KLQoEQaCkqHlWyrxQ
D6UcbU/DMo0JhhbhewsNF8srfLWl6My09Njrp5zYUQA+7Eg4eukT8sanXJK1w2I/
jJKuDaPGqkbIhU7WvkEWb0nraX3L9H4tL7BSIbvJn1P0z/p4zDeYBEtBfwy3rrLa
YPurTpDWtvDshDcrMijSf4JICum2D5GmzacRbcDf20xIwE/NS21sAh48To47du8t
ybShWp9RGVMQNYYyTZoNdIxhNN5cy5RI0Cstex8Vt5Qwk5ekh1XBVbcgjpTzD5jz
JCjzy6metQTSpfJ80Ae+PkL5ie8elRRUW9LfdC+zPGOqr1eUxwr8RleurWOwYnXR
aWub70QiMTCZfKiKKX/azg4ijBiFGqcDcOexGQBxj4ngtwijSe3r4Mb/TFf4r5kE
fMNN8FWIHUcahEjDXifPclZF+A5UxvqMxYqHFj+UbgK2zB/mj5zT4idAW0F32ALG
kyILa42yEQmhZfUQjvccwmX6BqTQXvCGCCU94ifCginRVj5+LStoN6bg8mNHgsZc
Fxv7ES4uT2xmEXQ+CDJvGb1SNIrf56/rVgryCfJc6EdlzL/65SFBQyRZdBQHdxFw
k5s97YVOJ48MG+sEVVy1HtmP3B8H/JRoY2vlTqs5rnGP0CafjMg=
=GnVR
-----END PGP SIGNATURE-----

L
L
Liliana Marie Prikler wrote on 8 Aug 2022 08:08
Re: [bug#56690] [PATCH] gnu: seatd-service-type: Should use seat group.
55a3a3bf118f364b70cbd74d214998955d81eaa9.camel@ist.tugraz.at
Am Sonntag, dem 07.08.2022 um 23:05 +0300 schrieb muradm:

Toggle quote (5 lines)
> * gnu/services/desktop.scm (seatd-service-type): Uses "seat" group.
> [extensions]: Added account-service-type with seatd-accounts.
> (seatd-accounts): Conditionally produces list with "seat" group.
> (<seatd-configuration>):
> [user] Drop user field, since it is not going to be used.
Removed field.
Toggle quote (3 lines)
> [group] Change default value to "seat".
> [existing-group?] Add field which controls if group should be
> created or not.
Would be Added field, but see below.
Toggle quote (6 lines)
> * doc/guix.texi: Mention that users may need to become members of
> "seat" group and update default value for group field. Add
> explanation on seatd.sock file. Remove dropped user field.

> +When seat mamanagement is provided by @code{seatd}, users that
> acquire
management.
Toggle quote (4 lines)
> +resources provided by @code{seatd} should have permissions to access
> +its UNIX domain socket. By default, @code{seatd-service-type}
> provides
> +``seat'' group. And user should become its member.
Which user? Closely related, who acquires resources provided by
@code{seatd}? Just the greeter? A regular user logging in?
What access level is needed/provided? Read access? Write access?


Toggle quote (2 lines)
> + (group seatd-group (default "seat"))
> + (existing-group? seatd-existing-group? (default #f))
AFAIK this is not necessary. accounts-service-type can handle multiple
eq? groups, so as long as you're careful with what you put into group,
you shouldn't get an error.

Cheers
L
L
Ludovic Courtès wrote on 8 Aug 2022 10:58
(name . ()(address . paren@disroot.org)
87sfm7az76.fsf@gnu.org
Hi,

"(" <paren@disroot.org> skribis:

Toggle quote (12 lines)
> On Sat Aug 6, 2022 at 9:46 PM BST, Ludovic Courtès wrote:
>> I guess I’m missing some context: is this fixing a bug currently
>> present? (Apologies if this has been discussed elsewhere!)
>
> This is one of two patches that fix a problem where any greetd greeter
> more complex than agreety hangs on boot, basically rendering greetd
> useless. I think the underlying cause is their being unable to connect
> to seatd.sock?
>
> At least, that's the symptom I know about. I'm not sure whether there
> are others.

Is there a bug report, and do we have system tests for this
functionality?

I admit I know little about greetd and cases where it might be used.
Having system tests for that would help make sure the relevant
functionality works.

Thanks,
Ludo’.
(
(name . Ludovic Courtès)(address . ludo@gnu.org)
CM0J5LA0SDT1.29QEUPBP5V7JK@guix-aspire
On Mon Aug 8, 2022 at 9:58 AM BST, Ludovic Courtès wrote:
Toggle quote (3 lines)
> Is there a bug report, and do we have system tests for this
> functionality?

I don't believe there are system tests for greetd, no. There is
a bug report, though: https://issues.guix.gnu.org/56971.

Toggle quote (2 lines)
> I admit I know little about greetd and cases where it might be used.

As I understand it, greetd is a daemon that handles the sensitive parts
of display managers, which it calls 'greeters'. It allows you to write a
login program without having to write those difficult and sensitive parts
by simply writing a GUI that sends JSON messages to the socket when it
gets input.

So the problem is some greeters try to talk to seatd, but since they
don't have the right permissions, they bail out.

-- (
M
M
muradm wrote on 8 Aug 2022 20:50
(name . Liliana Marie Prikler)(address . liliana.prikler@ist.tugraz.at)
87mtcezhty.fsf@muradm.net
Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> writes:

Toggle quote (10 lines)
> Am Sonntag, dem 07.08.2022 um 23:05 +0300 schrieb muradm:
>
>> * gnu/services/desktop.scm (seatd-service-type): Uses "seat"
>> group.
>> [extensions]: Added account-service-type with seatd-accounts.
>> (seatd-accounts): Conditionally produces list with "seat"
>> group.
>> (<seatd-configuration>):
>> [user] Drop user field, since it is not going to be used.
> Removed field.
done

Toggle quote (4 lines)
>> [group] Change default value to "seat".
>> [existing-group?] Add field which controls if group should be
>> created or not.
> Would be Added field, but see below.
obsolete

Toggle quote (8 lines)
>> * doc/guix.texi: Mention that users may need to become members
>> of
>> "seat" group and update default value for group field. Add
>> explanation on seatd.sock file. Remove dropped user field.
>
>> +When seat mamanagement is provided by @code{seatd}, users that
>> acquire
> management.
done

Toggle quote (9 lines)
>> +resources provided by @code{seatd} should have permissions to
>> access
>> +its UNIX domain socket. By default, @code{seatd-service-type}
>> provides
>> +``seat'' group. And user should become its member.
> Which user? Closely related, who acquires resources provided by
> @code{seatd}? Just the greeter? A regular user logging in?
> What access level is needed/provided? Read access? Write
> access?
While I understand what you are saying, for me user is fine, and I
can't come up with better description, as my eyes too blurred on
this subject. Anyway for now I specified it as "libseat user".

Toggle quote (7 lines)
>> + (group seatd-group (default "seat"))
>> + (existing-group? seatd-existing-group? (default #f))
> AFAIK this is not necessary. accounts-service-type can handle
> multiple
> eq? groups, so as long as you're careful with what you put into
> group,
> you shouldn't get an error.
ok field removed

Toggle quote (1 lines)
> Cheers
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESPY5lma9A9l5HGLP6M7O0mLOBeIFAmLxW/kACgkQ6M7O0mLO
BeKKhxAA2g/jQGP0g6ZNMVS7IrCkcjy4rC28GaxL3z5ArkNkSVZBzmvjgTbar9vh
XLnd7wdP8MNC5wDbMGpXG/fbJhD7BMf1UKNrxnzDuXPwSf/1LQrWMd7JG+rOlNuJ
rMfV2OcHJPklUnJcsJ8ARCXOycETCID/onPpPiAWrjTEE1j3cC0bjn3oxW+weXko
DTl+lopWCL4zAc/izR29HgtaCP9nRnV2NXm/xX1RFzV+Wz/Xucla4HbNynbiH3HF
7h0iYuvsfBG2knTD05XVHTXHmZAYqRXei0sBL0IgDPiH85rNz6+TWUw4MfRsOtqh
8me1d3TAbd77k0PeIDQcO1vWaJ3Y8OfMKL+Ir59685ZvAHbyjN9hPp6t99+AMzq6
N9fXQ3rMl/80E+B+zEskLTgQqtpw1uv/37eseqEPyzSdK3gUsnLAjl1qsYel3ZBo
ONNEKRaRUq0i5BVlVrdNrfv6j5As/It8DK1U7g4qDi65oTZLjpZXyg87Ld3j5leg
ZhQZoEDV5GFzkNp5SZZk/IOmbV4AIgdELcSAfGBmUOxlImxhDqyS+AiXxlLtfVyp
0aWeHRCzt11GRaATVW+/3LzJpfC7U4cY9/XTkKlCceCXwy+iZKjIMfLPR4r2sVNO
udQMfNm7HPbu/fiFOWDb6GbcZJBMIMlFHgSMFQKLPH8FCYPaLC0=
=xTDN
-----END PGP SIGNATURE-----

M
M
muradm wrote on 8 Aug 2022 20:55
(name . Ludovic Courtès)(address . ludo@gnu.org)
87iln2zhh2.fsf@muradm.net
Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (23 lines)
> Hi,
>
> "(" <paren@disroot.org> skribis:
>
>> On Sat Aug 6, 2022 at 9:46 PM BST, Ludovic Courtès wrote:
>>> I guess I’m missing some context: is this fixing a bug
>>> currently
>>> present? (Apologies if this has been discussed elsewhere!)
>>
>> This is one of two patches that fix a problem where any greetd
>> greeter
>> more complex than agreety hangs on boot, basically rendering
>> greetd
>> useless. I think the underlying cause is their being unable to
>> connect
>> to seatd.sock?
>>
>> At least, that's the symptom I know about. I'm not sure whether
>> there
>> are others.
>
> Is there a bug report, and do we have system tests for this
> functionality?
Problem started with conversation on guix-devel, and related
commit.
Last message of thread:

I was travelling and missed that change, when I
"guix pull && guix system reconfigure"ed at home and realized the
problem, I submitted fixes in the form of two patches 56690 and
56699.

Then I was asked to open a bug report in guix-devel list, which
is:

Toggle quote (5 lines)
>
> I admit I know little about greetd and cases where it might be
> used.
> Having system tests for that would help make sure the relevant
> functionality works.
There is:

make check-system TESTS="minimal-desktop"

Patches in 56690 and 56699 now include the tests for this case as
well.

Toggle quote (3 lines)
>
> Thanks,
> Ludo’.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESPY5lma9A9l5HGLP6M7O0mLOBeIFAmLxXckACgkQ6M7O0mLO
BeJisBAAxVchoPicRIzt+tQsWTIO1ztbUrD+C15ERnTQDy9ijV8j7a3fxuAJVpul
77m0qaPXkFopaLV/Pn8SfMQMxTZZGLJTawo/j7xcZx55FRKxcX+/yrSkb/sjMcIZ
wLej/tQ+F1zVGb66GKXOF6LSeP2iXMEbFXKU24GrfhepRPu8qqIsgvn2diJ9KMay
HwMU5G1NbwkcBR9cXPbbI6h0fQcRGb/SFnhsMMxntuPXVOeT3vpcjRF5uhg0IQVE
X6uKN+peZUw4rKlvL4RYoqw1jjzwrYokERaujPzv4TDuNd+PmwjQTHc6Pt1jH+95
ekrQIroEsysThgXQ98YAW9HJ7r9XVh3T70hwb5XeqzexC+jkHOarrFwVoscsUB07
CyHSoBmAaZ6R3MfhWkSz1yq1wrJqkiedrGqkvGlBPu44IMDX8Bfgk+U2K7e4BWUn
hNdEUz7PTeAdq9eWfFZa5y9yPyb6SBn8RpnGsx0UvX0qvA+GuU9hksz2QycLEHgh
vMcUo9rmciyFogNJAga9jMDZ5MYgxLSGqcjBbjlT3iKQjfp2m0eGr5l9juNot9tW
T521vtq2/q2fDdqOHQuSZSsxTnik1IOFnTRQSiPb/0TklKqhDCbYta04rY+UG2cg
wk+KJGyuUJ+n9p02pNVf18X9SK7S3ILMMbiLULYfWl9+ypqiEag=
=22gz
-----END PGP SIGNATURE-----

M
M
muradm wrote on 8 Aug 2022 21:44
(name . ()(address . paren@disroot.org)
87a68ezfa4.fsf@muradm.net
"(" <paren@disroot.org> writes:

Toggle quote (19 lines)
> On Mon Aug 8, 2022 at 9:58 AM BST, Ludovic Courtès wrote:
>> Is there a bug report, and do we have system tests for this
>> functionality?
>
> I don't believe there are system tests for greetd, no. There is
> a bug report, though: <https://issues.guix.gnu.org/56971>.
>
>> I admit I know little about greetd and cases where it might be
>> used.
>
> As I understand it, greetd is a daemon that handles the
> sensitive parts
> of display managers, which it calls 'greeters'. It allows you to
> write a
> login program without having to write those difficult and
> sensitive parts
> by simply writing a GUI that sends JSON messages to the socket
> when it
> gets input.
For greetd/greeter this is fine explanation.

Toggle quote (3 lines)
> So the problem is some greeters try to talk to seatd, but since
> they
> don't have the right permissions, they bail out.
To be more correct here, greeter that requires both talking to
greetd
and talking to seatd via libseat. Suppose gtkgreet which is
running
with sway. So greetd will start greeter which is
"sway -c config-which-starts-gtkgreet.conf". Now you have two
processes
in the scope of greeter, one is sway which has to talk to swatd
via
libseat and the other is gtkgreet which is going to talk with
greetd.

The one who bails out is sway here due to lack of permissions for
seatd.sock for talking to seatd via libseat.

Toggle quote (2 lines)
>
> -- (
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESPY5lma9A9l5HGLP6M7O0mLOBeIFAmLxaOMACgkQ6M7O0mLO
BeK4Lg//Rz4oTQ01j4iaHGnganLNuywDRt9uvtVf0hol9/ZGv1fkDlyVBne20K0E
/YNHfEReGBm7RVbVQzXiyb2++xtUZba0UgbYRTMj5IxTDWnKWxznhkDEbkcpuqG4
Q5Z/NClDLOMjZAIFsP43tgdYkAU9f4K9RAOiQ+9W5ZWi0y/+8P5wlVwu3WmAsirS
ZEpGRaFp4qV/fg5l1+NlmItjVe2ud9hl/FIJJeqt9SmmFPQQ/IFORR8sZpCdAZtx
gkVcp+zG6kqQDhIfqIvSif0tsTxISXoDGxBk2XLVAgTNVNbhZA2bdJmF/DWFOdLw
z7lh7lk1UpUtOidSDLbAzmxnfxPKCeEk59tiO1RT2SuLM/2YXHXhRQ4p4+pM4Pux
AMtkZNvzJawCNzUfsB5dmnr4fTTfndqSErcZ9t+5a7kcGHgFQImW4IHlXYC82Qs0
HPy6ZvqSZ4qDKL/+sWkylh/3yHsmakppKipLa1qkDrOk42GEb9CA1uSPzey9pWc+
lWHc4a7ZyMBkpjdqjir96ylJphcUTc7weL+yOWq4RfrrX+cWZt9T3p3uRIqR3LrO
IUVUw1+4YWPSd3nC6AfhWMRQoKgRI2dUR5FasfiYBhPBJpqc4ASir+LkX6AoTA13
77KIC9YDJDRBCAGanU1s52kE7BrQexsw73KBrmRMBEgwfd20aGg=
=bMO9
-----END PGP SIGNATURE-----

L
L
Liliana Marie Prikler wrote on 9 Aug 2022 08:57
(name . muradm)(address . mail@muradm.net)
063eee23b1ff1b0f288d5e465aa5bac1862c9bb8.camel@ist.tugraz.at
Am Montag, dem 08.08.2022 um 21:50 +0300 schrieb muradm:
Toggle quote (7 lines)
> > Which user?  Closely related, who acquires resources provided by
> > @code{seatd}?  Just the greeter?  A regular user logging in?
> > What access level is needed/provided?  Read access?  Write
> > access?
> While I understand what you are saying, for me user is fine, and I
> can't come up with better description, as my eyes too blurred on
> this subject. Anyway for now I specified it as "libseat user".
I don't think this really aids us here – it instead lets us ask who is
a "libseat user". Perhaps you want to specify "login managers" like
greetd or gdm/sddm/etc. explicitly here? Also, (when) do regular users
have to be in the seat group?

Toggle quote (6 lines)
> > > +  (group seatd-group (default "seat"))
> > > +  (existing-group? seatd-existing-group? (default #f))
> > AFAIK this is not necessary.  accounts-service-type can handle
> > multiple eq? groups, so as long as you're careful with what you put
> > into group, you shouldn't get an error.
> ok field removed
Note ‘eq?’ groups here. In other words, you should be able to take a
group (not just a group name) for the group field, sanitize the field
so that it will always be a group, and then use that group in seatd-
accounts (see the second option mentioned in
<79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at>). If
for instance instead of seat, you wanted the video group, you would
have to take the one from %base-groups, rather than creating a new one.

Cheers
M
M
muradm wrote on 9 Aug 2022 21:47
(name . Liliana Marie Prikler)(address . liliana.prikler@ist.tugraz.at)
87y1vxxjrt.fsf@muradm.net
Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> writes:

Toggle quote (18 lines)
> Am Montag, dem 08.08.2022 um 21:50 +0300 schrieb muradm:
>> > Which user?  Closely related, who acquires resources provided
>> > by
>> > @code{seatd}?  Just the greeter?  A regular user logging in?
>> > What access level is needed/provided?  Read access?  Write
>> > access?
>> While I understand what you are saying, for me user is fine,
>> and I
>> can't come up with better description, as my eyes too blurred
>> on
>> this subject. Anyway for now I specified it as "libseat user".
> I don't think this really aids us here – it instead lets us ask
> who is
> a "libseat user". Perhaps you want to specify "login managers"
> like
> greetd or gdm/sddm/etc. explicitly here? Also, (when) do
> regular users
> have to be in the seat group?
There is no such specification as login manager or what ever. User
is
any one/thing acquiring resources via seat management. It is
perfectly
fine to run mingetty, login into bash and from command line start
sway
that will use libseat to acquire video for instance. Who is user
here?

There is also no display manager as it was before. Please see my
explanation to unmatched-paren:
What is sway in this usecase, it is not a user (like you or me),
it is not a display manager (as gdm, sddm etc.). It is just
application requiring video card (not only) resource, which
it instead of having exclusive root access, uses libseat to
acquire it in "seat managy" way. And greetd does/should not
care about seatd/libseat until it is not required to acquire
resources in "seat managy" way. Instead it is a greeter which
is totatly customizable, could be even a bash script or small
suckless-like application or else.

This is the point of seatd I suppose, to do one thing only
without enforcing on who should do what.

Thus, none of your proposals are suitable, and I can't come up
with something better than "seat management user" or "libseat
user". However in my opinion, the one who commits into such
setup, should be aware of what is seatd libseat and how, why to
interact with it.

Toggle quote (21 lines)
>> > > +  (group seatd-group (default "seat"))
>> > > +  (existing-group? seatd-existing-group? (default #f))
>> > AFAIK this is not necessary.  accounts-service-type can
>> > handle
>> > multiple eq? groups, so as long as you're careful with what
>> > you put
>> > into group, you shouldn't get an error.
>> ok field removed
> Note ‘eq?’ groups here. In other words, you should be able to
> take a
> group (not just a group name) for the group field, sanitize the
> field
> so that it will always be a group, and then use that group in
> seatd-
> accounts (see the second option mentioned in
> <79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at>).
> If
> for instance instead of seat, you wanted the video group, you
> would
> have to take the one from %base-groups, rather than creating a
> new one.
Sorry, but I'm not so proficient in english as you. I can only
speculate on what is written here. And that reference does not
say anything to me, even duck duck go gives single result, it is
your message. Could you please be more specific here, and/or
provide more useful hyperlink style references. Thanks in advance.

Toggle quote (1 lines)
> Cheers
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESPY5lma9A9l5HGLP6M7O0mLOBeIFAmLyvqcACgkQ6M7O0mLO
BeJ33g//Y3p0ZZS5LeyPn/fYrNpYGcWSTHDNLE62062nTAagyfHTsF9fLUeh+F82
9oBhWMQ0KZKCwJaPpPP8UrG+Rx1PRMOFsHBtP4x0ynO8TsFy4BH9Aq54oPpIZqdT
XSpiLZg2g2EN+G6qOpxP57sdtm5mTMkEA6+0NOLPQnHLMP5Jq8bjTTqeFcuyWeg7
n4HG1twfWGGlE65oWgWysWGUCIcU2ihclCibvaL+Ro2e6kKMVRsDiCNSGn/RHcRK
l3ewd67f+Jlwc62HNyC71tQojdkTM2zODhBl6+XlM0DcklVMcxtpMrIMhWa5KT/3
Rq8gB06RiiFMJJebB2f/deqNYNxwS272sa4tgq5wE9j+Vtkdjj1U2sLJMvXri8da
hGkHjEcN1eBrM8lOBAS1juxESuM2EE7rZ+2SVZF2TemlxIRt3R8kzkfjs/A9+Ep3
LFGB1UKsZcozMoeCT3a4qk/O3XluooTH/+/cEX2vVqyU5mavzCKD1YfjyFWkWJfn
K2EHRk2G9f41qpVddcQRGcbHUqjwUyTCaaMp8sXRUbYUQlPyvGM5BFQskk6ceXzm
UygW+Q4sdtfEXhgDCuEYTbu1GdWXZKuMjvFq3cATGHqvIMpWMZmCCfKIZ+xJMCO3
UwtsLnFxURrxZjsfljQhCGLviKQy+bZr5VNZHqJNd/KJRW/zJNA=
=NHrW
-----END PGP SIGNATURE-----

L
L
Liliana Marie Prikler wrote on 10 Aug 2022 10:07
(name . muradm)(address . mail@muradm.net)
feefa8add73babb6fb99636e1e676b1eae309c89.camel@ist.tugraz.at
Am Dienstag, dem 09.08.2022 um 22:47 +0300 schrieb muradm:
Toggle quote (27 lines)
> There is no such specification as login manager or what ever. User
> is any one/thing acquiring resources via seat management. It is
> perfectly fine to run mingetty, login into bash and from command line
> start sway that will use libseat to acquire video for instance. Who is
> user here?
>
> There is also no display manager as it was before. Please see my
> explanation to unmatched-paren:
> https://debbugs.gnu.org/cgi/bugreport.cgi?msg=46;bug=56690
> What is sway in this usecase, it is not a user (like you or me),
> it is not a display manager (as gdm, sddm etc.). It is just
> application requiring video card (not only) resource, which
> it instead of having exclusive root access, uses libseat to
> acquire it in "seat managy" way. And greetd does/should not
> care about seatd/libseat until it is not required to acquire
> resources in "seat managy" way. Instead it is a greeter which
> is totatly customizable, could be even a bash script or small
> suckless-like application or else.
>
> This is the point of seatd I suppose, to do one thing only
> without enforcing on who should do what.
>
> Thus, none of your proposals are suitable, and I can't come up
> with something better than "seat management user" or "libseat
> user". However in my opinion, the one who commits into such
> setup, should be aware of what is seatd libseat and how, why to
> interact with it.
I think you're mixing user and application here, which makes explaining
this to others difficult. For instance, GDM is both an application
(display manager) and a user launching this application. Likewise for
most other display managers. Thus, there is a 1:1 mapping between
users and applications.

With seatd, from what I understand, there is no such mapping. However,
given your description, the following is unclear: Does alice need to be
in the seat group to run bash? To run sway? To run sway *only if not
having talked to greetd first*?

Toggle quote (26 lines)
> > > > > +  (group seatd-group (default "seat"))
> > > > > +  (existing-group? seatd-existing-group? (default #f))
> > > > AFAIK this is not necessary.  accounts-service-type can
> > > > handle
> > > > multiple eq? groups, so as long as you're careful with what
> > > > you put
> > > > into group, you shouldn't get an error.
> > > ok field removed
> > Note ‘eq?’ groups here.  In other words, you should be able to
> > take a
> > group (not just a group name) for the group field, sanitize the
> > field
> > so that it will always be a group, and then use that group in
> > seatd-
> > accounts (see the second option mentioned in
> > <79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at>).
> > If
> > for instance instead of seat, you wanted the video group, you
> > would
> > have to take the one from %base-groups, rather than creating a
> > new one.
> Sorry, but I'm not so proficient in english as you. I can only
> speculate on what is written here. And that reference does not
> say anything to me, even duck duck go gives single result, it is
> your message. Could you please be more specific here, and/or
> provide more useful hyperlink style references. Thanks in advance.
I'll explain it in terms of lisp:

(define seat1 (user-group (name "seat") (system #t))
(define seat2 (user-group (name "seat") (system #t))
(operating-system (groups (list seat1 seat1))) ; works, eq?
(operating-system (groups (list seat2 seat2))) ; works, eq?
(operating-system (groups (list seat1 seat2))) ; doesn't work

For field sanitizers, see define-record-type*.

Cheers
M
M
muradm wrote on 13 Aug 2022 19:39
(name . Liliana Marie Prikler)(address . liliana.prikler@ist.tugraz.at)
87mtc8112x.fsf@muradm.net
Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> writes:

Toggle quote (42 lines)
> Am Dienstag, dem 09.08.2022 um 22:47 +0300 schrieb muradm:
>> There is no such specification as login manager or what ever.
>> User
>> is any one/thing acquiring resources via seat management. It is
>> perfectly fine to run mingetty, login into bash and from
>> command line
>> start sway that will use libseat to acquire video for instance.
>> Who is
>> user here?
>>
>> There is also no display manager as it was before. Please see
>> my
>> explanation to unmatched-paren:
>> https://debbugs.gnu.org/cgi/bugreport.cgi?msg=46;bug=56690
>> What is sway in this usecase, it is not a user (like you or
>> me),
>> it is not a display manager (as gdm, sddm etc.). It is just
>> application requiring video card (not only) resource, which
>> it instead of having exclusive root access, uses libseat to
>> acquire it in "seat managy" way. And greetd does/should not
>> care about seatd/libseat until it is not required to acquire
>> resources in "seat managy" way. Instead it is a greeter which
>> is totatly customizable, could be even a bash script or small
>> suckless-like application or else.
>>
>> This is the point of seatd I suppose, to do one thing only
>> without enforcing on who should do what.
>>
>> Thus, none of your proposals are suitable, and I can't come up
>> with something better than "seat management user" or "libseat
>> user". However in my opinion, the one who commits into such
>> setup, should be aware of what is seatd libseat and how, why to
>> interact with it.
> I think you're mixing user and application here, which makes
> explaining
> this to others difficult. For instance, GDM is both an
> application
> (display manager) and a user launching this application.
> Likewise for
> most other display managers. Thus, there is a 1:1 mapping
> between
> users and applications.
I don't think that I miss, instead I intend to generalize as much
as possible. I suppose it is better to say, seat management can be
used by anyone or anything where greeter would be an example of
anything, and logged in user an example of anyone.

Toggle quote (4 lines)
> With seatd, from what I understand, there is no such mapping.
> However,
> given your description, the following is unclear:
> Does alice need to be in the seat group to run bash?
Alice needs to be in seat group if any application and/or
script is going to be using libseat for acquiring resources in
"seat managy" way, in order to have access to seatd.sock.

Toggle quote (1 lines)
> To run sway?
Since sway is aciqyuring resources using libseat in "seat managy"
way, then Alice will have to be in seat group to access
seatd.sock.

Toggle quote (1 lines)
> To run sway *only if not having talked to greetd first*?
greetd is unrelated here, as greetd by it self is not acquiring
resources in "seat managy" way. Currently no greeter for greetd
also talks via libseat to seatd _directly_. But special case of
gtkgreet which requires wayland compositor, which is sway, creates
indirect relation of "seat managy" resources acquisiion using
libseat. This indirect relation requiring user of greeter to be
a member of seat group.

Toggle quote (41 lines)
>> > > > > +  (group seatd-group (default "seat"))
>> > > > > +  (existing-group? seatd-existing-group? (default #f))
>> > > > AFAIK this is not necessary.  accounts-service-type can
>> > > > handle
>> > > > multiple eq? groups, so as long as you're careful with
>> > > > what
>> > > > you put
>> > > > into group, you shouldn't get an error.
>> > > ok field removed
>> > Note ‘eq?’ groups here.  In other words, you should be able
>> > to
>> > take a
>> > group (not just a group name) for the group field, sanitize
>> > the
>> > field
>> > so that it will always be a group, and then use that group in
>> > seatd-
>> > accounts (see the second option mentioned in
>> > <79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at>).
>> > If
>> > for instance instead of seat, you wanted the video group, you
>> > would
>> > have to take the one from %base-groups, rather than creating
>> > a
>> > new one.
>> Sorry, but I'm not so proficient in english as you. I can only
>> speculate on what is written here. And that reference does not
>> say anything to me, even duck duck go gives single result, it
>> is
>> your message. Could you please be more specific here, and/or
>> provide more useful hyperlink style references. Thanks in
>> advance.
> I'll explain it in terms of lisp:
>
> (define seat1 (user-group (name "seat") (system #t))
> (define seat2 (user-group (name "seat") (system #t))
> (operating-system (groups (list seat1 seat1))) ; works, eq?
> (operating-system (groups (list seat2 seat2))) ; works, eq?
> (operating-system (groups (list seat1 seat2))) ; doesn't work
>
> For field sanitizers, see define-record-type*.
I know how eq? works. I don't understand what do you want me to
do with service configuration.

Toggle quote (1 lines)
> Cheers
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESPY5lma9A9l5HGLP6M7O0mLOBeIFAmL35UYACgkQ6M7O0mLO
BeJyKBAAxDyzpy8EXgNr8H8wYP6nCg5pvT/+KXEu3EnARDuDo1RYvU1r4X42OsTq
CGMY2IcwXNOox2Z8f8lWE/ljV9FaBvFLXy9kGrOVaBYhE6PM1DWeAjHS2i4EiOru
a1gZn/CPSi/6LiEah0PRIigySJSK9nky6Rt+5iveQPAy7qx9lp0hJklH2tso7/Yn
Xu8Q8lxDkLFw7yixNiISBjOsU7xkT40lHU/4vY5wM0KmXj8sClRZAmRcPb32SdgX
9Vv04bQI3S98TEflYUxl84L+aGjwk4NTMmThflUHOG1/+ql9xY+7nS0J1sYIsCns
Qr2F6ar9cB6QpEkH3t1cAlAX//azz7mMVhzBaBsvS1nG7L6woL558/wmYLgDmqNd
dQ/r86lvd2o30qKT2bnF3sgpaWGCnEbL9m/CJfJ286kH2xlqpBQeMW9t/h3+q+UV
89cNYjDyJbpVuG+zzhRu8MeJm4+Ae1hxUyS9do4uId8WC18mvwzNo7Z6YjOOwcVA
QeC7Jh7hF1Smd+TiisqaXZd6Eb7vOvO4eFCiQ3uaHP4kCoYGl6JQj5sRZroeIVMl
84Hq+lW9V2AWZ84kR+h4NW00Udtg0RM+xDuAti75/FV1tz1OuWvdT0pR+RKizsgW
yHZSoDwIkG1e9MtFpJzSp2NoBdT76tiDBTYQf4l5HrTlgC1gbNE=
=xhn8
-----END PGP SIGNATURE-----

M
M
muradm wrote on 22 Aug 2022 22:17
(name . Liliana Marie Prikler)(address . liliana.prikler@ist.tugraz.at)
8735doyqs4.fsf@muradm.net
Now accepts either string or user-group as group.
Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> writes:

Toggle quote (94 lines)
> Am Dienstag, dem 09.08.2022 um 22:47 +0300 schrieb muradm:
>> There is no such specification as login manager or what ever.
>> User
>> is any one/thing acquiring resources via seat management. It is
>> perfectly fine to run mingetty, login into bash and from
>> command line
>> start sway that will use libseat to acquire video for instance.
>> Who is
>> user here?
>>
>> There is also no display manager as it was before. Please see
>> my
>> explanation to unmatched-paren:
>> https://debbugs.gnu.org/cgi/bugreport.cgi?msg=46;bug=56690
>> What is sway in this usecase, it is not a user (like you or
>> me),
>> it is not a display manager (as gdm, sddm etc.). It is just
>> application requiring video card (not only) resource, which
>> it instead of having exclusive root access, uses libseat to
>> acquire it in "seat managy" way. And greetd does/should not
>> care about seatd/libseat until it is not required to acquire
>> resources in "seat managy" way. Instead it is a greeter which
>> is totatly customizable, could be even a bash script or small
>> suckless-like application or else.
>>
>> This is the point of seatd I suppose, to do one thing only
>> without enforcing on who should do what.
>>
>> Thus, none of your proposals are suitable, and I can't come up
>> with something better than "seat management user" or "libseat
>> user". However in my opinion, the one who commits into such
>> setup, should be aware of what is seatd libseat and how, why to
>> interact with it.
> I think you're mixing user and application here, which makes
> explaining
> this to others difficult. For instance, GDM is both an
> application
> (display manager) and a user launching this application.
> Likewise for
> most other display managers. Thus, there is a 1:1 mapping
> between
> users and applications.
>
> With seatd, from what I understand, there is no such mapping.
> However,
> given your description, the following is unclear: Does alice
> need to be
> in the seat group to run bash? To run sway? To run sway *only
> if not
> having talked to greetd first*?
>
>> > > > > +  (group seatd-group (default "seat"))
>> > > > > +  (existing-group? seatd-existing-group? (default #f))
>> > > > AFAIK this is not necessary.  accounts-service-type can
>> > > > handle
>> > > > multiple eq? groups, so as long as you're careful with
>> > > > what
>> > > > you put
>> > > > into group, you shouldn't get an error.
>> > > ok field removed
>> > Note ‘eq?’ groups here.  In other words, you should be able
>> > to
>> > take a
>> > group (not just a group name) for the group field, sanitize
>> > the
>> > field
>> > so that it will always be a group, and then use that group in
>> > seatd-
>> > accounts (see the second option mentioned in
>> > <79341a82bf9cd5fc6c2227255095f3fe2927dcbe.camel@ist.tugraz.at>).
>> > If
>> > for instance instead of seat, you wanted the video group, you
>> > would
>> > have to take the one from %base-groups, rather than creating
>> > a
>> > new one.
>> Sorry, but I'm not so proficient in english as you. I can only
>> speculate on what is written here. And that reference does not
>> say anything to me, even duck duck go gives single result, it
>> is
>> your message. Could you please be more specific here, and/or
>> provide more useful hyperlink style references. Thanks in
>> advance.
> I'll explain it in terms of lisp:
>
> (define seat1 (user-group (name "seat") (system #t))
> (define seat2 (user-group (name "seat") (system #t))
> (operating-system (groups (list seat1 seat1))) ; works, eq?
> (operating-system (groups (list seat2 seat2))) ; works, eq?
> (operating-system (groups (list seat1 seat2))) ; doesn't work
>
> For field sanitizers, see define-record-type*.
>
> Cheers
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESPY5lma9A9l5HGLP6M7O0mLOBeIFAmMD5OwACgkQ6M7O0mLO
BeJCZRAAy+3g+TbyRGrN4uye0rl02lM7LaF58NkuZMgXX8P9hK1NJWHMMtnoDQmp
FuzMBeugzclLZ1mlE32RiMJ2ja/NC2/2kLrhY1hmWUAtblTh/kjn8YvLkkRkIKGl
vqltcS9WCriT2KkJdRFOzzTcBR61CdQ1yi3OR3+7N5OQR/AC55NQvOz/qSbJgZNh
oJEvTOKJibkoYt/E95+vj7xIZySBzqnmLRCoCSsZ52cuanILJAlCakKrwV8qmkbk
GyYshxnO2qC8YwGmcJtBAaN53/cKiJxAlUj62tKSez39UdWwymB5oNUVyqEz86S+
49ilk8gBOAUIUAmJBxufRFqH4MwMXiIGbsiesOc+C/lVpvocd/kiV2HehiZkrRAm
gx4mce7zmPkkTabK8vkyoyEt5GSjhBQol73qFpKTtB4nQ41YyRfug6glVQriUznj
KinsCG7+pjuouI83Fv6NlP7MHoGZ4DbvPqnyWy3OQTxJg3LrvHviz+Jn0W6bHq2N
V0CXzWAnMx2EdxUwbTiuVjc6YqKd9mCpifKXszp4tW1BKhUkuame1EGIVCaI35Wu
sP0vszCoWfCJr6YFzbNruqbs8aI/V4UDMJQdezzP8jIPACRTfpMhZuS9cMevnNvI
uOo9hlE8FQ2Pr8deiJhHyODXepPhVCjfmhyUK/CcE0uRu7BnHak=
=Tn6q
-----END PGP SIGNATURE-----

L
L
Liliana Marie Prikler wrote on 26 Aug 2022 19:06
Re: greeter user permissions are not enough to talk with seatd
(name . muradm)(address . mail@muradm.net)
400cf1fed0d340398da6e2e0e32bebdb8fd842ef.camel@gmail.com
Am Donnerstag, dem 04.08.2022 um 12:45 +0300 schrieb muradm:
Toggle quote (5 lines)
> * 56690 - gnu: seatd-service-type: Should use seat group.
> With this change, if seatd-service-type is present in the
> system configuration, "seat" group will be added, and seatd
> will run as root/seat. Group is configurable, but default is
> "seat".
I made it so that by default the sanitizer is used to turn the string
"seat" into a group and used (ice-9 match), reducing some needless
redundancy. I also reworded the manual to the best of my ability
following our conversations and adapted the commit message.

Toggle quote (5 lines)
> * 56699 - gnu: greetd-service-type: Add greeter-extra-groups
>   config field.
> With this change, if user wants to use seatd-service-type with
> greeter requiring seatd.sock, he can add "seat" group to
> greeter-extra-groups field.
I fixed some minor issue in the manual and reindented the marionette-
type in the tests, also reworded the commit message.

I didn't get the chance to run the system tests – some timeout causes
the marionette build to fail on my machine – but I verified
independently that at least the seatd socket has the right permissions.
I hope this will be enough for you to get gtkgreet running.

Cheers
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 56690@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 56690
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch