On Mon, Aug 26, 2019 at 05:41:15PM +0200, Armin K. via blfs-dev wrote: > > You seem to be missing one important piece of software in this > discussion, and that's the one and only device manager, the (E)Udev. > (E)Udev is responsible for "tagging" a device that can be accessed > through a seat that is managed by (E)logind. > > What I'd suggest for you Ken, is to verify the existence of the > following (E)Udev rules on your system: > > https://github.com/systemd/systemd/blob/master/src/login/70-uaccess.rules.m4 >
the only match for 'input' is # joysticks SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="?*", TAG+="uaccess" But according to https://unix.stackexchange.com/questions/467382/udev-uaccess-and-hid Access is granted and revoked to open file descriptors, instead of the device node. And there is a link to https://dvdhrm.wordpress.com/2013/08/25/sane-session-switching/ > https://github.com/systemd/systemd/blob/master/src/login/71-seat.rules.in > This looks more hopeful SUBSYSTEM=="input", KERNEL=="input*", TAG+="seat" I guess that should be what controls this. > https://github.com/systemd/systemd/blob/master/src/login/73-seat-late.rules.m4 > And that rules file exists. > Your (E)udev needs to be built with ACL support, as the access to the > tagged nodes is granted through access controls. You can verify if your > user has correct access on the nodes with "getfacl /dev/input/event0" > for example. > > This way, no old-fashined group membership is required for audio, video, > cdrom, input, etc groups - if you have a local seat you have access to > these nodes, and they are granted using access controls by udev itself. > On my systems with elogind, nothing - getfacl: Removing leading '/' from absolute path names # file: dev/input/event0 # owner: root # group: input user::rw- group::rw- other::--- And after the noise when changing to a different tty I did set the following in my kernels: CONFIG_TMPFS_POSIX_ACL=y which also enabled CONFIG_TMPFS_XATTR=y The log from my build of eudev has no mention of acl or ACL. > Kind regards. Thanks. I'm convinced there is probably something simple and trivial missing. Will look at the google results for elogind seat access not working Hmm, the many pages turned out to be far fewer as I dug down. https://github.com/elogind/elogind/issues/61 Running X on tty1 with myself in the input group ind switching to tty2 to run loginctl shows SESSION UID USER SEAT TTY c1 1000 ken seat0 tty1 c2 1000 ken seat0 tty2 2 sessions listed. Hmm, following on from that I looked at the linked /etc/pam.d/system-auth: # This file is part of elogind. auth sufficient pam_unix.so nullok try_first_pass account required pam_nologin.so account sufficient pam_unix.so password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok -session optional pam_loginuid.so -session optional pam_elogind.so session sufficient pam_unix.so I'm not quite sure why the two optional lines there start with '-' (it's a file, not a diff). My own is (hopefully) the same as in BLFS ?, without any mention of pam_elogind.so which is instead in /etc/pam.d/elogind-user # Begin /etc/pam.d/system-auth auth required pam_unix.so # End /etc/pam.d/system-auth and # Begin /etc/pam.d/elogind-user account required pam_access.so account include system-account session required pam_env.so session required pam_limits.so session required pam_unix.so session required pam_loginuid.so session optional pam_keyinit.so force revoke session optional pam_elogind.so auth required pam_deny.so password required pam_deny.so # End /etc/pam.d/elogind-user ĸen -- Adopted by dwarfs, brought up by dwarfs. To dwarfs I'm a dwarf, sir. I can do the rite of k'zakra, I know the secrets of h'ragna, I can ha'lk my g'rakha correctly ... I am a dwarf Captain Carrot Ironfoundersson (in The Fifth Elephant) -- http://lists.linuxfromscratch.org/listinfo/blfs-dev FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page