On Mon, Aug 26, 2019 at 05:41:15PM +0200, Armin K. via blfs-dev wrote:
> 
> You seem to be missing one important piece of software in this
> discussion, and that's the one and only device manager, the (E)Udev.
> (E)Udev is responsible for "tagging" a device that can be accessed
> through a seat that is managed by (E)logind.
> 
> What I'd suggest for you Ken, is to verify the existence of the
> following (E)Udev rules on your system:
> 
> https://github.com/systemd/systemd/blob/master/src/login/70-uaccess.rules.m4
> 

the only match for 'input' is

# joysticks
SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="?*", TAG+="uaccess"

But according to
https://unix.stackexchange.com/questions/467382/udev-uaccess-and-hid
access is granted and revoked on open file descriptors, instead of
the device node.

And there is a link to
https://dvdhrm.wordpress.com/2013/08/25/sane-session-switching/


> https://github.com/systemd/systemd/blob/master/src/login/71-seat.rules.in
> 

This looks more hopeful:

SUBSYSTEM=="input", KERNEL=="input*", TAG+="seat"

I guess that should be what controls this.

> https://github.com/systemd/systemd/blob/master/src/login/73-seat-late.rules.m4
> 

And that rules file exists.

> Your (E)udev needs to be built with ACL support, as the access to the
> tagged nodes is granted through access controls. You can verify if your
> user has correct access on the nodes with "getfacl /dev/input/event0"
> for example.
> 
> This way, no old-fashioned group membership is required for audio, video,
> cdrom, input, etc groups - if you have a local seat you have access to
> these nodes, and they are granted using access controls by udev itself.
> 

On my systems with elogind, nothing -

getfacl: Removing leading '/' from absolute path names
# file: dev/input/event0
# owner: root
# group: input
user::rw-
group::rw-
other::---

And after the noise when changing to a different tty I did set the
following in my kernels:

CONFIG_TMPFS_POSIX_ACL=y

which also enabled

CONFIG_TMPFS_XATTR=y

The log from my build of eudev has no mention of acl or ACL.

> Kind regards.

Thanks.  I'm convinced there is probably something simple and
trivial missing.  Will look at the google results for
 elogind seat access not working

Hmm, the many pages turned out to be far fewer as I dug down.
https://github.com/elogind/elogind/issues/61

Running X on tty1 with myself in the input group and switching to
tty2 to run loginctl shows

SESSION  UID USER SEAT  TTY
     c1 1000 ken  seat0 tty1
     c2 1000 ken  seat0 tty2

2 sessions listed.

Hmm, following on from that I looked at the linked
/etc/pam.d/system-auth:

# This file is part of elogind.

auth     sufficient pam_unix.so nullok try_first_pass

account  required   pam_nologin.so
account  sufficient pam_unix.so

password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok

-session optional   pam_loginuid.so
-session optional   pam_elogind.so
session  sufficient pam_unix.so

I'm not quite sure why the two optional lines there start with '-'
(it's a file, not a diff).

My own is (hopefully) the same as in BLFS(?), without any mention of
pam_elogind.so, which is instead in /etc/pam.d/elogind-user:

# Begin /etc/pam.d/system-auth

auth      required    pam_unix.so

# End /etc/pam.d/system-auth

and

# Begin /etc/pam.d/elogind-user

account  required    pam_access.so
account  include     system-account

session  required    pam_env.so
session  required    pam_limits.so
session  required    pam_unix.so
session  required    pam_loginuid.so
session  optional    pam_keyinit.so force revoke
session  optional    pam_elogind.so

auth     required    pam_deny.so
password required    pam_deny.so

# End /etc/pam.d/elogind-user

ĸen
-- 
Adopted by dwarfs, brought up by dwarfs.  To dwarfs I'm a dwarf, sir.
I can do the rite of k'zakra, I know the secrets of h'ragna, I can
ha'lk my g'rakha correctly ... I am a dwarf
           Captain Carrot Ironfoundersson (in The Fifth Elephant)
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
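The following is an added example, not code from the thread, from eudev or from elogind. It models the two udev rules quoted above (the joystick uaccess rule and the seat rule) with a small matcher for the subset of udev rule syntax they use, and parses getfacl output the way the troubleshooting in the thread does, so that "which tag should this node have received" and "did the user actually get an ACL entry" can be checked side by side. The device attribute dictionaries, the kernel names (event0, input5, event7) and both getfacl outputs are constructed samples, not captured from a real system; on a live box the same inputs come from udevadm info and getfacl.

```python
"""Model of udev tag matching plus a getfacl parser (added example).

Assumptions: only the operators ==, != and += on the keys SUBSYSTEM,
KERNEL, ENV{...} and TAG are understood, and udev's ?* / * globs are
mapped onto fnmatch. Everything under "Constructed samples" is made up
for illustration, not captured output.
"""
import fnmatch
import re

# key, operator, quoted value, optional trailing comma
RULE_TOKEN = re.compile(r'\s*([A-Z]+(?:\{[^}]*\})?)\s*(==|!=|\+=|=)\s*"([^"]*)"\s*,?')


def parse_rule(line):
    """Split one udev rule line into (key, op, value) tuples.

    Comments are stripped naively at the first '#', which is enough for
    the rules quoted in the thread (no '#' inside quoted values).
    """
    line = line.split('#', 1)[0].strip()
    tokens, pos = [], 0
    while pos < len(line):
        m = RULE_TOKEN.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse udev rule at: {line[pos:]!r}")
        tokens.append(m.groups())
        pos = m.end()
    return tokens


def lookup(device, key):
    """Resolve SUBSYSTEM / KERNEL / ENV{X} against a device attribute dict."""
    if key.startswith("ENV{"):
        return device.get("env", {}).get(key[4:-1], "")
    return device.get(key.lower(), "")


def apply_rules(rule_lines, device):
    """Return the set of tags a device carries after all rules ran.

    A rule only applies its += assignments when every == / != match
    succeeds; an absent ENV key reads as "", so ?* (one or more chars)
    does not match it, which is why the joystick rule skips keyboards.
    """
    tags = set(device.get("tags", ()))
    for line in rule_lines:
        tokens = parse_rule(line)
        if not tokens:
            continue
        matched = all(
            (op == "==") == fnmatch.fnmatchcase(lookup(device, key), value)
            for key, op, value in tokens
            if op in ("==", "!=")
        )
        if matched:
            for key, op, value in tokens:
                if key == "TAG" and op == "+=":
                    tags.add(value)
    return tags


def acl_users(getfacl_output):
    """Return {user: perms} for the named-user entries in getfacl output.

    Base entries (user::, group::, mask::, other::) are skipped; only
    user:<name>:<perms> lines count, which is what a uaccess tag would
    add for the seat's active user.
    """
    users = {}
    for line in getfacl_output.splitlines():
        parts = line.strip().split(':')
        if len(parts) == 3 and parts[0] == 'user' and parts[1]:
            users[parts[1]] = parts[2]
    return users


# Constructed samples: rules as quoted in the thread, devices and ACLs made up.
UACCESS_RULES = [
    '# joysticks',
    'SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="?*", TAG+="uaccess"',
]
SEAT_RULES = ['SUBSYSTEM=="input", KERNEL=="input*", TAG+="seat"']

KEYBOARD_EVENT = {"subsystem": "input", "kernel": "event0", "env": {"ID_INPUT_KEYBOARD": "1"}}
KEYBOARD_PARENT = {"subsystem": "input", "kernel": "input5", "env": {"ID_INPUT_KEYBOARD": "1"}}
JOYSTICK_EVENT = {"subsystem": "input", "kernel": "event7", "env": {"ID_INPUT_JOYSTICK": "1"}}

GETFACL_NO_ACL = "# file: dev/input/event0\n# owner: root\n# group: input\nuser::rw-\ngroup::rw-\nother::---\n"
GETFACL_WITH_ACL = ("# file: dev/input/event7\n# owner: root\n# group: input\n"
                    "user::rw-\nuser:ken:rw-\ngroup::rw-\nmask::rw-\nother::---\n")


def seat_access_report(device, getfacl_output, user):
    """Combine both checks: expected tags versus the ACL actually present."""
    tags = apply_rules(UACCESS_RULES + SEAT_RULES, device)
    return {"tags": sorted(tags),
            "uaccess_expected": "uaccess" in tags,
            "user_has_acl": user in acl_users(getfacl_output)}


if __name__ == "__main__":
    for name, dev, facl in [("keyboard event0", KEYBOARD_EVENT, GETFACL_NO_ACL),
                            ("keyboard parent", KEYBOARD_PARENT, GETFACL_NO_ACL),
                            ("joystick event7", JOYSTICK_EVENT, GETFACL_WITH_ACL)]:
        print(name, seat_access_report(dev, facl, "ken"))
```

In this model the seat rule tags the inputN parent device, and the uaccess rule only fires when ID_INPUT_JOYSTICK is set, so a keyboard's eventN node receives neither tag from these two rules alone; a getfacl listing with no user:<name>: entry on such a node is then consistent with the rules rather than evidence that ACL support is missing. A node that did receive uaccess is expected to show a user:<name>:rw- entry plus a mask:: line, which is the check to run before suspecting the eudev build or the kernel ACL options.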
