Re: Why is greetd greeter user in so many groups?
Hi, Here you are: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=56971 I added explanations and proposed solution there as well. Thanks in advance, muradm Ludovic Courtès writes: Hi, muradm skribis: This change broke greetd on my side as I am using it with gtkgreet. Could you open an issue so we keep track of this? While greetd is running as root, specific greeter started by it is not. This many groups was required to: - make it able starting graphical greeters with user greeter - access to seatd's socket file That sounds surprising to me. If other distros don’t do that, there must be something we’re missing? Anyway, let’s see how to move forward. Thanks, Ludo’. signature.asc Description: PGP signature
Re: Why is greetd greeter user in so many groups?
Hi, muradm skribis: > This change broke greetd on my side as I am using it with gtkgreet. Could you open an issue so we keep track of this? > While greetd is running as root, specific greeter started by it is > not. > > This many groups was required to: > - make it able starting graphical greeters with user greeter > - access to seatd's socket file That sounds surprising to me. If other distros don’t do that, there must be something we’re missing? Anyway, let’s see how to move forward. Thanks, Ludo’.
Re: Why is greetd greeter user in so many groups?
Hello, This change broke greetd on my side as I am using it with gtkgreet. While greetd is running as root, specific greeter started by it is not. This many groups was required to: - make it able starting graphical greeters with user greeter - access to seatd's socket file I admit that, initially it was not clear what is needed, and how. But now it is ok, I suggest to make groups configurable for both greetd (56699) and seatd (56690). This way is most flexible as how user prefers to use them. Could your please have a look at these? Once we done, I would like to submit at least gtkgreet as well. Thanks in advance, muradm Lars-Dominik Braun writes: Hi, Sounds good, thanks for the fix! d921516f50a946e92f9d5dc6d3bd49aca9788ac2 services: greetd: Remove unnecessary user groups. Cheers, Lars signature.asc Description: PGP signature
Re: Why is greetd greeter user in so many groups?
Hi, > Sounds good, thanks for the fix! d921516f50a946e92f9d5dc6d3bd49aca9788ac2 services: greetd: Remove unnecessary user groups. Cheers, Lars
Re: Why is greetd greeter user in so many groups?
Hi Lars, On Wed, Jun 29 2022, 09:41:51 AM +0200 Lars-Dominik Braun wrote: > indeed, agreety works fine with that patch. I’d still keep the video > supplementary group, so one can run gtkgreet/wlgreet (if they ever pop > up in Guix). Any objections? Sounds good, thanks for the fix!
Re: Why is greetd greeter user in so many groups?
Hi, > Since greetd is currently being run as root, it doesn't need any > extra group membership. indeed, agreety works fine with that patch. I’d still keep the video supplementary group, so one can run gtkgreet/wlgreet (if they ever pop up in Guix). Any objections? Cheers, Lars
Re: Why is greetd greeter user in so many groups?
Lars-Dominik Braun writes:
oh, I guess they are written by greetd, not the greeter
itself. Does
greetd work without the groups in questions? (I don’t have
access to
a powerful machine right now to test it.)
Since greetd is currently being run as root, it doesn't need any
extra group membership.
I'm using the following patch with no observed change in behavior:
--8<---cut here---start->8---
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index d58afb27e3..e9be2b9df1 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -2912,8 +2912,11 @@ (define
(make-greetd-terminal-configuration-file config)
(define %greetd-accounts
(list (user-account
(name "greeter")
- (group "wheel")
- (supplementary-groups '("users" "tty" "input" "video"
"audio"))
+ (group "greeter")
+ (supplementary-groups '())
+ (system? #t))
+(user-group
+ (name "greeter")
(system? #t
(define %greetd-file-systems
--8<---cut here---end--->8---
-bjc
Re: Why is greetd greeter user in so many groups?
Hi, > Only root can write to /var/log, so wheel is irrelevant. And, indeed, greetd > logs are being written as root: oh, I guess they are written by greetd, not the greeter itself. Does greetd work without the groups in questions? (I don’t have access to a powerful machine right now to test it.) Thanks, Lars
Re: Why is greetd greeter user in so many groups?
Lars-Dominik Braun writes: I believe wheel is necessary to write logs to /var/log, because they don’t go through the syslog. audio maybe for GTK-based greeter with accessibility (i.e. TTS), but I’m not sure to be honest. Only root can write to /var/log, so wheel is irrelevant. And, indeed, greetd logs are being written as root: --8<---cut here---start->8--- psyduck:~% ls -la /var/log total 7028 drwxr-xr-x 1 root root 560 Jun 19 14:10 ./ drwxr-xr-x 1 root root 64 Jun 20 18:09 ../ […] -rw-r- 1 root root1694 Jun 20 16:12 greetd-1.log -rw-r- 1 root root8035 Jun 19 21:10 greetd-2.log --8<---cut here---end--->8--- -bjc
Re: Why is greetd greeter user in so many groups?
Hi,
I merged greetd.
> (group "wheel")
> (supplementary-groups '("users" "tty" "input" "video"
> "audio"))
> […]
> I can understand the need for tty and input, but why does the
> greeter user need the wheel and audio?
I believe wheel is necessary to write logs to /var/log, because they
don’t go through the syslog. audio maybe for GTK-based greeter with
accessibility (i.e. TTS), but I’m not sure to be honest.
Lars
Why is greetd greeter user in so many groups?
Hooray, greetd has been merged! [1]
However, according to upstream the greeter user only needs to be in
the video and greeter groups. [2]
Whereas the guix definition for the greeter user has many more groups:
(define %greetd-accounts
(list (user-account
(name "greeter")
(group "wheel")
(supplementary-groups '("users" "tty" "input" "video"
"audio"))
(system? #t
I can understand the need for tty and input, but why does the
greeter user need the wheel and audio?
1. https://issues.guix.gnu.org/49969
2. https://git.sr.ht/~kennylevinsen/greetd/#manually-from-source
