[systemd-devel] Creating a fake logind seat with no devices [Experiment]
nerdopolis
bluescreen_avenger at verizon.net
Mon Aug 3 03:58:34 UTC 2020
On Thursday, July 30, 2020 5:00:27 AM EDT Arseny Maslennikov wrote:
> On Wed, Jul 29, 2020 at 11:17:51PM -0400, nerdopolis wrote:
> > I am pretty much trying to cobble together tmux, cage, and vte, to create a full screen VT-like
> > console lookalike. (as the kernel one takes input from all devices from all seats on a multiseat
> > system). Mostly experimental.
>
> Instead of cage + vte, have you tried the following:
>
> https://github.com/Aetf/kmscon/
>
> This is a fork (should I say, continuation?) of kmscon which builds from
> source successfully on modern distributions.
>
> From then on you can run tmux there.
>
> Some distros even provide packages:
> https://aur.archlinux.org/packages/kmscon-patched-git/
> http://git.altlinux.org/gears/k/kmscon.git
>
> I can confirm it worked for me as a VT replacement on a single seat and
> properly integrated with logind, but I don't have the hardware to test a
> multi-seat configuration.
>
> > (tmux server/client being used to avoid having to start vte and cage as root for /sbin/login)
> >
> >
> > The problem is that the tmux PTY running /sbin/login , those sessions don't properly create a full
> > pam_systemd sessions on seat0, as I get "VT number out of range", because as I understand seat0
> > sessions need to be on a valid TTY. Non-seat0 seats don't have this restriction, but non-seat0
> > seat hardware is far from a guarantee
> >
> >
> > However I will note so far the only major side effect I notice to not having (sd-pam) started in
> > this session is, for instance `pkexec` won't work, without sudo. And systemctl doesn't try to use
> > PolicyKit and whatnot, as from what I understand, that needs to be on a session assigned to a seat
> > to work I think
> >
> > Thanks
> >
> >
Hi
I wasn't aware that there was that recentish of a fork of kmscon. Interesting. It does run as root
though.
Now testing with it, it actually help me figure out what I had wrong. I just needed (in addition to
Environment=XDG_SEAT=seat0 ) was to set XDG_VTNR=x before running /sbin/login and when logging in a
full session with policykit working.
(So I was tilting at the wrong windmill thinking it couldn't be done on seat0)
However this ends up causing some conflicts, as logind sees it as two sessions on one TTY, and it
tries to activate the second one most of the time, so the non-root display server ends up in an
inactive state.
I was trying an experiment where the display server and the (graphical) terminal emulator could
provide something like KMSCON, but not run as root, and provide a valid login prompt. However I
realize also that if bad terminal output could get some kind of (theoretical) VTE exploit to run
arbitrary code, they will just be able to send commands to start a new session on the tmux socket.
So I guess I solved the problem I initially had.
Dang.
Thanks.
More information about the systemd-devel
mailing list