[systemd-devel] [multiseat] How to make automatic ACL creation via udev "uaccess" tag work for seats other than seat0?
Christian Pernegger
pernegger at gmail.com
Thu Aug 31 16:22:23 UTC 2023
Hello,

still trying to get the kinks out of my multiseat setup ...

AFAICT the proper way to give local users access to devices nowadays
is via udev and the "uaccess" tag: devices with this tag set should
automagically get an ACL entry that gives access to users with active
sessions. This works brilliantly for seat0, but not for seat1 (and
above, I presume).

E.g.
P: /devices/virtual/misc/rfkill
N: rfkill
L: 0
E: DEVPATH=/devices/virtual/misc/rfkill
E: SUBSYSTEM=misc
E: DEVNAME=/dev/rfkill
E: MAJOR=10
E: MINOR=242
E: USEC_INITIALIZED=954210
E: SYSTEMD_WANTS=systemd-rfkill.socket
E: TAGS=:systemd:uaccess:seat:shared:
E: CURRENT_TAGS=:systemd:uaccess:seat:shared:

At login screens:
# file: dev/rfkill
# owner: root
# group: root
user::rw-
user:gdm:rw- # *** [my emph.]
group::rw-
mask::rw-
other::rw-

Logged in on seat0:
At login screens:
# file: dev/rfkill
# owner: root
# group: root
user::rw-
user:chris:rw- # *** ["switches" to user]
group::rw-
mask::rw-
other::rw-

Logged in on seat1 instead:
# file: dev/rfkill
# owner: root
# group: root
user::rw-
user:gdm:rw- # *** [sticks to gdm]
group::rw-
mask::rw-
other::rw-

The GNOME BT control panel doesn't work unless the logged-in user has
write access to /dev/rfkill, which is how I originally came across
this.

But it's the same for the /dev/dri/renderD* devices. The seat to which
the matching card belongs has access some other way, but the other
seat does not; if you do give both seats access, both can use both
cards in vulkan applications, for example. I see there are other files
under /dev that have the ACL "+", looks like it's the same for them.

(I wonder if that's why I can't switch virtual consoles on seat1 even
though fbcon is mapped to that.)

Anyway, I know I can just override the permissions or use the old
group way of doing things, but I'd prefer to fix things properly. The
symptoms of wrong device permissions can be insidious.

Kind regards,
Christian Pernegger
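
An added example, not part of the original post and not systemd code: a small Python check that compares the named-user ACL entries on a "uaccess"-tagged device with the users holding active sessions, which is the expectation the post describes. The sample text is constructed from the output quoted above; the session list and all function names are assumptions made for illustration.

```python
# Constructed sample input, modelled on the output quoted in the post.
UDEV_INFO = """\
P: /devices/virtual/misc/rfkill
E: DEVNAME=/dev/rfkill
E: TAGS=:systemd:uaccess:seat:shared:
E: CURRENT_TAGS=:systemd:uaccess:seat:shared:
"""
ACL_SEAT1_LOGIN = """\
# file: dev/rfkill
user::rw-
user:gdm:rw- # *** [sticks to gdm]
group::rw-
mask::rw-
other::rw-
"""
# Assumed session list (user, seat, active): greeter on seat0, chris on seat1.
SESSIONS = [("gdm", "seat0", True), ("chris", "seat1", True)]

def udev_tags(info):
    """Tags from `udevadm info` text, preferring CURRENT_TAGS over TAGS."""
    props = dict(l[3:].split("=", 1) for l in info.splitlines()
                 if l.startswith("E: ") and "=" in l)
    raw = props.get("CURRENT_TAGS", props.get("TAGS", ""))
    return {t for t in raw.split(":") if t}

def acl_named_users(acl_text):
    """Map named user -> permissions from `getfacl` text, ignoring comments."""
    users = {}
    for line in acl_text.splitlines():
        parts = line.split("#", 1)[0].strip().split(":")
        if len(parts) == 3 and parts[0] == "user" and parts[1]:
            users[parts[1]] = parts[2]
    return users

def audit(info, acl_text, sessions):
    """Return (missing, stale): active users without an ACL entry, and
    named ACL users without an active session. Empty if not uaccess-tagged."""
    if "uaccess" not in udev_tags(info):
        return set(), set()
    active = {user for user, _seat, is_active in sessions if is_active}
    granted = {u for u, perm in acl_named_users(acl_text).items() if perm != "---"}
    return active - granted, granted - active

if __name__ == "__main__":
    missing, stale = audit(UDEV_INFO, ACL_SEAT1_LOGIN, SESSIONS)
    print("missing ACL entries:", sorted(missing), "stale:", sorted(stale))
```

With real data, pass the `udevadm info` and `getfacl` output for the device; a non-empty first set is the symptom described for seat1, and a non-empty second set flags access that outlived its session.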