[systemd-devel] [multiseat] How to make automatic ACL creation via udev "uaccess" tag work for seats other than seat0?

Andrei Borzenkov arvidjaar at gmail.com
Thu Aug 31 18:37:12 UTC 2023


On 31.08.2023 19:22, Christian Pernegger wrote:
> Hello,
> 
> still trying to get the kinks out of my multiseat setup ...
> 
> AFAICT the proper way to give local users access to devices nowadays
> is via udev and the "uaccess" tag: devices with this tag set should
> automagically get an ACL entry that gives access to users with active
> sessions. This works brilliantly for seat0, but not for seat1 (and
> above, I presume).
> 
> E.g.
> P: /devices/virtual/misc/rfkill
> N: rfkill
> L: 0
> E: DEVPATH=/devices/virtual/misc/rfkill
> E: SUBSYSTEM=misc
> E: DEVNAME=/dev/rfkill
> E: MAJOR=10
> E: MINOR=242
> E: USEC_INITIALIZED=954210
> E: SYSTEMD_WANTS=systemd-rfkill.socket
> E: TAGS=:systemd:uaccess:seat:shared:
> E: CURRENT_TAGS=:systemd:uaccess:seat:shared:
> 

There is no ID_SEAT, so this device belongs to seat0 by default.

> At login screens:
> # file: dev/rfkill
> # owner: root
> # group: root
> user::rw-
> user:gdm:rw- # *** [my emph.]
> group::rw-
> mask::rw-
> other::rw-
> 
> Logged in on seat0:
> At login screens:
> # file: dev/rfkill
> # owner: root
> # group: root
> user::rw-
> user:chris:rw- # *** ["switches" to user]
> group::rw-
> mask::rw-
> other::rw-
> 
> Logged in on seat1 instead:
> # file: dev/rfkill
> # owner: root
> # group: root
> user::rw-
> user:gdm:rw- # *** [sticks to gdm]
> group::rw-
> mask::rw-
> other::rw-
> 

This device belongs to seat0, so it is ignored when requested to change 
permissions for seat1.

> The GNOME BT control panel doesn't work unless the logged-in user has
> write access to /dev/rfkill, which is how I originally came across
> this.
> But it's the same for the /dev/dri/renderD* devices. The seat to which
> the matching card belongs has access some other way, but the other
> seat does not; if you do give both seats access, both can use both
> cards in vulkan applications, for example. I see there are other files
> under /dev that have the ACL "+", looks like it's the same for them.
> (I wonder if that's why I can't switch virtual consoles on seat1 even
> though fbcon is mapped to that.)
> 
> Anyway, I know I can just override the permissions or use the old
> group way of doing things, but I'd prefer to fix things properly. The
> symptoms of wrong device permissions can be insidious.
>

You need to assign your device to the correct seat.
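
The seat-matching rule from the reply above (a device with no ID_SEAT counts as seat0, so only seat0 sessions get its uaccess ACL), written as an added example that is not part of the original messages. It parses `udevadm info` style records and reports which seat each uaccess-tagged node follows. The function names, the renderD129 record and its device path are constructed for illustration, and preferring CURRENT_TAGS over TAGS is an assumption of this example.

```python
"""Added example: classify `udevadm info` records by seat for uaccess ACLs."""

DEFAULT_SEAT = "seat0"  # per the reply: no ID_SEAT means seat0

# Constructed sample: the rfkill record quoted in the thread, plus a
# hypothetical render node that a udev rule has assigned to seat1.
SAMPLE = """\
P: /devices/virtual/misc/rfkill
N: rfkill
E: DEVNAME=/dev/rfkill
E: TAGS=:systemd:uaccess:seat:shared:
E: CURRENT_TAGS=:systemd:uaccess:seat:shared:

P: /devices/example/drm/renderD129
N: dri/renderD129
E: DEVNAME=/dev/dri/renderD129
E: ID_SEAT=seat1
E: TAGS=:uaccess:seat:
E: CURRENT_TAGS=:uaccess:seat:
"""


def parse_records(text):
    """Split udevadm info output into one dict of E: properties per device."""
    records, props = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends a device record
            if props:
                records.append(props)
            props = {}
        elif line.startswith("E: ") and "=" in line:
            key, value = line[3:].split("=", 1)
            props[key] = value
    if props:
        records.append(props)
    return records


def seat_of(props):
    """Seat the device belongs to; devices without ID_SEAT fall to seat0."""
    return props.get("ID_SEAT") or DEFAULT_SEAT


def has_uaccess(props):
    """True if the device carries the uaccess tag (assumed: CURRENT_TAGS wins)."""
    tags = props.get("CURRENT_TAGS", props.get("TAGS", ""))
    return "uaccess" in tags.split(":")


def acl_report(text):
    """Map each uaccess device node to the seat whose session gets its ACL."""
    return {p["DEVNAME"]: seat_of(p) for p in parse_records(text)
            if has_uaccess(p) and "DEVNAME" in p}


if __name__ == "__main__":
    for node, seat in acl_report(SAMPLE).items():
        print(f"{node}: ACL follows the active session on {seat}")
```

To check a live system, pass the text of `udevadm info --export-db` to `acl_report()` instead of `SAMPLE`.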

