[RFC] weston-launch: add option to start compositors other than weston

Ilia Bozhinov ammen99 at gmail.com
Mon Mar 19 10:33:27 UTC 2018


Oops, sorry, I didn't consider that and I should have. Mods should remove
this patch.

But anyway, does that mean every compositor should provide its own version
of weston-launch or require systemd-login?

On Mon, Mar 19, 2018 at 12:24 PM, Pekka Paalanen <ppaalanen at gmail.com>
wrote:

> On Mon, 19 Mar 2018 11:41:46 +0200
> Ilia Bozhinov <ammen99 at gmail.com> wrote:
>
> > This is helpful for other compositors which utilize libweston without
> > systemd-login support.
> >
> > Signed-off-by: Ilia Bozhinov <ammen99 at gmail.com>
> > ---
> >  libweston/weston-launch.c | 35 +++++++++++++++++++++--------------
> >  1 file changed, 21 insertions(+), 14 deletions(-)
> >
> > diff --git a/libweston/weston-launch.c b/libweston/weston-launch.c
> > index 1adcf21a..b8bceea2 100644
> > --- a/libweston/weston-launch.c
> > +++ b/libweston/weston-launch.c
> > @@ -116,6 +116,7 @@ struct weston_launch {
> >       pid_t child;
> >       int verbose;
> >       char *new_user;
> > +     char *compositor_cmd;
> >  };
> >
> >  union cmsg_data { unsigned char b[4]; int fd; };
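
Review bot: the new compositor_cmd field in struct weston_launch has no comment saying who owns the string or whether it may be modified, and none of the visible hunks assigns it. That matters because the setup_session hunk appends to it in place. Document it as a read-only pointer (for example into argv) and declare it const char * so that in-place modification fails to compile.
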
> > @@ -624,7 +625,7 @@ setup_session(struct weston_launch *wl, char
> **child_argv)
> >       child_argv[0] = "/bin/sh";
> >       child_argv[1] = "-l";
> >       child_argv[2] = "-c";
> > -     child_argv[3] = BINDIR "/weston \"$@\"";
> > +     child_argv[3] = strcat(wl->compositor_cmd ?: BINDIR "/weston",
> "\"$@\"");
> >       child_argv[4] = "weston";
> >       return 5;
> >  }
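
Review bot: the strcat() call in setup_session writes into its first argument, which is either wl->compositor_cmd or the string literal BINDIR "/weston". Appending to a string literal is undefined behaviour, and appending to compositor_cmd writes past the end of that string unless room was reserved for it, which nothing visible does. The concatenation also loses the space that the old string had between the binary path and "$@", and the result becomes the text of a /bin/sh -c command, so shell metacharacters in the value given to -c are interpreted by the shell. Keep the command text constant and pass the compositor path as a positional parameter, or at minimum build the string with snprintf into a buffer sized for it.
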
> > @@ -652,7 +653,7 @@ launch_compositor(struct weston_launch *wl, int
> argc, char *argv[])
> >       if (wl->new_user) {
> >               o = setup_session(wl, child_argv);
> >       } else {
> > -             child_argv[0] = BINDIR "/weston";
> > +             child_argv[0] = wl->compositor_cmd ?: BINDIR "/weston";
> >               o = 1;
> >       }
> >       for (i = 0; i < argc; ++i)
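
Review bot: in launch_compositor, child_argv[0] now takes wl->compositor_cmd without any check on what it names. Since the program launched this way inherits the launcher's privileges, as the reply below explains, the value should be validated before it is used: require an absolute path and refuse anything that is not on an administrator-controlled list, falling back to an error rather than to running the requested program.
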
> > @@ -683,12 +684,14 @@ static void
> >  help(const char *name)
> >  {
> >       fprintf(stderr, "Usage: %s [args...] [-- [weston args..]]\n",
> name);
> > -     fprintf(stderr, "  -u, --user      Start session as specified
> username,\n"
> > -                     "                  e.g. -u joe, requires root.\n");
> > -     fprintf(stderr, "  -t, --tty       Start session on alternative
> tty,\n"
> > -                     "                  e.g. -t /dev/tty4, requires -u
> option.\n");
> > -     fprintf(stderr, "  -v, --verbose   Be verbose\n");
> > -     fprintf(stderr, "  -h, --help      Display this help message\n");
> > +     fprintf(stderr, "  -u, --user       Start session as specified
> username,\n"
> > +                     "                   e.g. -u joe, requires
> root.\n");
> > +     fprintf(stderr, "  -t, --tty        Start session on alternative
> tty,\n"
> > +                     "                   e.g. -t /dev/tty4, requires -u
> option.\n");
> > +     fprintf(stderr, "  -c, --compositor Start a compositor other than
> weston,\n"
> > +                     "                   e.g. -c /usr/bin/weston.\n");
> > +     fprintf(stderr, "  -v, --verbose    Be verbose\n");
> > +     fprintf(stderr, "  -h, --help       Display this help message\n");
> >  }
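
Review bot: the usage line at the top of help() still says "[weston args..]", and the example given for -c is "/usr/bin/weston", which is weston itself and so does not illustrate starting another compositor. Update both, and once -c is restricted, state in the help text which paths it accepts. Re-aligning the unchanged -u, -t, -v and -h lines makes the hunk larger than the change needs; consider keeping the existing column or doing the re-alignment in a separate commit.
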
>
> Hi,
>
> I do not think we can do this. weston-launch is a setuid-root program,
> which gives the program it launches special privileges to e.g. open
> input devices. If we do not restrict the possible programs it can
> launch, anyone who can run weston-launch will be able to spy on all
> input devices by using weston-launch to run a spy program.
>
> If we had a trusted list of compositor binaries in trusted system
> paths (a la /etc/shells), then that might work, but I don't trust
> myself enough to say it would be a secure solution.
>
>
> Thanks,
> pq
>
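
The trusted-list check suggested in the quoted reply (a la /etc/shells), as an added example that is not part of the thread or of weston. The list path `/etc/weston-launch-compositors` and the function names `allowlist_line_matches` and `compositor_allowed` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L /* for fileno() */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical admin-maintained list, one absolute path per line. */
#define COMPOSITOR_LIST "/etc/weston-launch-compositors"

/* Return 1 if one list line names exactly cmd, /etc/shells style: blank
 * lines and '#' comments never match, surrounding blanks are ignored, and
 * only absolute paths count, so PATH is never consulted. */
int
allowlist_line_matches(const char *line, const char *cmd)
{
	size_t len;
	line += strspn(line, " \t");
	len = strcspn(line, "#\r\n");
	while (len > 0 && (line[len - 1] == ' ' || line[len - 1] == '\t'))
		len--;
	return len > 0 && line[0] == '/' &&
	       strlen(cmd) == len && memcmp(line, cmd, len) == 0;
}

/* Return 1 only if cmd is listed in a root-owned regular file that group
 * and others cannot write. Any error or doubt means refusal (fail closed). */
int
compositor_allowed(const char *list_path, const char *cmd)
{
	char line[4096];
	struct stat st;
	int ok = 0;
	FILE *f = fopen(list_path, "r");
	if (!f)
		return 0;
	/* fstat the open stream so the file checked is the file read. */
	if (fstat(fileno(f), &st) == 0 && S_ISREG(st.st_mode) &&
	    st.st_uid == 0 && !(st.st_mode & (S_IWGRP | S_IWOTH))) {
		while (!ok && fgets(line, sizeof line, f))
			ok = allowlist_line_matches(line, cmd);
	}
	fclose(f);
	return ok;
}

/* Exit 0 only for a listed compositor path given as the sole argument. */
int
main(int argc, char *argv[])
{
	return argc == 2 && compositor_allowed(COMPOSITOR_LIST, argv[1]) ? 0 : 1;
}
```

The check covers only the list file and the requested path string; it does not inspect the listed binaries themselves. A launcher using it would pass the approved path directly to exec rather than building a shell command from it.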