<div dir="ltr">Oops, sorry, I didn't consider that and I should have. Mods should remove this patch.<div><br><div>But anyway, does that mean every compositor should provide its own version of weston-launch or require systemd-login?</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 19, 2018 at 12:24 PM, Pekka Paalanen <span dir="ltr"><<a href="mailto:ppaalanen@gmail.com" target="_blank">ppaalanen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Mon, 19 Mar 2018 11:41:46 +0200<br>
Ilia Bozhinov <<a href="mailto:ammen99@gmail.com">ammen99@gmail.com</a>> wrote:<br>
<br>
> This is helpful for other compositors which utilize libweston without<br>
> systemd-login support.<br>
><br>
> Signed-off-by: Ilia Bozhinov <<a href="mailto:ammen99@gmail.com">ammen99@gmail.com</a>><br>
> ---<br>
> libweston/weston-launch.c | 35 +++++++++++++++++++++---------<wbr>-----<br>
> 1 file changed, 21 insertions(+), 14 deletions(-)<br>
><br>
> diff --git a/libweston/weston-launch.c b/libweston/weston-launch.c<br>
> index 1adcf21a..b8bceea2 100644<br>
> --- a/libweston/weston-launch.c<br>
> +++ b/libweston/weston-launch.c<br>
> @@ -116,6 +116,7 @@ struct weston_launch {<br>
> pid_t child;<br>
> int verbose;<br>
> char *new_user;<br>
> + char *compositor_cmd;<br>
> };<br>
><br>
> union cmsg_data { unsigned char b[4]; int fd; };<br>
> @@ -624,7 +625,7 @@ setup_session(struct weston_launch *wl, char **child_argv)<br>
> child_argv[0] = "/bin/sh";<br>
> child_argv[1] = "-l";<br>
> child_argv[2] = "-c";<br>
> - child_argv[3] = BINDIR "/weston \"$@\"";<br>
> + child_argv[3] = strcat(wl->compositor_cmd ?: BINDIR "/weston", "\"$@\"");<br>
> child_argv[4] = "weston";<br>
> return 5;<br>
> }<br>
> @@ -652,7 +653,7 @@ launch_compositor(struct weston_launch *wl, int argc, char *argv[])<br>
> if (wl->new_user) {<br>
> o = setup_session(wl, child_argv);<br>
> } else {<br>
> - child_argv[0] = BINDIR "/weston";<br>
> + child_argv[0] = wl->compositor_cmd ?: BINDIR "/weston";<br>
> o = 1;<br>
> }<br>
> for (i = 0; i < argc; ++i)<br>
> @@ -683,12 +684,14 @@ static void<br>
> help(const char *name)<br>
> {<br>
> fprintf(stderr, "Usage: %s [args...] [-- [weston args..]]\n", name);<br>
> - fprintf(stderr, " -u, --user Start session as specified username,\n"<br>
> - " e.g. -u joe, requires root.\n");<br>
> - fprintf(stderr, " -t, --tty Start session on alternative tty,\n"<br>
> - " e.g. -t /dev/tty4, requires -u option.\n");<br>
> - fprintf(stderr, " -v, --verbose Be verbose\n");<br>
> - fprintf(stderr, " -h, --help Display this help message\n");<br>
> + fprintf(stderr, " -u, --user Start session as specified username,\n"<br>
> + " e.g. -u joe, requires root.\n");<br>
> + fprintf(stderr, " -t, --tty Start session on alternative tty,\n"<br>
> + " e.g. -t /dev/tty4, requires -u option.\n");<br>
> + fprintf(stderr, " -c, --compositor Start a compositor other than weston,\n"<br>
> + " e.g. -c /usr/bin/weston.\n");<br>
> + fprintf(stderr, " -v, --verbose Be verbose\n");<br>
> + fprintf(stderr, " -h, --help Display this help message\n");<br>
> }<br>
<br>
</div></div>Hi,<br>
<br>
I do not think we can do this. weston-launch is a setuid-root program,<br>
which gives the program it launches special privileges to e.g. open<br>
input devices. If we do not restrict the possible programs it can<br>
launch, anyone who can run weston-launch will be able to spy on all<br>
input devices by using weston-launch to run a spy program.<br>
<br>
If we had a trusted list of compositor binaries in trusted system<br>
paths (a la /etc/shells), then that might work, but I don't trust<br>
myself enough to say it would be a secure solution.<br>
<br>
<br>
Thanks,<br>
pq<br>
</blockquote></div><br></div>