[PATCH 1/2] host/rootfs: add root-terminal s6-sudod service

[PATCH 1/2] host/rootfs: add root-terminal s6-sudod service

[Alyssa Ross]

This will be needed as an interim measure to allow Weston itself to be
run as non-root, without the user losing access to root entirely in
the graphical environment.  Currently, only root can access this
service, so it's redundant, but we can later make the socket
accessible to Weston's user.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 host/rootfs/file-list.mk                          |  3 +++
 .../service/root-terminal/notification-fd         |  1 +
 .../service/root-terminal/notification-fd.license |  2 ++
 .../run-image/service/root-terminal/run           | 15 +++++++++++++++
 host/rootfs/image/etc/xdg/weston/weston.ini       |  4 ++--
 host/rootfs/image/usr/bin/root-terminal           |  5 +++++
 6 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/notification-fd
 create mode 100644 host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/notification-fd.license
 create mode 100755 host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
 create mode 100755 host/rootfs/image/usr/bin/root-terminal

diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk
index 6ab78e6b..f69775d2 100644
--- a/host/rootfs/file-list.mk
+++ b/host/rootfs/file-list.mk
@@ -15,6 +15,8 @@ FILES = \
 	image/etc/s6-linux-init/run-image/service/getty-tty2/run \
 	image/etc/s6-linux-init/run-image/service/getty-tty3/run \
 	image/etc/s6-linux-init/run-image/service/getty-tty4/run \
+	image/etc/s6-linux-init/run-image/service/root-terminal/notification-fd \
+	image/etc/s6-linux-init/run-image/service/root-terminal/run \
 	image/etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/notification-fd \
 	image/etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/run \
 	image/etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd \
@@ -54,6 +56,7 @@ FILES = \
 	image/etc/xdg/weston/weston.ini \
 	image/usr/bin/assign-devices \
 	image/usr/bin/create-vm-dependencies \
+	image/usr/bin/root-terminal \
 	image/usr/bin/run-appimage \
 	image/usr/bin/run-flatpak \
 	image/usr/bin/run-vmm \
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/notification-fd b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/notification-fd
new file mode 100644
index 00000000..00750edc
--- /dev/null
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/notification-fd
@@ -0,0 +1 @@
+3
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/notification-fd.license b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/notification-fd.license
new file mode 100644
index 00000000..0d3d47ca
--- /dev/null
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/notification-fd.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: CC0-1.0
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
new file mode 100755
index 00000000..67ccfb45
--- /dev/null
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
@@ -0,0 +1,15 @@
+#!/bin/execlineb -PW
+# SPDX-License-Identifier: EUPL-1.2+
+# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
+
+s6-ipcserver-socketbinder -a 0700 /run/root-terminal
+
+fdmove 1 3
+s6-ipcserverd -1P
+
+exec -c
+/bin/export PATH /usr/bin
+/bin/export WAYLAND_DISPLAY ""
+s6-sudod
+cd /
+weston-terminal
diff --git a/host/rootfs/image/etc/xdg/weston/weston.ini b/host/rootfs/image/etc/xdg/weston/weston.ini
index a1f630cf..a4763c6d 100644
--- a/host/rootfs/image/etc/xdg/weston/weston.ini
+++ b/host/rootfs/image/etc/xdg/weston/weston.ini
@@ -6,8 +6,8 @@ path=/etc/xdg/weston/autolaunch
 
 [launcher]
 icon=/usr/share/weston/icon_terminal.png
-displayname=Terminal
-path=/bin/weston-terminal
+displayname=Root Terminal
+path=/bin/root-terminal
 
 [launcher]
 icon=/usr/share/icons/hicolor/20x20/apps/com.system76.CosmicFiles.png
diff --git a/host/rootfs/image/usr/bin/root-terminal b/host/rootfs/image/usr/bin/root-terminal
new file mode 100755
index 00000000..4f2874d1
--- /dev/null
+++ b/host/rootfs/image/usr/bin/root-terminal
@@ -0,0 +1,5 @@
+#!/bin/execlineb -Ws0
+# SPDX-License-Identifier: EUPL-1.2+
+# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
+
+s6-sudo -- /run/root-terminal $@
-- 
2.51.0

[PATCH 2/2] host/rootfs: weston: run as non-root

[Alyssa Ross]

WAYLAND_DISPLAY is moved from /run/wayland to /run/wayland/wayland
because the wayland user doesn't have permission to create a file in
/run.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY     | 2 +-
 host/rootfs/image/etc/s6-linux-init/run-image/etc/group     | 6 +++---
 host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd    | 1 +
 .../etc/s6-linux-init/run-image/service/root-terminal/run   | 2 ++
 host/rootfs/image/etc/s6-rc/weston/run                      | 3 +++
 5 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
index bbd390c4..111060fc 100644
--- a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
+++ b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
@@ -1 +1 @@
-/run/wayland
+/run/wayland/wayland
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
index fe72eb76..019f5525 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
@@ -2,9 +2,9 @@ root:x:0:root
 clock:x:1:
 dialout:x:2:
 kmem:x:3:
-input:x:4:
+input:x:4:wayland
 tty:x:5:
-video:x:6:
+video:x:6:wayland
 render:x:7:
 sgx:x:8:
 audio:x:9:
@@ -13,4 +13,4 @@ disk:x:11:
 cdrom:x:12:
 tape:x:13:
 kvm:x:14:
-wayland:x:15:
+wayland:x:15:wayland
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
index 29f3b252..50def56d 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
@@ -1 +1,2 @@
 root:x:0:0:System administrator:/:/bin/sh
+wayland:x:15:15:Wayland compositor:/:/bin/nologin
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
index 67ccfb45..86b9a1ef 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
@@ -4,6 +4,8 @@
 
 s6-ipcserver-socketbinder -a 0700 /run/root-terminal
 
+if { chown wayland /run/root-terminal }
+
 fdmove 1 3
 s6-ipcserverd -1P
 
diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
index 2674ec0b..7d10b5b4 100644
--- a/host/rootfs/image/etc/s6-rc/weston/run
+++ b/host/rootfs/image/etc/s6-rc/weston/run
@@ -34,10 +34,13 @@ backtick HOME {
   homeof $user
 }
 
+if { install -do wayland -g wayland -m 0770 /run/wayland }
+if { chown wayland /dev/tty0 /dev/tty1 }
 redirfd -r 0 /dev/tty1
 
 importas -i home HOME
 cd $home
 if { udevadm wait /dev/dri/card0 }
 unshare --cgroup --ipc --net --uts
+s6-setuidgid wayland
 weston -S $WAYLAND_DISPLAY
-- 
2.51.0

Re: [PATCH 2/2] host/rootfs: weston: run as non-root

[Demi Marie Obenour]

[-- Attachment #1.1.1: Type: text/plain, Size: 3286 bytes --]

On 12/9/25 13:24, Alyssa Ross wrote:
> WAYLAND_DISPLAY is moved from /run/wayland to /run/wayland/wayland
> because the wayland user doesn't have permission to create a file in
> /run.
> 
> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> ---
>  host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY     | 2 +-
>  host/rootfs/image/etc/s6-linux-init/run-image/etc/group     | 6 +++---
>  host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd    | 1 +
>  .../etc/s6-linux-init/run-image/service/root-terminal/run   | 2 ++
>  host/rootfs/image/etc/s6-rc/weston/run                      | 3 +++
>  5 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
> index bbd390c4..111060fc 100644
> --- a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
> +++ b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
> @@ -1 +1 @@
> -/run/wayland
> +/run/wayland/wayland
> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
> index fe72eb76..019f5525 100644
> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
> @@ -2,9 +2,9 @@ root:x:0:root
>  clock:x:1:
>  dialout:x:2:
>  kmem:x:3:
> -input:x:4:
> +input:x:4:wayland
>  tty:x:5:
> -video:x:6:
> +video:x:6:wayland
>  render:x:7:
>  sgx:x:8:
>  audio:x:9:
> @@ -13,4 +13,4 @@ disk:x:11:
>  cdrom:x:12:
>  tape:x:13:
>  kvm:x:14:
> -wayland:x:15:
> +wayland:x:15:wayland
> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
> index 29f3b252..50def56d 100644
> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
> @@ -1 +1,2 @@
>  root:x:0:0:System administrator:/:/bin/sh
> +wayland:x:15:15:Wayland compositor:/:/bin/nologin
> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
> index 67ccfb45..86b9a1ef 100755
> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
> @@ -4,6 +4,8 @@
>  
>  s6-ipcserver-socketbinder -a 0700 /run/root-terminal
>  
> +if { chown wayland /run/root-terminal }
> +
>  fdmove 1 3
>  s6-ipcserverd -1P
>  
> diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
> index 2674ec0b..7d10b5b4 100644
> --- a/host/rootfs/image/etc/s6-rc/weston/run
> +++ b/host/rootfs/image/etc/s6-rc/weston/run
> @@ -34,10 +34,13 @@ backtick HOME {
>    homeof $user
>  }
>  
> +if { install -do wayland -g wayland -m 0770 /run/wayland }
> +if { chown wayland /dev/tty0 /dev/tty1 }

Why chown and not setfacl?

>  redirfd -r 0 /dev/tty1
>  
>  importas -i home HOME
>  cd $home
>  if { udevadm wait /dev/dri/card0 }
>  unshare --cgroup --ipc --net --uts
> +s6-setuidgid wayland
>  weston -S $WAYLAND_DISPLAY


-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH 2/2] host/rootfs: weston: run as non-root

[Alyssa Ross]

[-- Attachment #1: Type: text/plain, Size: 3186 bytes --]

Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 12/9/25 13:24, Alyssa Ross wrote:
>> WAYLAND_DISPLAY is moved from /run/wayland to /run/wayland/wayland
>> because the wayland user doesn't have permission to create a file in
>> /run.
>> 
>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> ---
>>  host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY     | 2 +-
>>  host/rootfs/image/etc/s6-linux-init/run-image/etc/group     | 6 +++---
>>  host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd    | 1 +
>>  .../etc/s6-linux-init/run-image/service/root-terminal/run   | 2 ++
>>  host/rootfs/image/etc/s6-rc/weston/run                      | 3 +++
>>  5 files changed, 10 insertions(+), 4 deletions(-)
>> 
>> diff --git a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
>> index bbd390c4..111060fc 100644
>> --- a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
>> +++ b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
>> @@ -1 +1 @@
>> -/run/wayland
>> +/run/wayland/wayland
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
>> index fe72eb76..019f5525 100644
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
>> @@ -2,9 +2,9 @@ root:x:0:root
>>  clock:x:1:
>>  dialout:x:2:
>>  kmem:x:3:
>> -input:x:4:
>> +input:x:4:wayland
>>  tty:x:5:
>> -video:x:6:
>> +video:x:6:wayland
>>  render:x:7:
>>  sgx:x:8:
>>  audio:x:9:
>> @@ -13,4 +13,4 @@ disk:x:11:
>>  cdrom:x:12:
>>  tape:x:13:
>>  kvm:x:14:
>> -wayland:x:15:
>> +wayland:x:15:wayland
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>> index 29f3b252..50def56d 100644
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>> @@ -1 +1,2 @@
>>  root:x:0:0:System administrator:/:/bin/sh
>> +wayland:x:15:15:Wayland compositor:/:/bin/nologin
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
>> index 67ccfb45..86b9a1ef 100755
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
>> @@ -4,6 +4,8 @@
>>  
>>  s6-ipcserver-socketbinder -a 0700 /run/root-terminal
>>  
>> +if { chown wayland /run/root-terminal }
>> +
>>  fdmove 1 3
>>  s6-ipcserverd -1P
>>  
>> diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
>> index 2674ec0b..7d10b5b4 100644
>> --- a/host/rootfs/image/etc/s6-rc/weston/run
>> +++ b/host/rootfs/image/etc/s6-rc/weston/run
>> @@ -34,10 +34,13 @@ backtick HOME {
>>    homeof $user
>>  }
>>  
>> +if { install -do wayland -g wayland -m 0770 /run/wayland }
>> +if { chown wayland /dev/tty0 /dev/tty1 }
>
> Why chown and not setfacl?

Why setfacl and not chown?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: [PATCH 2/2] host/rootfs: weston: run as non-root

[Demi Marie Obenour]

[-- Attachment #1.1.1: Type: text/plain, Size: 1771 bytes --]

On 12/9/25 14:50, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
> 
>> On 12/9/25 13:24, Alyssa Ross wrote:

(snip)

>>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>>> index 29f3b252..50def56d 100644
>>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>>> @@ -1 +1,2 @@
>>>  root:x:0:0:System administrator:/:/bin/sh
>>> +wayland:x:15:15:Wayland compositor:/:/bin/nologin
>>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
>>> index 67ccfb45..86b9a1ef 100755
>>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
>>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
>>> @@ -4,6 +4,8 @@
>>>  
>>>  s6-ipcserver-socketbinder -a 0700 /run/root-terminal
>>>  
>>> +if { chown wayland /run/root-terminal }
>>> +
>>>  fdmove 1 3
>>>  s6-ipcserverd -1P
>>>  
>>> diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
>>> index 2674ec0b..7d10b5b4 100644
>>> --- a/host/rootfs/image/etc/s6-rc/weston/run
>>> +++ b/host/rootfs/image/etc/s6-rc/weston/run
>>> @@ -34,10 +34,13 @@ backtick HOME {
>>>    homeof $user
>>>  }
>>>  
>>> +if { install -do wayland -g wayland -m 0770 /run/wayland }
>>> +if { chown wayland /dev/tty0 /dev/tty1 }
>>
>> Why chown and not setfacl?
> 
> Why setfacl and not chown?

Having a real device node owned by non-root is weird, and systemd-udevd
uses ACLs.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH 2/2] host/rootfs: weston: run as non-root

[Alyssa Ross]

[-- Attachment #1: Type: text/plain, Size: 1976 bytes --]

Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 12/9/25 14:50, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>> 
>>> On 12/9/25 13:24, Alyssa Ross wrote:
>
> (snip)
>
>>>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>>>> index 29f3b252..50def56d 100644
>>>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>>>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>>>> @@ -1 +1,2 @@
>>>>  root:x:0:0:System administrator:/:/bin/sh
>>>> +wayland:x:15:15:Wayland compositor:/:/bin/nologin
>>>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
>>>> index 67ccfb45..86b9a1ef 100755
>>>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
>>>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
>>>> @@ -4,6 +4,8 @@
>>>>  
>>>>  s6-ipcserver-socketbinder -a 0700 /run/root-terminal
>>>>  
>>>> +if { chown wayland /run/root-terminal }
>>>> +
>>>>  fdmove 1 3
>>>>  s6-ipcserverd -1P
>>>>  
>>>> diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
>>>> index 2674ec0b..7d10b5b4 100644
>>>> --- a/host/rootfs/image/etc/s6-rc/weston/run
>>>> +++ b/host/rootfs/image/etc/s6-rc/weston/run
>>>> @@ -34,10 +34,13 @@ backtick HOME {
>>>>    homeof $user
>>>>  }
>>>>  
>>>> +if { install -do wayland -g wayland -m 0770 /run/wayland }
>>>> +if { chown wayland /dev/tty0 /dev/tty1 }
>>>
>>> Why chown and not setfacl?
>> 
>> Why setfacl and not chown?
>
> Having a real device node owned by non-root is weird, and systemd-udevd
> uses ACLs.

It's not that weird… /dev/tty1 is owned by the user I'm logged in as on
my NixOS system, and I haven't done anything special to make that
happen.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: [PATCH 1/2] host/rootfs: add root-terminal s6-sudod service

[Alyssa Ross]

This patch has been committed as 4f75e6cd2b213f55cca3000eebaca3d003588887,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=4f75e6cd2b213f55cca3000eebaca3d003588887.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

Re: [PATCH 2/2] host/rootfs: weston: run as non-root

[Alyssa Ross]

This patch has been committed as b26f59e2a9067a1e4358f0a079c33f76aff1602f,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=b26f59e2a9067a1e4358f0a079c33f76aff1602f.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>