From: Alyssa Ross
To: Demi Marie Obenour
CC: devel@spectrum-os.org
Subject: Re: [PATCH 2/2] host/rootfs: weston: run as non-root
References: <20251209182402.872822-1-hi@alyssa.is> <20251209182402.872822-2-hi@alyssa.is>
Date: Tue, 09 Dec 2025 20:50:57 +0100
Message-ID: <878qfbjuxq.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> On 12/9/25 13:24, Alyssa Ross wrote:
>> WAYLAND_DISPLAY is moved from /run/wayland to /run/wayland/wayland
>> because the wayland user doesn't have permission to create a file in
>> /run.
>>
>> Signed-off-by: Alyssa Ross
>> ---
>> host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY | 2 +-
>> host/rootfs/image/etc/s6-linux-init/run-image/etc/group | 6 +++---
>> host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd | 1 +
>> .../etc/s6-linux-init/run-image/service/root-terminal/run | 2 ++
>> host/rootfs/image/etc/s6-rc/weston/run | 3 +++
>> 5 files changed, 10 insertions(+), 4 deletions(-)
>>
>> diff --git a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY b/h= ost/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY >> index bbd390c4..111060fc 100644 >> --- a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY >> +++ b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY >> @@ -1 +1 @@ >> -/run/wayland >> +/run/wayland/wayland >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/h= ost/rootfs/image/etc/s6-linux-init/run-image/etc/group >> index fe72eb76..019f5525 100644 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >> @@ -2,9 +2,9 @@ root:x:0:root >> clock:x:1: >> dialout:x:2: >> kmem:x:3: >> -input:x:4: >> +input:x:4:wayland >> tty:x:5: >> -video:x:6: >> +video:x:6:wayland >> render:x:7: >> sgx:x:8: >> audio:x:9: >> @@ -13,4 +13,4 @@ disk:x:11: >> cdrom:x:12: >> tape:x:13: >> kvm:x:14: >> -wayland:x:15: >> +wayland:x:15:wayland >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/= host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd >> index 29f3b252..50def56d 100644 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd >> @@ -1 +1,2 @@ >> root:x:0:0:System administrator:/:/bin/sh >> +wayland:x:15:15:Wayland compositor:/:/bin/nologin >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-= terminal/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-t= erminal/run >> index 67ccfb45..86b9a1ef 100755 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-termina= l/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-termina= l/run >> @@ -4,6 +4,8 @@ >>=20=20 >> s6-ipcserver-socketbinder -a 0700 /run/root-terminal >>=20=20 >> +if { chown wayland /run/root-terminal } >> + >> fdmove 1 3 >> s6-ipcserverd -1P >>=20=20 
>> diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/= etc/s6-rc/weston/run >> index 2674ec0b..7d10b5b4 100644 >> --- a/host/rootfs/image/etc/s6-rc/weston/run >> +++ b/host/rootfs/image/etc/s6-rc/weston/run >> @@ -34,10 +34,13 @@ backtick HOME { >> homeof $user >> } >>=20=20 >> +if { install -do wayland -g wayland -m 0770 /run/wayland } >> +if { chown wayland /dev/tty0 /dev/tty1 }
>
> Why chown and not setfacl?

Why setfacl and not chown?
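
Review bot: in run-image/etc/group, `wayland:x:15:wayland` lists the user as a member of a group that the passwd hunk already makes its primary group (`wayland:x:15:15:Wayland compositor:/:/bin/nologin`), so the membership entry is redundant and `wayland:x:15:` could stay as it was. The `input` and `video` additions are the ones that carry weight; a line in the commit message saying what weston needs from each group would make it easier to tell later whether both are still required.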
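
Review bot: in run-image/service/root-terminal/run, the added `if { chown wayland /run/root-terminal }` is not explained in the commit message, and it makes the wayland user the owner of the root-terminal socket that was just bound with `-a 0700`. As owner, the compositor account can connect to that socket and can also change its mode, so the commit message or a comment in the run script should state why the account needs it and what a process running as wayland can reach through it, given that the aim of the patch is for weston to stop running as root. If connect access is all that is required, a grant that leaves root as the owner (a group or an ACL entry) would be narrower than a change of owner.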
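
Review bot: in s6-rc/weston/run, `if { chown wayland /dev/tty0 /dev/tty1 }` changes the owner of both device nodes and nothing visible in the hunk restores it when the service stops, so the ttys stay owned by wayland after weston exits. A short comment saying why ownership of the ttys is needed, when access to the input and video devices is granted through group membership in etc/group, would settle the chown-versus-setfacl question in the file itself. The header `@@ -34,10 +34,13 @@` implies three added lines but only two are quoted, so the remaining addition, and with it the ordering of these two steps relative to the privilege drop, cannot be checked from what is shown here.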