Demi Marie Obenour writes: > On 12/9/25 05:59, Alyssa Ross wrote: >> On Tue, Dec 09, 2025 at 05:55:22AM -0500, Demi Marie Obenour wrote: >>> On 12/9/25 03:56, Alyssa Ross wrote: >>>> This will allow clients running as unprivileged users to connect to >>>> the compositor. >>>> >>>> Signed-off-by: Alyssa Ross >>>> --- >>>> host/rootfs/image/etc/s6-linux-init/run-image/etc/group | 1 + >>>> host/rootfs/image/etc/s6-rc/weston/run | 5 +++++ >>>> 2 files changed, 6 insertions(+) >>>> >>>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >>>> index e3ade46..fe72eb7 100644 >>>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >>>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >>>> @@ -13,3 +13,4 @@ disk:x:11: >>>> cdrom:x:12: >>>> tape:x:13: >>>> kvm:x:14: >>>> +wayland:x:15: >>>> diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run >>>> index aa1e7b6..7cb182f 100644 >>>> --- a/host/rootfs/image/etc/s6-rc/weston/run >>>> +++ b/host/rootfs/image/etc/s6-rc/weston/run 
>>>> @@ -20,4 +20,9 @@ importas -i home HOME >>>> cd $home >>>> if { udevadm wait /dev/dri/card0 } >>>> unshare --cgroup --ipc --net --uts >>>> + >>>> +s6-envuidgid root >>>> +s6-envuidgid -g wayland >>>> +s6-applyuidgid -Uz >>>> +umask 002 >>>> weston -S $WAYLAND_DISPLAY >>> >>> Can the socket be chmod'd after Weston starts? Running with 002 >>> umask is not great. >> >> If we use sd-notify-adapter, then I think so, but it wouldn't be very >> nice. > > Using sd-notify-adapter is probably a good idea anyway, so that nothing > tries to connect to the socket before it is there to connect to. Oh, right, we actually already have readiness notification via /etc/xdg/weston/autolaunch. It won't run as root soon, but we could wait for that in the run script and do the chmod there. >> What's the problem with umask 002? > > It means that any files created by the service are group-writable and > world-readable, which is almost never what one wants. It means that > the service can't even trust a file it itself created.
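Review bot: In the etc/group hunk, `wayland:x:15:` is added with an empty member list, and nothing in the patch shows how an unprivileged client comes to hold that group. The commit message promises that such clients can connect, so it should say where membership is assigned (a supplementary group set by whatever launches the client, or entries added here later). Otherwise the socket's group bits have no visible consumer and a reader cannot tell who is meant to get access.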
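Review bot: In the weston/run hunk, `umask 002` is placed directly before `weston -S $WAYLAND_DISPLAY`, so it governs every file the compositor creates for its whole lifetime, not just the Wayland socket. Anything else it writes becomes group-writable by `wayland` and world-readable. Consider keeping a restrictive umask and changing the mode of the socket alone once it exists. A one-line comment above the `s6-envuidgid root` / `s6-envuidgid -g wayland` pair saying which uid and gid the process ends up with would also help the next reader.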
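The trade-off discussed in this thread, as an added example that is not part of the original messages or the project's code: a stand-in service binds a Unix socket and writes one other file, first under umask 002, then under umask 077 with the socket alone changed to 0660 afterwards. The file names and the `start_service` helper are hypothetical, and the group change to `wayland` is left out because that group only exists on the target system.

```python
import os
import socket
import stat
import tempfile


def mode(path):
    """Permission bits of path, without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def start_service(workdir, umask):
    """Stand-in for the compositor: create a socket and one ordinary file."""
    old = os.umask(umask)
    try:
        sock_path = os.path.join(workdir, "wayland-0")   # constructed name
        state_path = os.path.join(workdir, "state.log")  # hypothetical file
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)          # socket node is created here
        srv.listen(1)
        with open(state_path, "w") as f:
            f.write("started\n")
        srv.close()                  # the node stays until it is unlinked
        return sock_path, state_path
    finally:
        os.umask(old)


def compare():
    """Return (wide, narrow) permission bits for the two approaches."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        # Approach in the patch: loosen the umask for the whole process.
        sock, state = start_service(a, 0o002)
        wide = {"socket": mode(sock), "state": mode(state)}

        # Alternative raised in review: tight umask, then open up only the
        # socket once the service is ready (a chgrp would accompany this).
        sock, state = start_service(b, 0o077)
        os.chmod(sock, 0o660)
        narrow = {"socket": mode(sock), "state": mode(state)}
    return wide, narrow


if __name__ == "__main__":
    for name, result in zip(("umask 002", "umask 077 + chmod"), compare()):
        print(name, {k: oct(v) for k, v in result.items()})
```
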