On 12/8/25 16:16, Alyssa Ross wrote: > Xwayland only accepts connections from the user it's running as. It > is started by wayland-proxy-virtwl, which does not allow passing extra > options, so we can't change its authentication method. > > Therefore, the only way for X11 to work with the current software is > to run wayland-proxy-virtwl as the same user as the application. > > I expect that in the near future, we will use xwayland-satellite > instead of the built-in Xwayland translation in wayland-proxy-virtwl. > When that happens, we can run the stub compositor as its own user > again. > > Fixes: cb27e3a ("img/app: wayland-proxy-virtwl: run as non-root") > Signed-off-by: Alyssa Ross > --- > img/app/image/etc/group | 1 - > img/app/image/etc/mdev.conf | 2 +- > img/app/image/etc/passwd | 1 - > img/app/image/etc/s6-rc/wayland-proxy-virtwl/run | 2 +- > 4 files changed, 2 insertions(+), 4 deletions(-) > > diff --git a/img/app/image/etc/group b/img/app/image/etc/group > index b2c3a2e..e84da60 100644 > --- a/img/app/image/etc/group > +++ b/img/app/image/etc/group > @@ -1,4 +1,3 @@ > -wayland:x:1:wayland > wireplumber:x:2:wireplumber > pipewire:x:3:pipewire > user:x:1000:user > diff --git a/img/app/image/etc/mdev.conf b/img/app/image/etc/mdev.conf > index d4cd825..33a07d6 100644 > --- a/img/app/image/etc/mdev.conf > +++ b/img/app/image/etc/mdev.conf > @@ -4,7 +4,7 @@ > -$MODALIAS=.* 0:0 0 ! +importas -Siu MODALIAS modprobe -q $MODALIAS > $INTERFACE=.* 0:0 0 ! +/etc/mdev/iface > $MODALIAS=virtio:d0000001Av.* 0:0 0 ! +/etc/mdev/virtiofs > -dri/card0 wayland:wayland 660 +background { /etc/mdev/listen card0 } > +dri/card0 user:user 660 +background { /etc/mdev/listen card0 } > > -SUBSYSTEM=sound;.* pipewire:pipewire 660 > snd/controlC0 pipewire:pipewire 660 +background { /etc/mdev/listen controlC0 } > diff --git a/img/app/image/etc/passwd b/img/app/image/etc/passwd > index 08324b0..425908e 100644 > --- a/img/app/image/etc/passwd > +++ b/img/app/image/etc/passwd 
> @@ -1,5 +1,4 @@ > root:x:0:0:System administrator:/run/root:/bin/sh > -wayland:x:1:1:wayland-proxy-virtwl service user:/:/usr/bin/nologin > wireplumber:x:2:2:WirePlumber service user:/:/usr/bin/nologin > pipewire:x:3:3:PipeWire service user:/:/usr/bin/nologin > user:x:1000:1000:Spectrum application user:/home/user:/bin/sh > diff --git a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run > index 86d7f63..5d06b7a 100755 > --- a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run > +++ b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run > @@ -26,6 +26,6 @@ export LISTEN_FDS 2 > export LISTEN_FDNAMES wayland:x11 > getpid LISTEN_PID > > -s6-setuidgid wayland > +s6-setuidgid user > > wayland-proxy-virtwl --virtio-gpu --x-display=0 > > base-commit: 5104fa720ce8b00612c5487fc47124fbf99e58c6 Might as well also make /tmp/.X11-unix and friends only accessible by "user". -- Sincerely, Demi Marie Obenour (she/her/hers)
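Review bot: In the img/app/image/etc/mdev.conf hunk, the changed line `dri/card0 user:user 660` gives the DRM node to the same account the application runs as, so with mode 660 the application can open card0 directly instead of reaching the GPU only through wayland-proxy-virtwl. The commit message explains why the proxy has to share the application's user but does not mention this side effect. It would be worth stating it there, and noting that the ownership should move back to a dedicated account when the stub compositor gets its own user again.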
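Review bot: In the img/app/image/etc/s6-rc/wayland-proxy-virtwl/run hunk, `s6-setuidgid user` has no comment explaining why the service runs under the application's account, although the commit message describes this as temporary until xwayland-satellite is used. A short comment above that line naming the Xwayland same-user restriction would keep the reason next to the code and make it obvious later that this should return to a dedicated user, which the removal of the `wayland` entries from passwd and group otherwise makes easy to forget.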