GNU bug report logs - #25325
elogind does not set ACLs promptly

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix; Reported by: Chris Marusich <cmmarusich@HIDDEN>; dated Sun, 1 Jan 2017 23:00:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at submit <at> debbugs.gnu.org:


From: Chris Marusich <cmmarusich@HIDDEN>
To: bug-guix@HIDDEN
Subject: elogind does not set ACLs promptly
Date: Sun, 01 Jan 2017 14:58:50 -0800

Please find attached a description of the bug, which came from the
following email thread:

https://lists.gnu.org/archive/html/guix-devel/2016-12/msg01126.html


From: Chris Marusich <cmmarusich@HIDDEN>
To: ludo@HIDDEN (Ludovic Courtès)
Cc: guix-devel@HIDDEN
Subject: Re: Let non-root users use MTP devices (Attempt #2)
Date: Thu, 29 Dec 2016 16:41:10 -0800

ludo@HIDDEN (Ludovic Courtès) writes:

> Chris Marusich <cmmarusich@HIDDEN> skribis:
>
>> Chris Marusich <cmmarusich@HIDDEN> writes:
>>
>>> Here's a second attempt to fix MTP support for GuixSD.  It's simple and
>>> requires no special group permissions.
>>>
>>> It turns out that elogind (like systemd's logind) can be compiled with
>>> support for ACLs (provided by libacl), in which case elogind will
>>> automatically set an ACL on a device file granting access to a user when
>>> that user is logged in using a seat to which the device is attached.  In
>>> short, by adding acl as an input to elogind, users will be able to
>>> access devices without running programs as root, and without being a
>>> member of any special group.
>>>
>>> That's just one piece of the puzzle, though.  The other piece is the
>>> udev rules provided by libmtp.  It's necessary to install those udev
>>> rules; if we don't, then the MTP device won't be tagged properly, so
>>> elogind will not set any ACLs for it.  I've chosen to install those
>>> rules by modifying the base services in desktop.scm so that all desktops
>>> will get the rules, not just GNOME; if you know of a better way to
>>> install them, please let me know.
>>>
>>> This patch has a happy side effect.  Namely: because elogind is now
>>> setting ACLs, it gives a user access to other devices that are attached
>>> to their seat.  For instance, after this change, I can access /dev/kvm
>>> and /dev/cdrom (and other devices) without being root, and without being
>>> in any special group.  How nice!
>>
>> After sending this, I've noticed something odd: sometimes, it can take
>> quite a while for elogind to set the ACLs.  It's a bit of a mystery to
>> me.  I'm not sure how/when elogind decides to update the ACLs; I assumed
>> it was continuously checking for changes in the hardware or receiving
>> notifications about hardware changes, but it seems like elogind isn't
>> noticing when I plug in my phone.  Even though the device file shows up,
>> elogind doesn't set the ACLs unless I do something.
>>
>> By "do something," I mean: Apparently, logging out and logging back in
>> seems to trigger elogind to set the ACLs.  Even just switching virtual
>> terminals (i.e., Control + F1, followed by Control + F7) seems to
>> trigger it, which is weird.  Even when elogind has not yet set the ACLs,
>> the "uaccess" tag has in fact been correctly set for the device (as
>> reported by e.g. "udevadm info /dev/libmtp-1-1"), which leads me to
>> suspect that elogind is either failing to notice or just ignoring the
>> hardware change.  I wonder if this might be a bug of some kind.
>>
>> What do you think we should do?
>
> Good question!  I don’t know.  Does this happen only for MTP devices or
> also with other things (KVM?)?

Yes, this happens for other devices, too.  For example, I observe
exactly the same behavior for /dev/sr0 when I plug in an external CD-ROM
drive (via USB cable) after logging in.  The ACL doesn't get set until
after I do something like switch to another virtual terminal and back.

> Does “udevadm settle” trigger the ACL change?

No, neither "udevadm settle" nor "sudo udevadm settle" triggers the ACL
change.  I suspect that maybe elogind is ignoring or failing to notice
the new device, or perhaps the mechanism that elogind relies on to learn
about new devices is not working for some reason.

It looks like elogind sets the ACLs via devnode_acl_all, defined in
src/login/logind-acl.c.  Ultimately it seems this gets called while in
seat_set_active (specifically, invoked at src/login/logind-seat.c:213),
under certain conditions.  That's as far as I got.

I cannot reproduce this issue on Ubuntu; there, the ACL gets set
promptly.

-- 
Chris


Acknowledgement sent to Chris Marusich <cmmarusich@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#25325; Package guix. Full text available.
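
The symptom described in the report (a device node that udev has tagged "uaccess" but that has no ACL entry for the logged-in user until a VT switch) can be told apart from a missing tag with a short check. This is an added example, not part of the original report or of elogind; the function names are hypothetical, and the sample udevadm/getfacl text and the user name are constructed.

```shell
#!/bin/sh
# Added example (not from the report): tell "tagged but ACL not yet applied"
# apart from "not tagged" and "access granted".

# True if udev property text carries the uaccess tag, e.g. TAGS=:uaccess:seat:
has_uaccess_tag() {
    printf '%s\n' "$1" | grep -Eq '^(E: )?(CURRENT_)?TAGS=.*:uaccess:'
}

# True if getfacl text has a named-user entry for $2 whose effective rights
# include read and write (a restrictive mask shows up as "#effective:").
acl_grants_user() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == "user" && $2 == u {
            p = $3
            if ($0 ~ /#effective:/) p = $NF
            if (p ~ /^rw/) found = 1
        }
        END { exit !found }'
}

# classify UDEV_TEXT ACL_TEXT USER  ->  untagged | granted | missing-acl
classify() {
    if ! has_uaccess_tag "$1"; then echo untagged
    elif acl_grants_user "$2" "$3"; then echo granted
    else echo missing-acl   # the state the report describes
    fi
}

# Constructed samples: property output for a tagged device, and its ACL
# before and after the seat becomes active again.
UDEV_SAMPLE='DEVNAME=/dev/bus/usb/001/005
DEVLINKS=/dev/libmtp-1-1
TAGS=:uaccess:seat:'
ACL_BEFORE='user::rw-
group::rw-
other::r--'
ACL_AFTER='user::rw-
user:chris:rw-
group::rw-
mask::rw-
other::r--'

# Live mode: pass a device node to query the running system instead.
if [ $# -ge 1 ]; then
    classify "$(udevadm info --query=property --name="$1")" \
             "$(getfacl -c "$1" 2>/dev/null)" "$(id -un)"
fi
```

Run with a device path (for example the /dev/sr0 node mentioned above) right after plugging the device in, and again after switching virtual terminals, to see the state change from missing-acl to granted.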
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.