On 29/10/12 01:17, Zeke Sulastin wrote:
On Sun, Oct 28, 2012 at 4:26 AM, Dave Morgan <davemorgan353@btinternet.com> wrote:
What are the the technical reasons for group membership breaking functionality when using systemd?
With a typical desktop use case, systemd-logind's session management handles the ability to do things like use audio/video via ACLs:
$ ls -l pcmC0D0c crw-rw----+ 1 root audio 116, 5 Oct 21 13:55 pcmC0D0c
$ getfacl pcmC0D0c # file: pcmC0D0c # owner: root # group: audio user::rw- user:zekesulastin:rw- group::rw- mask::rw- other::---
==But, if I login to a different user on another tty ...==
$ getfacl pcmC0D0c # file: pcmC0D0c # owner: root # group: audio user::rw- user:cap:rw- group::rw- mask::rw- other::---
==But when I switch back to x on vt1, the acl is set back to zekesulastin even though cap is still logged in==
Adding a user to a group can cause this process to be subverted - logind can't manage who is in what group. (On audio again, in addition to the multiuser case this can also make it easier for a bad program to get around dmix/pulse if you use either.)
There ARE still cases where you would want to put the user in a group (remote logins, jackd iirc, stuff not handled by ACLs if you have such a device), but for the typical desktop use case it is unnecessary.
This is also why you have to start X on the same tty you logged in to if you're not using a DM - ck-launch-session was a workaround to that problem, but this workaround no longer exists.
So does this mean that extending the use of pre-defined groups is deprecated at best, and horribly wrong at worst? I've got all my music mounted via binds to /mnt/music so mpd can access it without needing to be able to walk the entire filesystem, and I've then added mpd to the audio group so it can access those files. It then outputs to a Pulseaudio via the network hack on the wiki[1]. I haven't had any issues, but this is essentially a single-user machine so I don't need the fast user switching abilities. Though there's no reason why I couldn't create a 'music' group, and change the permissions accordingly, if that is the more "correct" way to do things. I'm also using groups to allow very restricted non-root system administration; for example, TeXLive is installed in /opt/texlive with root:texlive and 775 permissions. [1] https://wiki.archlinux.org/index.php/Music_Player_Daemon/Tips_and_Tricks#Loc...