[arch-general] systemd and local group membership

Robbie Smith zoqaeski at gmail.com
Sun Oct 28 22:27:34 EDT 2012


On 29/10/12 01:17, Zeke Sulastin wrote:
> On Sun, Oct 28, 2012 at 4:26 AM, Dave Morgan
> <davemorgan353 at btinternet.com> wrote:
>> What are the technical reasons for group membership breaking
>> functionality when using systemd?
>
> With a typical desktop use case, systemd-logind's session management
> handles the ability to do things like use audio/video via ACLs:
>
> $ ls -l pcmC0D0c
> crw-rw----+ 1 root audio 116, 5 Oct 21 13:55 pcmC0D0c
>
> $ getfacl pcmC0D0c
> # file: pcmC0D0c
> # owner: root
> # group: audio
> user::rw-
> user:zekesulastin:rw-
> group::rw-
> mask::rw-
> other::---
>
> ==But, if I login to a different user on another tty ...==
>
> $ getfacl pcmC0D0c
> # file: pcmC0D0c
> # owner: root
> # group: audio
> user::rw-
> user:cap:rw-
> group::rw-
> mask::rw-
> other::---
>
> ==But when I switch back to x on vt1, the acl is set back to
> zekesulastin even though cap is still logged in==
>
> Adding a user to a group can cause this process to be subverted -
> logind can't manage who is in what group.  (On audio again, in
> addition to the multiuser case this can also make it easier for a bad
> program to get around dmix/pulse if you use either.)
>
> There ARE still cases where you would want to put the user in a group
> (remote logins, jackd iirc, stuff not handled by ACLs if you have such
> a device), but for the typical desktop use case it is unnecessary.
>
> This is also why you have to start X on the same tty you logged in to
> if you're not using a DM - ck-launch-session was a workaround to that
> problem, but this workaround no longer exists.
>
So does this mean that extending the use of pre-defined groups is 
deprecated at best, and horribly wrong at worst?

I've got all my music mounted via binds to /mnt/music so mpd can access 
it without needing to be able to walk the entire filesystem, and I've 
then added mpd to the audio group so it can access those files. It then 
outputs to a Pulseaudio via the network hack on the wiki[1].

I haven't had any issues, but this is essentially a single-user machine 
so I don't need the fast user switching abilities. Though there's no 
reason why I couldn't create a 'music' group, and change the permissions 
accordingly, if that is the more "correct" way to do things.

I'm also using groups to allow very restricted non-root system 
administration; for example, TeXLive is installed in /opt/texlive with 
root:texlive and 775 permissions.

[1] 
https://wiki.archlinux.org/index.php/Music_Player_Daemon/Tips_and_Tricks#Local_.28with_separate_mpd_user.29
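Added worked example (not part of the thread or any Arch project code): a small Python model of the POSIX ACL access check, run over the kind of `getfacl` output quoted above. It makes Zeke's point concrete: logind grants the active seat user access by swapping the `user:NAME:rw-` entry, while a static group membership such as mpd in `audio` matches the `group::rw-` entry and is never touched by that swap. The account list, the mpd user's groups and the `with_active_user` helper that imitates logind's entry swap are constructed assumptions for the demonstration.

```python
"""Model the Linux/POSIX.1e ACL permission check over getfacl(1) output.

Constructed example: the ACL on /dev/snd/pcmC0D0c as quoted in the thread,
plus a hypothetical set of accounts, to show which users can open the
device read/write before and after logind moves the seat to another user.
"""
import copy
import re

# Constructed sample: getfacl output while zekesulastin holds the active seat.
SAMPLE_GETFACL = """\
# file: pcmC0D0c
# owner: root
# group: audio
user::rw-
user:zekesulastin:rw-
group::rw-
mask::rw-
other::---
"""

# Constructed accounts (user -> supplementary groups). mpd has been added to
# the audio group statically, as in the original poster's setup.
SAMPLE_ACCOUNTS = {
    "zekesulastin": {"users", "wheel"},
    "cap": {"users"},
    "mpd": {"audio"},
}


def parse_getfacl(text):
    """Parse a getfacl long listing into its owner, group and ACL entries."""
    acl = {"owner": None, "group": None, "user_obj": "", "group_obj": "",
           "named_users": {}, "named_groups": {}, "mask": None, "other": ""}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Header lines: "# file:", "# owner:", "# group:"; only the last two matter.
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        if line.startswith("default:"):
            continue  # directory default entries do not affect access to the object itself
        entry = line.split("#", 1)[0].strip()  # drop a trailing "#effective:..." note
        tag, qualifier, perms = entry.split(":", 2)
        if tag == "user":
            (acl["named_users"].__setitem__(qualifier, perms) if qualifier
             else acl.__setitem__("user_obj", perms))
        elif tag == "group":
            (acl["named_groups"].__setitem__(qualifier, perms) if qualifier
             else acl.__setitem__("group_obj", perms))
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
        else:
            raise ValueError("unknown ACL tag: " + tag)
    return acl


def _bits(perms):
    """'rw-' -> {'r', 'w'}."""
    return {c for c in perms if c in "rwx"}


def acl_permits(acl, user, groups, want):
    """Return True if USER (member of GROUPS) gets every permission in WANT.

    Same order as the kernel's posix_acl_permission(): owner entry, then a
    named user entry, then the owning group and named group entries (any one
    that grants the whole request suffices), then other. The mask caps every
    class except owner and other. Once a group entry matched, other is not
    consulted even if no group entry granted the request.
    """
    want = _bits(want)
    mask = _bits(acl["mask"]) if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:
        return want <= _bits(acl["user_obj"])
    if user in acl["named_users"]:
        return want <= (_bits(acl["named_users"][user]) & mask)
    matching = []
    if acl["group"] in groups:
        matching.append(acl["group_obj"])
    matching += [p for g, p in acl["named_groups"].items() if g in groups]
    if matching:
        return any(want <= (_bits(p) & mask) for p in matching)
    return want <= _bits(acl["other"])


def with_active_user(acl, user):
    """Hypothetical model of logind switching seats: only the named user entry changes."""
    switched = copy.deepcopy(acl)
    switched["named_users"] = {user: "rw-"}
    return switched


def who_can_open_rw(acl, accounts):
    """Map each account to whether it may open the device read/write."""
    return {u: acl_permits(acl, u, groups, "rw") for u, groups in accounts.items()}


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("seat held by zekesulastin:", who_can_open_rw(acl, SAMPLE_ACCOUNTS))
    print("seat switched to cap:     ", who_can_open_rw(with_active_user(acl, "cap"), SAMPLE_ACCOUNTS))
```

Running it shows `cap` losing and gaining access as the seat moves, while `mpd` stays at True in both states because its access comes from `group::rw-` rather than from an entry logind manages; that is the "subverted" path Zeke describes.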

