In case anybody is interested, I faced some trouble running a pygame 
application as a systemd service under a limited user. The application runs 
fine for 5-10 minutes, but after that the screen becomes black and pygame 
graphics are not displayed. Running as root didn’t fix the problem. The SDL 
version used is a version that I compiled myself with keyboard support 
disabled.

My guess is that this is because this call was eliminated after disabling 
keyboard support in SDL:

ioctl(keyboard_fd, VT_LOCKSWITCH, 1); /* Prevent switching the virtual terminal */

Maybe some application decides to switch the virtual terminal and another 
terminal becomes active and gets control over the framebuffer. Though I 
should note that after my screen becomes black pygame continues to execute 
the commands I give to it without any errors.

Also I believe that the problem with the text cursor blinking was due to 
this call being commented out after disabling keyboard support in SDL:

ioctl(keyboard_fd, KDSETMODE, KD_GRAPHICS);

As far as I know, one needs root rights to successfully execute these ioctl 
requests.

Taking into account all these facts I came to the conclusion that trying to 
run pygame framebuffer graphics as a limited user was a bad idea. I rebuilt 
SDL with my changes reverted and ran my test pygame application under 
systemd with root rights. The “black screen after 5-10 minutes” and 
“blinking text cursor” problems were solved.

As to security considerations, I think that the code which needs root rights 
could be isolated in a separate executable file which has root as its 
owner and has the setuid bit enabled. After that the main process running 
under a limited user could run this helper executable to get the work done.

Kind regards, Roman Mescheryakov
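
The setuid helper proposed in the last paragraph, as an added example that is not part of the original message and not SDL code. It issues only the two ioctl requests quoted above and then gives up root for good. The function names and the VT-number argument are hypothetical, and it assumes both console settings stay in effect after the helper exits.

```c
/* Added example: setuid-root console helper (hypothetical names, not SDL code). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/kd.h>
#include <linux/vt.h>

/* Accept only a VT number 1..63; the caller never supplies a device path. */
int parse_vt(const char *s)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    long n = strtol(s, &end, 10);
    return (*end == '\0' && n >= 1 && n <= 63) ? (int)n : -1;
}

/* The two privileged calls named in the post; nothing else runs as root. */
int setup_console(int fd)
{
    if (ioctl(fd, KDSETMODE, KD_GRAPHICS) < 0) return -1; /* no text cursor */
    if (ioctl(fd, VT_LOCKSWITCH, 1) < 0) return -1;       /* no VT switching */
    return 0;
}

/* Permanently give up root: group first, then user, then verify. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setresgid(gid, gid, gid) < 0 || setresuid(uid, uid, uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* root must not be regainable */
    return 0;
}

int main(int argc, char **argv)
{
    char path[32];
    int vt = (argc == 2) ? parse_vt(argv[1]) : -1;
    if (vt < 0) { fprintf(stderr, "usage: %s <vt 1-63>\n", argv[0]); return 2; }
    snprintf(path, sizeof path, "/dev/tty%d", vt);
    int fd = open(path, O_RDWR | O_NOCTTY | O_CLOEXEC);
    int rc = (fd >= 0) ? setup_console(fd) : -1;
    if (drop_privileges() < 0) return 3;
    if (rc < 0) { fprintf(stderr, "console setup failed on %s\n", path); return 1; }
    return 0;
}
```

Any user who can execute the helper can lock VT switching for the whole machine, so make it executable only by the service account's group (for example root-owned with mode 4750) instead of world-executable.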
