Re: Re: the audio group
which is fine. But what if people decide to later not use logind/systemd? In what does it hurt that the first created user is *also* added to the audio group? When a user is added to the audio group. He will always see all sound devices, even when logind tries to hide the device from the user. e.g. in a multi seat setting, an user on seat0 can control the sound devices from another user on seat1. Especially now that we go to systemd as the default init system, I think it is wise to respect the systemd ACL settings. So we don't get unexpected behaviors. Thanks, floris -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/op.xksh7ona5k9...@jessica.jkfloris.demon.nl
Re: Re: the audio group
On Mon, Aug 18, 2014 at 03:24:50PM +0200, Floris wrote: which is fine. But what if people decide to later not use logind/systemd? In what does it hurt that the first created user is *also* added to the audio group? When a user is added to the audio group. He will always see all sound devices, even when logind tries to hide the device from the user. e.g. in a multi seat setting, an user on seat0 can control the sound devices from another user on seat1. And if we ignore the multi-seat stuff (which is going to be used by a *tiny* minority of users) there is no down-side. Especially now that we go to systemd as the default init system, I think it is wise to respect the systemd ACL settings. So we don't get unexpected behaviors. There are still likely going to be vastly more non-systemd users than multi-seat users. -- Steve McIntyre, Cambridge, UK.st...@einval.com Welcome my son, welcome to the machine. -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140818135234.ga14...@einval.com
Re: Re: the audio group
On Mon, Aug 18, 2014 at 02:52:34PM +0100, Steve McIntyre wrote: And if we ignore the multi-seat stuff (which is going to be used by a *tiny* minority of users) there is no down-side. There are still likely going to be vastly more non-systemd users than multi-seat users. That sure sounds likely. Perhaps there can be a README.multiseat in the systemd package that explains what changes to make for such a setup. Just because systemd is default doesn't mean everything else should stop working. -- Len Sorensen -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140818142216.gh17...@csclub.uwaterloo.ca
Re: Re: the audio group
On Mon, Aug 18, 2014 at 10:22:16AM -0400, Lennart Sorensen wrote: That sure sounds likely. Perhaps there can be a README.multiseat in the systemd package that explains what changes to make for such a setup. Just because systemd is default doesn't mean everything else should stop working. Besides all existing installs that upgrade would need to make the same changes should they choose to move to a systemd multiseat setup. -- Len Sorensen -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140818142335.gi17...@csclub.uwaterloo.ca
Re: Re: the audio group
Op Mon, 18 Aug 2014 15:52:34 +0200 schreef Steve McIntyre st...@einval.com: On Mon, Aug 18, 2014 at 03:24:50PM +0200, Floris wrote: which is fine. But what if people decide to later not use logind/systemd? In what does it hurt that the first created user is *also* added to the audio group? When a user is added to the audio group. He will always see all sound devices, even when logind tries to hide the device from the user. e.g. in a multi seat setting, an user on seat0 can control the sound devices from another user on seat1. And if we ignore the multi-seat stuff (which is going to be used by a *tiny* minority of users) there is no down-side. Especially now that we go to systemd as the default init system, I think it is wise to respect the systemd ACL settings. So we don't get unexpected behaviors. There are still likely going to be vastly more non-systemd users than multi-seat users. how about users who will login remotely? They also have full access to all the audio devices, even when they don't able to hear the music, because the speaker is on the other side of the world. But the main issue is, having two systems (groups and ACL) that control access rights for the same device give inconsistent behavior. A user can be in the audio group for sound, he doesn't have to be a member of lpadmin to use his printer. The cdrom group is only for non-out-of-the-box cd/ dvd devices etc. In the near future (systemd 215) [1] the need to be part of a group for a normal user will even be less important. So maybe we leave the situation for now and rethink about it in some time. thanks, floris [1] http://0pointer.de/blog/projects/stateless.html -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/op.xksnj5mp5k9...@jessica.jkfloris.demon.nl
Re: Re: the audio group
On Mon, Aug 18, 2014 at 05:20:19PM +0200, Floris wrote: how about users who will login remotely? They also have full access to all the audio devices, even when they don't able to hear the music, because the speaker is on the other side of the world. Remote login might be from a computer that's just on the other side of the room. -- hendrik -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140818162955.ga32...@topoi.pooq.com
Re: Re: the audio group
Quoting Steve McIntyre (st...@einval.com): On Mon, Aug 18, 2014 at 03:24:50PM +0200, Floris wrote: which is fine. But what if people decide to later not use logind/systemd? In what does it hurt that the first created user is *also* added to the audio group? When a user is added to the audio group. He will always see all sound devices, even when logind tries to hide the device from the user. e.g. in a multi seat setting, an user on seat0 can control the sound devices from another user on seat1. And if we ignore the multi-seat stuff (which is going to be used by a *tiny* minority of users) there is no down-side. I'd anyway recommend to NOT create a user during Debian installation in such multi-seat setupswhich actually also solves the problem. user-setup has a preseedable variable for this: Template: passwd/make-user Type: boolean Default: true # :sl2: _Description: Create a normal user account now? Just pressed passwd/make-user to False and you're done. I'd anyway expect multi-seat setups to use an external account database. signature.asc Description: Digital signature
Re: Re: the audio group
user-setup-apply is run in finish-install, so it can check if systemd is installed or not. The only downsides I see: * Still need to add the groups in non-systemd installations, eg freebsd, so this will be an point of difference that will need testing. * If a user chooses to remove systemd after the install, they would need to manually add the groups. -- see shy jo signature.asc Description: Digital signature
Re: Re: the audio group
Quoting Joey Hess (jo...@debian.org): user-setup-apply is run in finish-install, so it can check if systemd is installed or not. Interesting suggestion, yes. The only downsides I see: * Still need to add the groups in non-systemd installations, eg freebsd, so this will be an point of difference that will need testing. * If a user chooses to remove systemd after the install, they would need to manually add the groups. Not the groups, but the first created user to the groups, which seems reasonable to me. signature.asc Description: Digital signature
Re: Re: the audio group
Adding the first user to group audio shouldn't break any ACL management that is done by systemd-logind. It just means, the first user *always* has access to the audio device, no matter if his session is marked active for he is logged in locally. So he get's access even when e.g. logged in remotely via SSH. I'll leave that up to others to decide if that is a security issue or not. For a single user system, it probably doesn't matter. As was pointed out in another thread [1], the first user is also added to a couple of other groups. At least for the major desktop environments like GNOME or KDE, that is no longer strictly necessary. Since they use polkit nowadays: udisks(2) (removable media): obsoletes plugdev, cdrom, floppy NetworkManager (network): obsoletes netdev For video and audio, we have systemd-logind device ACLs. I dunno, if the less popular desktops still require/use those groups. [1] https://lists.debian.org/debian-boot/2014/08/msg00383.html -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Re: the audio group
On Fri, Aug 15, 2014 at 11:54:17PM +0200, Floris wrote: Can you explain what would break? Pulseaudio doesn't need/ works without the audio group. The pulseaudio mailing list [1] explains: I tend to have to kill pulseaudio to get sound working. If my user isn't in the audio group, how do my programs access the audio device? -- Len Sorensen -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140817150702.gg17...@csclub.uwaterloo.ca
Re: the audio group
Op Sun, 17 Aug 2014 17:07:02 +0200 schreef Lennart Sorensen lsore...@csclub.uwaterloo.ca: On Fri, Aug 15, 2014 at 11:54:17PM +0200, Floris wrote: Can you explain what would break? Pulseaudio doesn't need/ works without the audio group. The pulseaudio mailing list [1] explains: I tend to have to kill pulseaudio to get sound working. If my user isn't in the audio group, how do my programs access the audio device? The right permissions are set by logind through modifying the ACL. $ getfacl /dev/snd/controlC3 # file: dev/snd/controlC3 # owner: root # group: audio user::rw- user:floris:rw- # This line makes sure I can access the device. group::rw- mask::rw- other::--- So the user is able to control the device. floris -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/op.xkq08g0m5k9...@jessica.jkfloris.demon.nl
Re: Re: the audio group
Adding the first user to group audio shouldn't break any ACL management that is done by systemd-logind. logind hide/ show the audio device from the user trough the ACL. The audio group will always show all audio devices. I think these two settings are conflicting. floris -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/op.xkq3i9fu5k9...@jessica.jkfloris.demon.nl
Re: the audio group
Quoting Floris (jkflo...@dds.nl): The right permissions are set by logind through modifying the ACL. $ getfacl /dev/snd/controlC3 # file: dev/snd/controlC3 # owner: root # group: audio user::rw- user:floris:rw- # This line makes sure I can access the device. group::rw- mask::rw- other::--- So the user is able to control the device. which is fine. But what if people decide to later not use logind/systemd? In what does it hurt that the first created user is *also* added to the audio group? signature.asc Description: Digital signature
Re: the audio group
(no Cc: to answers, please) Quoting Floris (jkflo...@dds.nl): Dear Debian installation system Maintainers, I was wondering if a user is still automatically added to the audio group? Because it will break a systemd-pulseaudio-multiseat setup. From user-setup code (in user-setup-apply): if [ -n $USER ]; then db_get passwd/user-default-groups for group in $RET; do $log $chroot $ROOT adduser $USER $group /dev/null 21 || true done fi From debconf templates: # Allow preseeding the groups to which the first created user is added Template: passwd/user-default-groups Type: string Default: audio cdrom dip floppy video plugdev netdev powerdev scanner bluetooth debian-tor lpadmin Description: for internal use only In short, yes, the first created user (the only one created by D-I) is added to the audio group, among a few others. signature.asc Description: Digital signature
Re: the audio group
Op Sat, 16 Aug 2014 08:55:27 +0200 schreef Christian PERRIER bubu...@debian.org: In short, yes, the first created user (the only one created by D-I) is added to the audio group, among a few others. with systemd as the default init system. systemd/ logind sets the right permissions for the sound devices [1], so I think it is unnecessary to add somebody to the audio group. (And missing all the fancy stuff systemd brings to us.) Thanks, floris [1] $ getfacl /dev/snd/* ... # file: controlC3 # owner: root # group: audio user::rw- user:floris:rw- group::rw- mask::rw- other::--- # file: pcmC3D0p # owner: root # group: audio user::rw- user:floris:rw- group::rw- mask::rw- other::--- # file: seq # owner: root # group: audio user::rw- user:floris:rw- group::rw- mask::rw- other::--- # file: timer # owner: root # group: audio user::rw- user:floris:rw- group::rw- mask::rw- other::--- ... -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/op.xkphisv55k9...@jessica.jkfloris.demon.nl
Re: the audio group
Floris jkflo...@dds.nl (2014-08-17): Op Sat, 16 Aug 2014 08:55:27 +0200 schreef Christian PERRIER bubu...@debian.org: In short, yes, the first created user (the only one created by D-I) is added to the audio group, among a few others. with systemd as the default init system. systemd/ logind sets the right permissions for the sound devices [1], so I think it is unnecessary to add somebody to the audio group. (And missing all the fancy stuff systemd brings to us.) I don't think you have explained why having the first user in the audio group is going to be a problem? If systemd makes that unnecessary, then that's great but adding the first user to the said group isn't an issue as far as I can tell? Mraw, KiBi. signature.asc Description: Digital signature
Re: the audio group
Op Sun, 17 Aug 2014 00:45:15 +0200 schreef Cyril Brulebois k...@debian.org: Floris jkflo...@dds.nl (2014-08-17): Op Sat, 16 Aug 2014 08:55:27 +0200 schreef Christian PERRIER bubu...@debian.org: In short, yes, the first created user (the only one created by D-I) is added to the audio group, among a few others. with systemd as the default init system. systemd/ logind sets the right permissions for the sound devices [1], so I think it is unnecessary to add somebody to the audio group. (And missing all the fancy stuff systemd brings to us.) I don't think you have explained why having the first user in the audio group is going to be a problem? If systemd makes that unnecessary, then that's great but adding the first user to the said group isn't an issue as far as I can tell? Mraw, KiBi. When somebody create a multiseat setup [1] all sound devices are shown and controllable to all users. floris [1] (one computer with multiple Xservers, keyboards and mice, so multiple people can login and use the same computer) http://code.lexarcana.com/posts/simple-multiseat-setup-on-fedora-17.html -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/op.xkpjczt35k9...@jessica.jkfloris.demon.nl
Re: the audio group
with systemd as the default init system. systemd/ logind sets the right permissions for the sound devices [1], so I think it is unnecessary to add somebody to the audio group. (And missing all the fancy stuff systemd brings to us.) I don't think you have explained why having the first user in the audio group is going to be a problem? If systemd makes that unnecessary, then that's great but adding the first user to the said group isn't an issue as far as I can tell? Mraw, KiBi. to be more exact: (in human) if init = systemd; then don't add user to audio group fi so logind can set the right permissions. and maybe it would be smart to add the first user to the systemd-journal group, but that is another question. floris -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/op.xkpj36li5k9...@jessica.jkfloris.demon.nl
Re: the audio group
On Fri, Aug 15, 2014 at 08:59:37PM +0200, Floris wrote: Dear Debian installation system Maintainers, I was wondering if a user is still automatically added to the audio group? Because it will break a systemd-pulseaudio-multiseat setup. I thought it was still done. And not doing it seems like it would break all existing setups. -- Len Sorensen -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140815193509.gd17...@csclub.uwaterloo.ca
Re: the audio group
Op Fri, 15 Aug 2014 21:35:09 +0200 schreef Lennart Sorensen lsore...@csclub.uwaterloo.ca: On Fri, Aug 15, 2014 at 08:59:37PM +0200, Floris wrote: Dear Debian installation system Maintainers, I was wondering if a user is still automatically added to the audio group? Because it will break a systemd-pulseaudio-multiseat setup. I thought it was still done. And not doing it seems like it would break all existing setups. Can you explain what would break? Pulseaudio doesn't need/ works without the audio group. The pulseaudio mailing list [1] explains: ...ConsoleKit/logind should set audio device (/dev/snd/*) permissions so that only the currently active user has access to the devices. ... I don't know about the current situation, but I believe at least in the past Debian used to add users automatically to the audio group, which overrides any fancy logic that ConsoleKit/logind tries to implement. Users in the audio group always have access to all devices. Or is this a feature for Debian Pulseaudio? So when pulseaudio is installed in Debian, a user is removed from the audio group. Thanks, floris [1] http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-August/021189.html -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/op.xknlsrci5k9...@jessica.jkfloris.demon.nl