You are not logged in.

#1 2012-10-27 21:41:17

Antoine
Member
From: Picton Ontario
Registered: 2012-10-11
Posts: 90

systemd -- remove user from certain groups?

I note a newish note in the wiki entry regarding systemd:

Note: Adding your user to groups (optical, audio, scanner, ...) is not necessary with systemd. It might even break the wanted functionality if you do so.

I set up my system before I moved to systemd and before this note was added; I  have a working "pure" systemd system; should I now remove my user from those groups?

FWIW, I don't have an optical drive or scanner attached, and the audio seems to work just fine (with XBMC, 5.1, HDMI and all through alsa).

Offline

#2 2012-10-27 21:48:35

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,537

Re: systemd -- remove user from certain groups?

I was curious about this as well, so I tried it. My user is only in group "users" and everything works just as well as it did before.

Offline

#3 2012-10-27 21:55:09

65kid
Member
From: Germany
Registered: 2011-01-26
Posts: 663

Re: systemd -- remove user from certain groups?

you don't even need "users". If you are in a local logind/ConsoleKit session everything should work fine. What you may however still need are groups like "sudo" or "vboxusers", depending on your use case.

Offline

#4 2012-10-27 21:58:57

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,537

Re: systemd -- remove user from certain groups?

True, "users" isn't anything special, but an account has to have some group as primary, and that's the one I was already using.

Offline

#5 2012-10-27 22:02:50

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,683

Re: systemd -- remove user from certain groups?

Out of interest does anyone know why adding a user to e.g. optical would break functionality with systemd?


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.

Offline

#6 2012-10-27 22:07:46

65kid
Member
From: Germany
Registered: 2011-01-26
Posts: 663

Re: systemd -- remove user from certain groups?

I've never heard that the groups could actually cause problems. I would also love to know if this is actually true and why that is.

Offline

#7 2012-10-27 22:27:38

firecat53
Member
From: Sammamish, Wa
Registered: 2007-05-14
Posts: 1,440
Website

Re: systemd -- remove user from certain groups?

I also converted to a 'pure' systemd system a while ago. I removed myself from all groups but wheel, users and vboxusers. The only issue I had was I no longer had a sound card for pulseaudio to find. Adding myself back in to the audio group fixed that. The wiki says to be in the 'audio' group for pulseaudio, even though other places I thought I had read that wasn't necessary.

Using monsterwm without any consolekit/policykit stuff.

Scott

Offline

#8 2012-10-27 22:36:44

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: systemd -- remove user from certain groups?

I got a new SSD two days ago, and decided just to reinstall since I was moving to a much smaller drive.

%  groups
adm wheel users

BTW, adm just allows non-root users to use journalctl, which I find handy.

Edit: I too would like to know what kinds of issues might arise with the previous recommended groups setup.

Last edited by WonderWoofy (2012-10-27 22:37:36)

Offline

#9 2012-10-27 23:33:10

ZekeSulastin
Member
Registered: 2010-09-20
Posts: 266

Re: systemd -- remove user from certain groups?

firecat53 wrote:

The wiki says to be in the 'audio' group for pulseaudio, even though other places I thought I had read that wasn't necessary.

Because it's not:

>> master * > ~ ps aux | grep pulse && id
  412 ?        S<l    8:09 /usr/bin/pulseaudio --start
20332 pts/5    S+     0:00 grep --color=auto pulse
uid=1000(zekesulastin) gid=100(users) groups=100(users),10(wheel),10000(media)

As far as I can understand, the main purpose of keeping local users out of the groups is to prevent things from completely grabbing devices they shouldn't, i.e. an ALSA program going around dmix/pulse or one logged in user preventing another logged in user from using sound or whatnot.

Offline

#10 2012-10-28 02:26:22

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: systemd -- remove user from certain groups?

Does the same apply to e.g. power, storage, lp etc.? I currently have:

lp wheel log games video audio optical storage scanner power users

in addition to my own group and a custom one. In my case, I definitely want users, wheel and log (still using syslog in conjunction with systemd's journal). I suspect I want lp, too. But are any of the others necessary (games, video, audio, optical, storage, scanner, power)?


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD

Offline

#11 2012-10-28 03:17:05

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: systemd -- remove user from certain groups?

@cfr, I just tested if I could still print, and sure enough... no problem.  I would think that if you want to administer the printers with cups, then you may need to be in sys though.  Maybe I should try that real quick.

Edit: it would not let me administer cups... I tried to add a printer, and it wouldn't work.  I guess I could add myself to sys, but I am also the only user of this machine, so I am root as well.  I guess it would really serve no purpose.  Can anyone indicate a reason why I should use the sys group rather than simply configure cups as root?

Last edited by WonderWoofy (2012-10-28 03:19:23)

Offline

#12 2012-10-28 18:27:42

65kid
Member
From: Germany
Registered: 2011-01-26
Posts: 663

Re: systemd -- remove user from certain groups?

there has been some discussion on [arch-general] on whether these groups can actually cause problems (in short: yes they can):

https://mailman.archlinux.org/pipermail … 31794.html

Offline

#13 2012-10-28 19:41:19

Antoine
Member
From: Picton Ontario
Registered: 2012-10-11
Posts: 90

Re: systemd -- remove user from certain groups?

65kid wrote:

there has been some discussion on [arch-general] on whether these groups can actually cause problems (in short: yes they can):

The wiki entry has been re-written to clarify things somewhat too:

https://wiki.archlinux.org/index.php/Sy … nformation

Offline

#14 2012-10-28 19:49:45

graysky
Member
From: /run/user/1000
Registered: 2008-12-01
Posts: 8,441
Website

Re: systemd -- remove user from certain groups?

Interesting discussion.  Antoine - thank you for updated the wiki.  Can you or can someone else make a clear statement as to which groups a user CAN be in?

Example:

Bad membership under systemd = lp audio optical storage power
Good membership under systemd = wheel log sys adm truecrypt vboxusers

Last edited by graysky (2012-10-28 19:50:11)


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#15 2012-10-28 20:13:36

Antoine
Member
From: Picton Ontario
Registered: 2012-10-11
Posts: 90

Re: systemd -- remove user from certain groups?

graysky wrote:

Interesting discussion.  Antoine - thank you for updated the wiki.

Oh, sorry about the confusion -- it wasn't me who updated the wiki. I'm not that smart. I just posted a link.

Offline

#16 2012-10-28 21:59:33

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: systemd -- remove user from certain groups?

Thanks. I'm now trying:

adm wheel log users <usergroup> <custom>

I'm assuming that the strictures on the use of local groups under systemd do not make custom groups inappropriate since nothing centrally should even know about those.

I also use root to manage printers under cups and would be interested to know if there is any reason this is bad. And a statement of the sort graysky requested would be very useful indeed. (What is covered by the "..." in the current one?!)


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD

Offline

#17 2012-10-28 23:50:44

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: systemd -- remove user from certain groups?

So one thing I noticed after removing most of my groups is that I was no longer able to access /dev/fb0 with mplayer.

My groups are now

 adm,sys,wheel,users 

Not suprisingly, /dev/fb0 is owned by root with video as its group.  So its permissions are as follows

crw-rw---- 1 root video 29, 0 Oct 28 08:52 /dev/fb0

So I have now re-added myself back to the video group until I can determine if there is a way to fix this.


Edit: Okay so I fixed it.  After looking through 70-uaccess.rules, it seemed pretty apparent what I was supposed to be doing.  So I copied the file to /etc/udev/rules.d/70-uaccess.rules and added the following

# framebuffer
SUBSYSTEM=="graphics", KERNEL=="fb0", TAG+="uaccess"

Of course I put this before the 'LABEL="uaccess_end"' line.

So I guess now I have more questions... is this safe to do, or is there a reason why logind was not set up to give the user framebuffer access? 

Honestly, at this point in time, I kind of feel more comfortable using the old groups method, as it is a system I know.  But I figure if I am switching to systemd, it is all or nothing.  I am going to learn a new way, as there is no point to doing it half-assed. 

So is there anyone out there that can shed light on whether or not this is a sane thing to do?  If so, should it be done upstream?  I would imagine there are a lot of frambuffer users out there who could benefit from this.

Any input would be appreciated!

Last edited by WonderWoofy (2012-10-29 00:07:35)

Offline

#18 2012-10-29 02:03:51

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: systemd -- remove user from certain groups?

I suspect the issue should be reported but whether that is a packaging or upstream issue, I'm not sure. (I followed one of the links earlier and when it didn't just work, the developer response was basically that it should work. I realise framebuffer is a different issue but it seems like the same principle. If it is meant to work without local groups by default, presumably that must go for anything which used to require membership of those particular groups?)


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD

Offline

#19 2012-10-29 02:44:29

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: systemd -- remove user from certain groups?

Well, that is what I was thinking.  But I am not sure.  I do not know enough about the framebuffer or security to know if it poses a risk or not.

Offline

#20 2012-10-29 03:10:05

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: systemd -- remove user from certain groups?

I need to be in the power group to suspend, it seems. At least, KDE won't let the laptop sleep otherwise.

So maybe the power group isn't in the "..."?


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD

Offline

#21 2012-10-29 03:29:04

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: systemd -- remove user from certain groups?

The file that takes care of uaccess is a udev rule.  It is located at /usr/lib/udev/rules.d/70-uaccess.rules and is pretty easy to comprehend if you have ever made any kind of attempt at writing a udev rule.  If not, I found this to be very useful http://www.reactivated.net/writing_udev_rules.html although you should be aware the commands mention have now been changed to udevadm.  It seems as though all the mentioned flags are the same though.

As far as your suspend issue, I cannot comment on that, as it would seem a kde thing. Can you suspend from the command line, using the normal "systemctl suspend"?  Because my machine suspends no problem w/o being in the power group.

Though after checking, it seems that there is no mention of power in the file.  Here are the comments sorted out of the file (there is a descriptive comment for every uaccess rule):

grep \#\ [A-Za-z] 70-uaccess.rules
# PTP/MTP protocol devices, cameras, portable media players
# Digicams with proprietary protocol
# SCSI and USB scanners
# HPLIP devices (necessary for ink level check and HP tool maintenance)
# optical drives
# Sound devices
# ffado is an userspace driver for firewire sound cards
# Webcams, frame grabber, TV cards
# IIDC devices: industrial cameras and some webcams
# AV/C devices: camcorders, set-top boxes, TV sets, audio devices, and more
# DRI video devices
# KVM
# smart-card readers
# PDA devices
# Programmable remote control
# joysticks
# color measurement devices
# DDC/CI device, usually high-end monitors such as the DreamColor
# media player raw devices (for user-mode drivers, Android SDK, etc.)

Offline

#22 2012-10-29 10:01:42

65kid
Member
From: Germany
Registered: 2011-01-26
Posts: 663

Re: systemd -- remove user from certain groups?

regarding the /dev/fb0 access, I don't know whether it's safe, but as far as I understand udev rules, you don't have to copy 70-uaccess.rules to /etc but can create a custom file /etc/udev/rules.d/71-fb0-access.rules which only contains the fb0 entry. This way you wouldn't have to make sure that your custom 70-uaccess.rules stays up to date (although you probably should keep the uaccess_end rules in mind).

Offline

#23 2012-10-29 11:17:37

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 3,721

Re: systemd -- remove user from certain groups?

Groups are still 'needed' for non-local logins, unless you do a bit of polkit rule rewriting.


Evil #archlinux@freenode channel op and general support dude.
. files on github, Screenshots, Random pics and the rest

Offline

#24 2012-10-29 11:45:46

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: systemd -- remove user from certain groups?

WonderWoofy wrote:

As far as your suspend issue, I cannot comment on that, as it would seem a kde thing. Can you suspend from the command line, using the normal "systemctl suspend"?  Because my machine suspends no problem w/o being in the power group.

I'm sure it is a KDE thing. My logind.conf tells systemd to ignore everything. (The recommendation when I last checked was to let the DE handle this stuff if using one.) If I'm not in the power group, "sleep", for example, is not even an option in the power management settings panel.

I should probably be using the "ignore inhibited" option set to "yes" instead but I don't think that would make a difference here and I'm nervous about it for some reason.


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD

Offline

#25 2012-10-29 14:10:02

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: systemd -- remove user from certain groups?

@65kid, yeah, that is probably a much better idea.  I guess I just figured I should use it like /usr and /etc with systemd services.  But you are right, I should really not prevent the original from running.  Thanks for the tip.

@cfr, I know you have disabled the native systemd lid suspend and whatnot, but what about simply suspending from the command line with

$ systemctl suspend 

because if that works as the normal user, you would at least know it is not an permissions problem or unauthenticated session and instead probably something to do with the command kde is calling.

Offline

Board footer

Powered by FluxBB