5

I read this https://www.freedesktop.org/software/systemd/man/sd-login.html

But a process run in a systemd session can still access all the device nodes under /dev, so what really is the point of systemd introducing the concept "seat"?

1 Answer

6

Are you thinking in terms of running as root? This is essentially for non-root users.

The concept "seat" is for situations where you want to service a maximum number of local users with a minimum amount of hardware (e.g. for schools or similar).

Computers can have multiple displays, keyboards and mice connected to a single desktop box, so with systemd, one desktop with two displays, keyboards and mice can provide two separate GUI sessions simultaneously if desired.

In a normal single-seat configuration, any hotpluggable USB devices normally have their device node permissions set so that a locally-logged-in user can automatically use them, but users logging in remotely (e.g. with SSH) cannot use them unless they are root or members of special user groups like plugdev.

With a multi-seat configuration, any such devices will by default belong to the default seat seat0: the administrator can configure specific devices to other seats instead.

4
  • The ACLs of device nodes can be changed (manually by the administrator or by udev rules), so a non-root process in a systemd session may also access a device which is not assigned to the seat of the systemd session. This is very confusing: is a seat just a tag assigned to a device? Does the kernel know about this tag? Is this tag not mandatory but advisory? Commented Aug 2, 2020 at 11:33
  • If I recall correctly, PAM will modify some device ACLs on console login/logout. The seat tags will control which devices will get ACLs assigned when someone logs in on the console (on a specific seat, if multiple seats have been configured). Multi-seat configuration requires some work from the administrator as each hardware setup will be different: it's not quite so "ready-for-use" as a regular single-seat configuration, but more of a set of tools for the administrator. Commented Aug 2, 2020 at 11:42
  • But ACLs only match UID and GID; what if the same user logs in twice on different seats? Then a process in one session can access devices of the seat of another session. Commented Aug 3, 2020 at 22:00
  • But then it's the same user on both seats, so there is no problem. Commented Aug 3, 2020 at 22:07
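
As an added example (not part of the original answer or comments, and not systemd's own code): a small Python audit of the concern raised in the comments, that a device-node ACL can name a user who has no active session on the device's seat. It assumes the usual udev conventions (seat given by the `ID_SEAT` property, defaulting to `seat0`, and logind-managed ACLs on devices tagged `uaccess`); the udev records, session list and ACL entries are constructed sample data.

```python
# Constructed sample in the record format of `udevadm info --export-db`.
UDEV_DB = """\
P: /devices/pci0000:00/0000:00:1b.0/sound/card0/pcmC0D0p
N: snd/pcmC0D0p
E: TAGS=:seat:uaccess:

P: /devices/pci0000:00/0000:00:14.0/usb1/1-2/sound/card1/pcmC1D0p
N: snd/pcmC1D0p
E: ID_SEAT=seat1
E: TAGS=:seat:uaccess:

P: /devices/virtual/mem/kmsg
N: kmsg
"""
# Constructed (user, seat, active) tuples; carol is a remote login with no seat.
SESSIONS = [("alice", "seat0", True), ("bob", "seat1", True), ("carol", None, True)]
# Constructed named-user ACL entries per node, as `getfacl` would list them.
ACLS = {"/dev/snd/pcmC0D0p": {"alice"},
        "/dev/snd/pcmC1D0p": {"bob", "carol"},
        "/dev/kmsg": set()}

def parse_udev_db(text):
    """Map /dev node -> seat for every device tagged uaccess."""
    seats = {}
    for record in text.strip().split("\n\n"):
        node, props = None, {}
        for line in record.splitlines():
            kind, _, value = line.partition(": ")
            if kind == "N":
                node = "/dev/" + value
            elif kind == "E":
                key, _, val = value.partition("=")
                props[key] = val
        tags = set(props.get("TAGS", "").strip(":").split(":"))
        if node and "uaccess" in tags:
            # Assumption: a device without ID_SEAT belongs to seat0.
            seats[node] = props.get("ID_SEAT") or "seat0"
    return seats

def audit(seats, sessions, acls):
    """Return (node, user, seat) for ACL users lacking an active session on that seat."""
    findings = []
    for node, seat in sorted(seats.items()):
        allowed = {u for u, s, active in sessions if s == seat and active}
        for user in sorted(acls.get(node, set()) - allowed):
            findings.append((node, user, seat))
    return findings

if __name__ == "__main__":
    for node, user, seat in audit(parse_udev_db(UDEV_DB), SESSIONS, ACLS):
        print(f"{node}: ACL names {user}, who has no active session on {seat}")
```

On a live system the three inputs would come from `udevadm info --export-db`, `loginctl list-sessions` and `getfacl` on each node.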
