Re: running s6-rc as unpriviledged user

From: Laurent Bercot <ska-skaware_at_skarnet.org>
Date: Sun, 28 Feb 2016 00:54:27 +0100

On 28/02/2016 00:25, Terrel Shumway wrote:
> sv/wm/run execs dwm
> sv/xterm/run execs x-terminal-emulator (running xterm supervised is fun)
> sv/xserver/run execs the X server (Xephyr for testing)
> sv/ssh-agent/run execs ssh-agent in non-daemon mode

  Your problem here is user discrepancy. xserver runs as root, so has to
belong to your root supervision tree. All your other processes should belong
to the user getting an X session. Also, don't forget that several users can
have a session with a single X server (think remote X clients) so having
only one fixed instance for your X clients sounds like bad design.


> However, I thought it would be cool to use the dependency stuff of s6-rc
> to say that wm and xterm depend on xserver.

  You can do that. However, I really advise you to follow the programs' logic.
You only start your X clients when a user has logged in; and all those
clients have their own set of dependencies, that's independent from the
rest of the system.

  What I would do is the following: when user foo logs, start (via the .xsession
or whatever script does the job) an independent supervision tree *owned by
user foo*. User foo can then run s6-rc-init on their own scandir, and populate
it via s6-rc calls.


> The first thing that happened when I tried to run s6-rc-init was a core
> dump on strlen. Is this a symptom of not running as root?

  Probably not, no. When you try to run s6-rc-init on the root supervision tree
as an unprivileged user, you should get some system call fail with a
"Permission denied" error. Definitely not a core dump.


> How do I debug this?

  By default, strace. But if the program crashes, gdb ? Still, if you have made
s6-rc-init crash, please first check that you're using the latest version, then
send me as many details as you can (strace output, OS details, etc.)


> *Why* does s6-rc-init need to run as root?

  Strictly speaking, it doesn't. But it does need to run as the owner of the
supervision tree: it needs to be able to write to the scandir and to s6-svscan's
control pipe. If you're trying to run s6-rc-init on a supervision tree that runs
as root, then it needs to be root.

  If you create a separate supervision tree, owned by user foo, when user foo
logs in to X, you can run s6-rc-init on it, on a separate live directory.

-- 
  Laurent
Received on Sat Feb 27 2016 - 23:54:27 UTC

This archive was generated by hypermail 2.3.0 : Sun May 09 2021 - 19:38:49 UTC