multi-user, udev, consolkit, oh my

multi-user, udev, consolkit, oh my

[Yan Seiner]

I'm working on multi-user setups.

I'd like to be assign some resources - like a USB hub - to a seat and 
have hotplug for that hub work only for that seat.

Currently, what happens is that a user plugs in a camera, and hal 
reports the event.  All of the concurrent gnome-volume-manager instances 
then try to grab that resource, and what results is a mess.

consolekit has been suggested as a way to resolve this, but I can't 
figure out how to use it.

googling around, I've found suggestions for using udev to limit access 
to usb devices by creating a group that only has access to the usb 
subsystem.

If I want to group some resources and only have those resources on 
behalf of a specific user, and not any other, is there a way to do 
that?  Can I set up groups for hotplugging usb devices and set it up so 
that the event is only reported to specific group members?

Thanks.,

--Yan

Re: multi-user, udev, consolkit, oh my

[Kay Sievers]

On Sun, Nov 16, 2008 at 16:31, Yan Seiner <yan@seiner.com> wrote:
> I'm working on multi-user setups.
>
> I'd like to be assign some resources - like a USB hub - to a seat and have
> hotplug for that hub work only for that seat.
>
> Currently, what happens is that a user plugs in a camera, and hal reports
> the event.  All of the concurrent gnome-volume-manager instances then try to
> grab that resource, and what results is a mess.
>
> consolekit has been suggested as a way to resolve this, but I can't figure
> out how to use it.

Yes, ConsoleKit/PolicyKit/HAL should be used as the basic
infrastructure to properly assign ACL's to devices for specific users.
ConsoleKit is the only way to track activitty of sessions, which is
what you need for shared devices, to grant access only to active
sessions. But I don't think anybody ever really used multi-seat
setups, so there is likely stuff that needs to be implemented.

> googling around, I've found suggestions for using udev to limit access to
> usb devices by creating a group that only has access to the usb subsystem.
>
> If I want to group some resources and only have those resources on behalf of
> a specific user, and not any other, is there a way to do that?

You can assign an owner or group to all devices below a specific USB
hub. You onlt need to identify the hub reliably.

> Can I set up groups for hotplugging usb devices

You can assign owners/groups to specific devices, based on matches od
properties of the devices, but you can not setup "groups for
hotplugging".

> and set it up so that the event is only reported to specific group members?

There are no user specific events, udev acts at the system level, just
like the kernel, it has no idea who receives which event.

Kay

Re: multi-user, udev, consolkit, oh my

[Yan Seiner]

Kay Sievers wrote:
> On Sun, Nov 16, 2008 at 16:31, Yan Seiner <yan@seiner.com> wrote:
>   
>> I'm working on multi-user setups.
>>
>> I'd like to be assign some resources - like a USB hub - to a seat and have
>> hotplug for that hub work only for that seat.
>>
>> Currently, what happens is that a user plugs in a camera, and hal reports
>> the event.  All of the concurrent gnome-volume-manager instances then try to
>> grab that resource, and what results is a mess.
>>
>> consolekit has been suggested as a way to resolve this, but I can't figure
>> out how to use it.
>>     
>
> Yes, ConsoleKit/PolicyKit/HAL should be used as the basic
> infrastructure to properly assign ACL's to devices for specific users.
> ConsoleKit is the only way to track activitty of sessions, which is
> what you need for shared devices, to grant access only to active
> sessions. But I don't think anybody ever really used multi-seat
> setups, so there is likely stuff that needs to be implemented.
>
>   
>> googling around, I've found suggestions for using udev to limit access to
>> usb devices by creating a group that only has access to the usb subsystem.
>>
>> If I want to group some resources and only have those resources on behalf of
>> a specific user, and not any other, is there a way to do that?
>>     
>
> You can assign an owner or group to all devices below a specific USB
> hub. You onlt need to identify the hub reliably.
>
>   

Thanks for the information.  At least I'm on the right track...  I've 
been reading up on dbus and hal, but I can't really find how dbus, 
ConsoleKit, and hal all work together.  It looks like the policies in 
/etc/dbus-1/session.conf might do what I need, but I can't find any 
documentation on what policies are available and how to set them.

The overall idea is that we put up an X session on every available 
screen and ask the user to hit a specific key on the keyboard.  The key 
is different for each X session.  Once we have the keyboard event, we 
can tell which USB hub it came from and we can assign the USB hub it's 
plugged into to that seat.  We can then scan the hub for mouse, audio, 
mass storage, whatever and handle them on behalf of that user.

 From that point on, any event that takes place on that hub only gets 
handled by that user's session.  That's the long-term goal. Right now it 
would be nice just to be able to limit gnome-volume-manager to a single 
hub, even if I have to hard-code the hub in some config file.

I'm new to the whole dbus/hal thing so I would appreciate any pointers 
to docs or discussion that might help me out.

--Yan