From: Randolph Sapp <rs@ti.com>
To: <rs@ti.com>, <richard.purdie@linuxfoundation.org>,
<mathieu.dubois-briand@bootlin.com>, <alex@linutronix.de>,
<otavio@ossystems.com.br>, <kexin.hao@windriver.com>
Cc: <afd@ti.com>, <detheridge@ti.com>, <denis@denix.org>,
<reatmon@ti.com>, <openembedded-core@lists.openembedded.org>,
<vijayp@ti.com>
Subject: Re: [oe-core][PATCHv10 6/7] xserver-nodm-init: convert to virtual-emptty-conf
Date: Wed, 24 Sep 2025 17:47:55 -0500
Message-ID: <DD1EACB7UHYA.3OG9HIG2W5CS2@ti.com>
In-Reply-To: <18680FA2E4B5FED3.1251@lists.openembedded.org>
On Tue Sep 23, 2025 at 7:13 PM CDT, Randolph Sapp via lists.openembedded.org wrote:
> On Tue Sep 23, 2025 at 5:51 PM CDT, Randolph Sapp via lists.openembedded.org wrote:
>> From: Randolph Sapp <rs@ti.com>
>>
>> Convert this script package into a simple config for emptty. This is
>> capable of using either the root user or the underprivileged xuser
>> account based on the same ROOTLESS_X variable. The xuser will leverage
>> the nopasswdlogin session provided by emptty for automatic logins.
>> Runtime provide virtual-emptty-conf as we need to set parameters for the
>> default session.
>>
>> This also gets rid of the xuser security/capability override since
>> emptty sets up required components as root before descending into the
>> specified user. This does not currently handle loading of autostart
>> applications in "/etc/xdg/autostart".
>>
>> This explicitly removes rooted x11 support for security related issues,
>> as this recipe has always automatically set up passwordless login for the
>> specified account. This was particularly useful for the underprivileged
>> xuser account, but is quickly a problem for the root user.
>>
>> See the following discussion for additional information:
>> https://lists.openembedded.org/g/openembedded-core/topic/115318655#msg223906
>>
>> License-Update: GPLv2 scripts were replaced with MIT based config files
>> Signed-off-by: Randolph Sapp <rs@ti.com>
>> ---
>> meta/conf/distro/include/maintainers.inc | 4 +-
>> meta/lib/oeqa/runtime/cases/xorg.py | 8 +
>> .../x11-common/xserver-nodm-init/X11/Xsession | 38 --
>> .../X11/Xsession.d/13xdgbasedirs.sh | 19 -
>> .../X11/Xsession.d/89xdgautostart.sh | 7 -
>> .../X11/Xsession.d/90XWindowManager.sh | 7 -
>> .../x11-common/xserver-nodm-init/Xserver | 25 --
>> .../xserver-nodm-init/capability.conf | 2 -
>> .../xserver-nodm-init/default.desktop | 5 +
>> .../xserver-nodm-init/emptty.conf.in} | 8 +-
>> .../xserver-nodm-init/gplv2-license.patch | 355 ------------------
>> .../x11-common/xserver-nodm-init/xserver-nodm | 75 ----
>> .../xserver-nodm-init/xserver-nodm.conf.in | 7 -
>> .../xserver-nodm-init/xserver-nodm.service.in | 11 -
>> .../x11-common/xserver-nodm-init_3.0.bb | 64 +---
>> .../user-creation/xuser-account_0.1.bb | 3 +-
>> 16 files changed, 35 insertions(+), 603 deletions(-)
>> delete mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/X11/Xsession
>> delete mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/X11/Xsession.d/13xdgbasedirs.sh
>> delete mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/X11/Xsession.d/89xdgautostart.sh
>> delete mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/X11/Xsession.d/90XWindowManager.sh
>> delete mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/Xserver
>> delete mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf
>> create mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/default.desktop
>> copy meta/recipes-graphics/{wayland/weston-init/emptty.conf => x11-common/xserver-nodm-init/emptty.conf.in} (95%)
>> delete mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/gplv2-license.patch
>> delete mode 100755 meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
>> delete mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm.conf.in
>> delete mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm.service.in
>>
[snip]
>> diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
>> index 169269eefb..1fc10159e8 100644
>> --- a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
>> +++ b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
>> @@ -1,25 +1,16 @@
>> SUMMARY = "Simple Xserver Init Script (no dm)"
>> -LICENSE = "GPL-2.0-only"
>> -LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
>> +LICENSE = "MIT"
>> +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
>> SECTION = "x11"
>>
>> -SRC_URI = "file://xserver-nodm \
>> - file://Xserver \
>> - file://X11 \
>> - file://gplv2-license.patch \
>> - file://xserver-nodm.service.in \
>> - file://xserver-nodm.conf.in \
>> - file://capability.conf \
>> -"
>> +SRC_URI = "file://emptty.conf.in \
>> + file://default.desktop"
>>
>> S = "${UNPACKDIR}"
>>
>> -# Since we refer to ROOTLESS_X which is normally enabled per-machine
>> -PACKAGE_ARCH = "${MACHINE_ARCH}"
>> +inherit features_check
>>
>> -inherit update-rc.d systemd features_check
>> -
>> -REQUIRED_DISTRO_FEATURES = "x11 ${@oe.utils.conditional('ROOTLESS_X', '1', 'pam', '', d)}"
>> +REQUIRED_DISTRO_FEATURES = "x11 pam"
>
> Ah, something for the future. PAM is a requirement for passwordless login right
> now. Emptty supports generic authentication without pam though. I could extend
> emptty's auth_nopam_linux.go and config to allow passwordless authentication in
> pamless environments by using a group dictated in the emptty-conf. Assuming
> people are interested in that.

Actually I was mistaken. It already performs passwordless auth for the listed
autologin user if pam is not present. The pam dependency in this recipe can be
dropped in the next revision.

>> PACKAGECONFIG ??= "blank"
>> # dpms and screen saver will be on only if 'blank' is in PACKAGECONFIG
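
Review bot: `REQUIRED_DISTRO_FEATURES = "x11 pam"` makes pam a hard requirement for every build of this recipe, where the removed line only asked for it when ROOTLESS_X was '1'. If the follow-up above holds and emptty already performs passwordless auth for the autologin user without pam, this should become `REQUIRED_DISTRO_FEATURES = "x11"` in the next revision. Separately, SUMMARY still reads "Simple Xserver Init Script (no dm)" although SRC_URI now carries only emptty.conf.in and default.desktop; it should say that the recipe provides an emptty configuration for an X11 session.
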
>> @@ -27,45 +18,18 @@ PACKAGECONFIG[blank] = ""
>> PACKAGECONFIG[nocursor] = ""
>>
>> do_install() {
>> - install -d ${D}${sysconfdir}/default
>> - install xserver-nodm.conf.in ${D}${sysconfdir}/default/xserver-nodm
>> - install -d ${D}${sysconfdir}/xserver-nodm
>> - install Xserver ${D}${sysconfdir}/xserver-nodm/Xserver
>> - install -d ${D}${sysconfdir}/X11/Xsession.d
>> - install X11/Xsession.d/* ${D}${sysconfdir}/X11/Xsession.d/
>> - install X11/Xsession ${D}${sysconfdir}/X11/
>> + install -D -p -m0644 ${S}/emptty.conf.in ${D}${sysconfdir}/emptty/conf
>> + install -D -p -m0644 ${S}/default.desktop ${D}${datadir}/xsessions/default.desktop
>>
>> BLANK_ARGS="${@bb.utils.contains('PACKAGECONFIG', 'blank', '', '-s 0 -dpms', d)}"
>> NO_CURSOR_ARG="${@bb.utils.contains('PACKAGECONFIG', 'nocursor', '-nocursor', '', d)}"
>> - if [ "${ROOTLESS_X}" = "1" ] ; then
>> - XUSER_HOME="/home/xuser"
>> - XUSER="xuser"
>> - install -D capability.conf ${D}${sysconfdir}/security/capability.conf
>> - sed -i "s:@USER@:${XUSER}:" ${D}${sysconfdir}/security/capability.conf
>> - else
>> - XUSER_HOME=${ROOT_HOME}
>> - XUSER="root"
>> - fi
>> - sed -i "s:@HOME@:${XUSER_HOME}:; s:@USER@:${XUSER}:; s:@BLANK_ARGS@:${BLANK_ARGS}:" \
>> - ${D}${sysconfdir}/default/xserver-nodm
>> - sed -i "s:@NO_CURSOR_ARG@:${NO_CURSOR_ARG}:" ${D}${sysconfdir}/default/xserver-nodm
>> -
>> - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
>> - install -d ${D}${systemd_system_unitdir}
>> - install -m 0644 ${S}/xserver-nodm.service.in ${D}${systemd_system_unitdir}/xserver-nodm.service
>> - sed -i "s:@USER@:${XUSER}:" ${D}${systemd_system_unitdir}/xserver-nodm.service
>> - fi
>>
>> - if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
>> - install -d ${D}${sysconfdir}/init.d
>> - install xserver-nodm ${D}${sysconfdir}/init.d
>> - fi
>> + sed -i "s:@NO_CURSOR_ARG@:${NO_CURSOR_ARG}:" ${D}${sysconfdir}/emptty/conf
>> + sed -i "s:@BLANK_ARGS@:${BLANK_ARGS}:" ${D}${sysconfdir}/emptty/conf
>> }
>>
>> -RDEPENDS:${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account libcap libcap-bin', '', d)}"
>> -
>> -INITSCRIPT_NAME = "xserver-nodm"
>> -INITSCRIPT_PARAMS = "start 9 5 . stop 20 0 1 2 3 6 ."
>> -SYSTEMD_SERVICE:${PN} = "xserver-nodm.service"
>> +FILES:${PN} = "${sysconfdir}/emptty/conf \
>> + ${datadir}/xsessions/default.desktop"
>>
>> -RCONFLICTS:${PN} = "xserver-common (< 1.34-r9) x11-common"
>> +RDEPENDS:${PN} = "emptty xuser-account"
>> +RPROVIDES:${PN} += "virtual-emptty-conf"
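
Review bot: in do_install the ROOTLESS_X branch and the @USER@/@HOME@ substitutions are gone and RDEPENDS now pulls in xuser-account unconditionally, so ROOTLESS_X no longer has any effect here, yet the first paragraph of the commit message still says the config can use "either the root user or the underprivileged xuser account based on the same ROOTLESS_X variable". Please align that paragraph with the code; the third paragraph already states that rooted X11 support is removed. As a style point, the two `sed -i` calls on ${D}${sysconfdir}/emptty/conf can be merged into a single invocation with both expressions, as the removed code did for ${D}${sysconfdir}/default/xserver-nodm.
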
>> diff --git a/meta/recipes-support/user-creation/xuser-account_0.1.bb b/meta/recipes-support/user-creation/xuser-account_0.1.bb
>> index 04f506e7a3..f1e4cb674f 100644
>> --- a/meta/recipes-support/user-creation/xuser-account_0.1.bb
>> +++ b/meta/recipes-support/user-creation/xuser-account_0.1.bb
>> @@ -24,7 +24,8 @@ FILES:${PN} = "${sysconfdir}/dbus-1/system.d/system-xuser.conf"
>>
>> USERADD_PACKAGES = "${PN}"
>> USERADD_PARAM:${PN} = "--create-home \
>> - --groups video,tty,audio,input,shutdown,disk \
>> + --groups video,tty,audio,input,shutdown,disk,nopasswdlogin \
>> --user-group xuser"
>> +GROUPADD_PARAM:${PN} = "-r nopasswdlogin"
>>
>> ALLOW_EMPTY:${PN} = "1"
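
Review bot: the changed `--groups` line keeps `disk` for xuser while adding `nopasswdlogin`, so the account that logs in without a password also has group access to raw block devices. If nothing in the X session needs that, drop `disk` in this same change. A short comment above `GROUPADD_PARAM:${PN} = "-r nopasswdlogin"` noting that emptty's nopasswdlogin session depends on this group would help anyone later auditing which accounts can log in without a password.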