iMX8MM & BSP6: Is it still necessary to launch weston as root?

Hello,

I’m using a Verdin iMX8MM with BSP v6.0.
In the tdx-reference-multimedia-image, weston is started with the systemd service /lib/systemd/system/weston.service and the socket /lib/systemd/system/weston.socket. In these files the user and the group are set to root.

This allows only applications launched with root privileges to connect to the display server to show their content. I don’t think this is a good practice.

I found both files in the directory openembedded-core/meta/recipes-graphics/weston-init/ where user and group are set to weston and wayland, respectively. But the recipe meta-toradex-bsp-common/recipes-graphics/wayland/weston-init.bbappend changed these settings to root because of this commit.

Is this workaround still necessary? Why are user and group in weston.socket changed too?

Best regards,
Markus

Hi @Mowlwurf ,

Happy New Year :tada:

This change was performed by NXP and we from Toradex are basing our BSP on this. You can try to remove this change and see if it works without it.

As commented on Toradex’s weston-init.bbappend root is needed in order to access input devices and GPU.

Let us know how it goes.

Best Regards
Kevin

Hi @kevin.tx,

thank you for your fast reply.

In both files I changed the user and group settings back to the original ones, and weston starts without problems. I added the unprivileged user to the groups video and wayland and was able to start a Qt app owned by the user on a touchscreen. Touch and keyboard inputs are working too.

So for me it seems that this workaround isn’t necessary anymore.

Best regards,
Markus

Hi @Mowlwurf ,

Thanks for confirming :+1:

We’ll pass that on internally.

Best Regards
Kevin

Hi @kevin.tx,

I discovered a little downside of this: I can run the program feh only as user weston. When I try it as root I get the following error:

$ feh pictures/blue.png
Authorization required, but no authorization protocol specified
feh ERROR: Can't open X display. It *is* running, yeah?

Do you have an idea about this?

Best regards,
Markus

Hello @Mowlwurf
feh is trying to use X, and our images have Weston with Xwayland by default, so maybe you need to check the DISPLAY environment variable in order to run feh.

On the other hand, you have the weston.ini file where you can set the wallpaper.

Please refer to this article to get more information about Weston. It refers to TorizonCore, but the same Weston configuration should work for our Reference images:

Best regards,
Josep

Hello @josep.tx,

thank you for your response. My environment variables and weston.ini are the default ones. So DISPLAY is set and xwayland is enabled:

$ printenv
SHELL=/bin/sh
SYSTEMD_COLORS=0
EDITOR=vi
PWD=/home/root
LOGNAME=root
HOME=/home/root
WAYLAND_DISPLAY=/run/wayland-0
SSH_CONNECTION=::ffff:192.168.0.2 54659 ::ffff:192.168.0.1 22
QT_QPA_PLATFORM=wayland-egl
TERM=xterm
USER=root
DISPLAY=:0.0
SHLVL=1
PS1=\h:\w\$
SSH_CLIENT=::ffff:192.168.0.2 54659 22
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
SSH_TTY=/dev/pts/0
_=/bin/printenv
$ cat /etc/xdg/weston/weston.ini
[core]
#gbm-format=argb8888
idle-time=0
use-g2d=1
xwayland=true
repaint-window=16
#enable-overlay-view=1
modules=screen-share.so

#[shell]
#size=1920x1080

[libinput]
enable_tap=true
touchscreen_calibrator=true
calibration_helper=/usr/bin/toradex-save-touchscreen-calibration

[output]
#name=HDMI-A-1
#mode=1920x1080@60
#transform=rotate-90
#name=DSI-1
#mode=1920x1200@60
#scale=2

#[output]
#name=HDMI-A-2
#mode=off
#       WIDTHxHEIGHT    Resolution size width and height in pixels
#       off             Disables the output
#       preferred       Uses the preferred mode
#       current         Uses the current crt controller mode
#transform=rotate-90

[screen-share]
command=/usr/bin/weston --backend=rdp-backend.so --shell=fullscreen-shell.so --no-clients-resize --rdp-tls-cert=/etc/freerdp/keys/server.crt --rdp-tls-key=/etc/freerdp/keys/server.key

When Weston is started with user and group as root, but the socket remains the original one (user = weston, group = wayland) then feh works only with root.

So it seems that only the user that Weston is started with is allowed to run XWayland applications.

Best regards,
Markus

Hello @Mowlwurf ,
I couldn’t test feh, but I tested weston-image.
I created a user torizon, added it to the groups video and wayland, copied one picture to torizon’s home and tried to run weston-image. The result was:

verdin-imx8mm-06760561:~$ WAYLAND_DEBUG=1 weston-image  IMG_1083.JPG
failed to connect to Wayland display: Permission denied
failed to create display: Permission denied

In my case I solved it by giving full permissions to the Wayland socket /run/wayland0. Possibly not the most elegant solution but it did the job.

Hello @Mowlwurf ,

Were you able to solve your issue? Do you need more assistance on our side?

Best regards,
Josep
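
Added example (not part of any post above, and not Toradex or OpenEmbedded code): a shell audit for the settings this thread turns on, namely the User=/Group= of weston.service, the SocketUser=/SocketMode= of weston.socket (standard systemd directives), and the mode of the live Wayland socket. The function names are hypothetical and the unit fragments in demo are constructed.

```shell
#!/bin/sh
# Added example: audit the Weston units and the Wayland socket named in the thread.

# unit_value FILE KEY: print the last value assigned to KEY (empty if unset).
unit_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_service FILE: flag a compositor that runs as root.
audit_service() {
    user=$(unit_value "$1" User); group=$(unit_value "$1" Group); rc=0
    # A system service without User= runs as root.
    case "$user" in ""|root|0) echo "FLAG User=${user:-unset} (root)"; rc=1 ;; esac
    case "$group" in root|0) echo "FLAG Group=$group"; rc=1 ;; esac
    return $rc
}

# audit_socket_unit FILE: flag a root-owned or world-writable listening socket.
audit_socket_unit() {
    user=$(unit_value "$1" SocketUser); mode=$(unit_value "$1" SocketMode); rc=0
    mode=${mode:-0666}    # systemd default when SocketMode= is absent
    case "$user" in ""|root|0) echo "FLAG SocketUser=${user:-unset} (root)"; rc=1 ;; esac
    case "$mode" in *[2367]) echo "FLAG SocketMode=$mode (world-writable)"; rc=1 ;; esac
    return $rc
}

# audit_socket_path PATH: flag a live socket any local user can connect to.
audit_socket_path() {
    [ -z "$(find "$1" -prune -perm -0002 2>/dev/null)" ] && return 0
    echo "FLAG $1 is world-writable"; return 1
}

# Demo on constructed unit fragments (not copied from any BSP).
demo() {
    d=$(mktemp -d)
    printf '[Service]\nUser=root\nGroup=root\n' > "$d/root.service"
    printf '[Service]\nUser=weston\nGroup=wayland\n' > "$d/user.service"
    printf '[Socket]\nListenStream=/run/wayland-0\nSocketMode=0775\nSocketUser=weston\nSocketGroup=wayland\n' > "$d/user.socket"
    for f in "$d/root.service" "$d/user.service"; do
        echo "== $f"; audit_service "$f" || true
    done
    echo "== $d/user.socket"; audit_socket_unit "$d/user.socket" || true
    rm -rf "$d"
}
demo
```

On a target, point the functions at /lib/systemd/system/weston.service, /lib/systemd/system/weston.socket and the socket path shown in WAYLAND_DISPLAY.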