Run Qt application as non-root user

I am attempting to set up my Qt application, which will run in kiosk mode under Yocto Linux, to run from a non-root user for security reasons. I am working through issues related to weston-init creating the weston.service to run as root. I would think most projects would need the UI application to run from a non-root user. Is there a standard way to set up the build for this purpose?

My tdx-info is below.

root@verdin-imx8mp-15402814:~# tdx-info

Software summary

Bootloader: U-Boot
Kernel version: 6.6.23-7.0.0-devel-g134217cee88c #1 SMP PREEMPT Wed Sep 25 11:25:16 UTC 2024
Kernel command line: root=PARTUUID=f6c28cf8-01 ro rootwait console=tty1 console=ttymxc2
Distro name: NAME="TDX Wayland with XWayland"
Distro version: VERSION_ID=7.0.0-devel-20241219010323-build.0
Hostname: verdin-imx8mp-15402814

Hardware info

HW model: Toradex Verdin iMX8M Plus on Verdin Development Board
Toradex version: 0063 V1.1B
Serial number: 15402814
Processor arch: aarch64

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!


Hello!

To run Qt applications as a non-root user in kiosk mode on your Verdin iMX8M Plus with Yocto Linux and Wayland/XWayland, you have several options:

  1. Qt Development Options:

    • You can use the Qt for Device Creation commercial offering or build with OpenEmbedded layers. These methods allow you to tailor your Qt environment to your specific needs.
    • Alternatively, consider using the Qt Debian Container for Torizon, which simplifies the development process by leveraging containerization.

  2. Running Qt Applications as Non-Root:

    • Adjusting Wayland socket permissions might be necessary, but it’s crucial to handle this securely. Instead of directly changing socket permissions, configure your system to manage permissions appropriately.

  3. Production Setup Recommendations:

    • Building a custom image using the Yocto Project/OpenEmbedded can help you configure user permissions and access controls effectively.
    • Torizon OS offers a container-based approach that enhances security through isolation, which can be beneficial for your use case.

For more detailed guidance, you might explore the Toradex Developer Center and Community forums, which can provide additional insights and examples from other users.

If you have further questions or need more specific advice, feel free to ask!

Best regards,
Toradex AI Assistant

Could you please provide details about the problems you encountered while trying to run a Qt application as a non-root user?
As dor

Ensure that the device nodes associated with your camera and DMA buffer are accessible to the video group

Hi @alex.tx,

I was able to get rid of the error concerning the call to imx_dma_buffer_allocate by including /dev/dma_heap in the video group. My question was more general because there is a comment in a Toradex weston-init.bbappend (meta-toradex-bsp-common) as follows:

    # We need run weston systemd service with root user, or else it could not
    # access input devices and GPU acceleration hardwares

I had needed to create my own weston-init.bbappend to override that document in order to run my Qt application as a non-root user. I was concerned I was doing something which was not intended and would ultimately fail to work. I now have the application running with video under a non-root user so I am probably fine. Please let me know if it seems I am doing something unintended.

Thanks

The comment itself comes directly from NXP’s BSP. At the time we added this, we weren’t able to run Qt as the user ‘weston,’ so we copied their solution. If you are able to run Qt as a less privileged user, we see no reason preventing you from modifying the systemd service to suit your needs.

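The device-node check discussed in this thread (nodes such as /dev/dma_heap reachable through the video group rather than through root) can be audited with a short script. This is an added example, not code from the thread or from Toradex; the script name and the /dev/input and /dev/dri paths in the usage line are assumptions, and it judges access by owner/group/other mode bits only.

```shell
#!/bin/sh
# Added example (not from the thread): report which device nodes a non-root
# user can open read/write, judged by owner/group/other mode bits only.
# ACLs and logind "uaccess" grants are not evaluated.

# can_rw UID "GIDS" MODE OWNER_UID OWNER_GID -> status 0 if read+write is granted
can_rw() {
    c_uid=$1; c_gids=$2; c_perm=$(( 0$3 )); c_ouid=$4; c_ogid=$5
    [ "$c_uid" -eq 0 ] && return 0           # root bypasses the mode bits
    if [ "$c_uid" -eq "$c_ouid" ]; then
        c_bits=$(( (c_perm >> 6) & 7 ))      # owner class applies exclusively
    else
        c_bits=$(( c_perm & 7 ))             # "other" unless a group matches
        for c_g in $c_gids; do
            if [ "$c_g" -eq "$c_ogid" ]; then
                c_bits=$(( (c_perm >> 3) & 7 )); break
            fi
        done
    fi
    [ $(( c_bits & 6 )) -eq 6 ]
}

# audit_nodes USER PATH... -> one line per node; returns the number denied
audit_nodes() {
    a_user=$1; shift
    a_uid=$(id -u "$a_user") || return 255
    a_gids=$(id -G "$a_user")
    a_denied=0
    for a_node in "$@"; do
        [ -e "$a_node" ] || { echo "SKIP  $a_node (not present)"; continue; }
        # Assumes a stat with -c format support (GNU coreutils or BusyBox)
        read -r a_mode a_ouid a_ogid <<EOF
$(stat -L -c '%a %u %g' "$a_node")
EOF
        if can_rw "$a_uid" "$a_gids" "$a_mode" "$a_ouid" "$a_ogid"; then
            echo "OK    $a_node"
        else
            echo "DENY  $a_node (mode $a_mode uid $a_ouid gid $a_ogid)"
            a_denied=$(( a_denied + 1 ))
        fi
    done
    return "$a_denied"
}

# Usage (hypothetical script name): ./audit.sh weston /dev/dma_heap/* /dev/input/event* /dev/dri/*
if [ "$#" -ge 2 ]; then audit_nodes "$@"; fi
```

A DENY line for the service user points at a node that still needs a group assignment (for example via a udev rule) before the compositor or application can run without root.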