Details
-
Bug
-
Resolution: Unresolved
-
P2: Important
-
None
-
5.12.5, 5.13.1
-
None
-
Linux/Wayland,
Description
This applies to QtWayland.Compositor usage primarily but also to any application trying to run with the eglfs platform on a VT on a common Linux workstation.
Running an application with the eglfs platform works fine - if the user running the application is part of the "input" user group.
Adding a user to that group opens a security hole for multi-user and/or multi-process systems and all major Linux Wayland compositors (weston, gnome, kwin, sway, liri) use the feature provided by logind to acquire VT session control and get handed the file descriptor from logind via dbus, without the user being part of the input group.
This affects the "libinput" plugin as it is de-facto standard on Linux distributions and the supported way to do this.
TakeControl() allows a process to take exclusive managed device access-control for that session. Only one dbus-connection can be a controller for a given session at a time. If the force argument is set (root only), an existing controller is kicked out and replaced. Otherwise, this call fails if there is already a controller. Note that this call is limited to dbus-users with the effective UID set to the User of the Session or root. ReleaseControl() drops control of a given session again. Closing the dbus-connection implicitly releases control, too. See TakeControl() for more. This also releases all devices for the controller that were requested via TakeDevice(). TakeDevice() allows a session-controller to get a file-descriptor for a specific device. Pass in the major and minor numbers of the character-device and logind will return a file-descriptor for the device. Only a limited set of device-types is currently supported (but may be extended). logind automatically mutes the file-descriptor if the session is inactive and resumes it once the session gets active again. This guarantees that a session can only access session-devices if the session is active. Note that this revoke/resume mechanism is asynchronous and may happen at any given time. This only works on devices that are attached to the seat of the given session. A process is not required to have direct access to the device-node. logind only requires you to be the active session controller (see TakeControl()). Also note that any device can only be requested once. As long as you don't release it, further TakeDevice() calls will fail. ReleaseDevice() releases a device again (see TakeDevice()). This is also implicitly done by ReleaseControl() or when closing the dbus-connection.
As Qt support a wide range of platforms, devices and use-cases it seems not right to look for a change in the qt_safe_open behavior, but when used with the libinput plugin it should be possible to opt-in for this logind based behavior to not require a user to be part of that group.
I have already tried to implement a patch (attached) for
qtbase/src/platformsupport/input/libinput/qlibinputhandler.cpp
but it is not working (libinput still returns an error being unable to create a device, but no more permission denied errors so far). Also this probably should be optional, as there could be existing Qt applications that use eglfs with libinput but do not have logind available.