From 750ff1eab200946fb5ed90e1edd1437157e0fefa Mon Sep 17 00:00:00 2001 From: Mitchell R Date: Fri, 22 May 2026 23:35:40 +0200 Subject: [PATCH] fix(terminal): plain bash as bfkiosk, no sudo/root + journal via group --- .../01-install-kiosk/01-run-chroot.sh | 6 +-- kiosk/src/remote_debug.rs | 44 +++---------------- 2 files changed, 7 insertions(+), 43 deletions(-) diff --git a/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh b/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh index 0a91a77..782cfe6 100755 --- a/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh +++ b/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh @@ -7,16 +7,12 @@ if ! id -u bfkiosk >/dev/null 2>&1; then useradd -m -s /usr/sbin/nologin bfkiosk fi -for grp in video render input audio; do +for grp in video render input audio systemd-journal; do if getent group "$grp" >/dev/null; then usermod -a -G "$grp" bfkiosk fi done -# --- Passwordless sudo for bfkiosk (remote terminal runs as root) --- -echo 'bfkiosk ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/betterframe-kiosk -chmod 440 /etc/sudoers.d/betterframe-kiosk - # --- Binary --- install -d -o bfkiosk -g bfkiosk -m 755 /opt/betterframe/kiosk install -m 755 /tmp/bf-files/betterframe-kiosk /opt/betterframe/kiosk/betterframe-kiosk diff --git a/kiosk/src/remote_debug.rs b/kiosk/src/remote_debug.rs index 6a6c66a..88f0722 100644 --- a/kiosk/src/remote_debug.rs +++ b/kiosk/src/remote_debug.rs @@ -121,21 +121,11 @@ impl JournalStream { let kill_clone = kill.clone(); std::thread::spawn(move || { - // Use systemd-run to escape NoNewPrivileges and read journal as root. - let mut child = match Command::new("systemd-run") - .args([ - "--pipe", "--quiet", "--service-type=exec", - "--property=User=root", - "journalctl", "-u", "betterframe-kiosk", "-f", "--no-pager", "-o", "short-iso", "-n", "50", - ]) + let mut child = match Command::new("journalctl") + .args(["-f", "--no-pager", "-o", "short-iso", "-n", "50"]) .stdout(Stdio::piped()) .stderr(Stdio::piped()) .spawn() - .or_else(|_| Command::new("journalctl") - .args(["-f", "--no-pager", "-o", "short-iso", "-n", "50"]) - .stdout(Stdio::piped()) - .stderr(Stdio::piped()) - .spawn()) { Ok(c) => c, Err(e) => { @@ -223,36 +213,14 @@ pub struct TerminalSession { impl TerminalSession { pub fn spawn() -> Result<(Self, std::process::ChildStdout, std::process::ChildStderr), String> { - // The kiosk runs under NoNewPrivileges=yes (WebKit bwrap needs - // it), which blocks sudo/nsenter from this process tree. Use - // systemd-run to spawn a SEPARATE service unit that runs bash - // as root in its own process tree — not a child of the kiosk. - // The --pipe flag connects stdin/stdout/stderr to our process. - let mut child = Command::new("systemd-run") - .args([ - "--pipe", // connect stdio to us - "--quiet", // suppress service info on stderr - "--service-type=exec", - "--property=User=root", - "-E", "TERM=xterm-256color", - "-E", "HOME=/root", - "bash", "--login", - ]) + let mut child = Command::new("bash") + .args(["--login"]) .stdin(Stdio::piped()) .stdout(Stdio::piped()) .stderr(Stdio::piped()) + .env("TERM", "xterm-256color") .spawn() - .or_else(|_| { - // Fallback: plain bash as bfkiosk (limited but something). - Command::new("bash") - .args(["--login"]) - .stdin(Stdio::piped()) - .stdout(Stdio::piped()) - .stderr(Stdio::piped()) - .env("TERM", "xterm-256color") - .spawn() - }) - .map_err(|e| format!("shell spawn: {e}"))?; + .map_err(|e| format!("bash spawn: {e}"))?; let stdout = child.stdout.take().ok_or("no stdout")?; let stderr = child.stderr.take().ok_or("no stderr")?;