Re: [PATCH 2/2] host/rootfs: weston: run as non-root

9 Dec 2025

On 12/9/25 13:24, Alyssa Ross wrote:
...
WAYLAND_DISPLAY is moved from /run/wayland to /run/wayland/wayland
because the wayland user doesn't have permission to create a file in
/run.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY     | 2 +-
 host/rootfs/image/etc/s6-linux-init/run-image/etc/group     | 6 +++---
 host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd    | 1 +
 .../etc/s6-linux-init/run-image/service/root-terminal/run   | 2 ++
 host/rootfs/image/etc/s6-rc/weston/run                      | 3 +++
 5 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
index bbd390c4..111060fc 100644
--- a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
+++ b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
@@ -1 +1 @@
-/run/wayland
+/run/wayland/wayland
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
index fe72eb76..019f5525 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
@@ -2,9 +2,9 @@ root:x:0:root
 clock:x:1:
 dialout:x:2:
 kmem:x:3:
-input:x:4:
+input:x:4:wayland
 tty:x:5:
-video:x:6:
+video:x:6:wayland
 render:x:7:
 sgx:x:8:
 audio:x:9:
@@ -13,4 +13,4 @@ disk:x:11:
 cdrom:x:12:
 tape:x:13:
 kvm:x:14:
-wayland:x:15:
+wayland:x:15:wayland
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
index 29f3b252..50def56d 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
@@ -1 +1,2 @@
 root:x:0:0:System administrator:/:/bin/sh
+wayland:x:15:15:Wayland compositor:/:/bin/nologin
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
index 67ccfb45..86b9a1ef 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/root-terminal/run
@@ -4,6 +4,8 @@
s6-ipcserver-socketbinder -a 0700 /run/root-terminal
+if { chown wayland /run/root-terminal }
+
 fdmove 1 3
 s6-ipcserverd -1P
diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
index 2674ec0b..7d10b5b4 100644
--- a/host/rootfs/image/etc/s6-rc/weston/run
+++ b/host/rootfs/image/etc/s6-rc/weston/run
@@ -34,10 +34,13 @@ backtick HOME {
   homeof $user
 }
+if { install -do wayland -g wayland -m 0770 /run/wayland }
+if { chown wayland /dev/tty0 /dev/tty1 }
Why chown and not setfacl?
...
redirfd -r 0 /dev/tty1
importas -i home HOME
 cd $home
 if { udevadm wait /dev/dri/card0 }
 unshare --cgroup --ipc --net --uts
+s6-setuidgid wayland
 weston -S $WAYLAND_DISPLAY
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

    