Running Wayland Clients as Non-Root Users on Yocto
10 days ago
- #Embedded Linux
- #Wayland
- #Cybersecurity
- Embedded Linux systems often use Weston as a Wayland compositor for window management.
- Qt applications typically run as Wayland clients, with Weston composing their windows into a single display.
- Running Qt applications as root violates the cybersecurity principle of least privilege, a concern highlighted by the EU Cyber Resilience Act (EU CRA).
- The issue stems from permissions on the Wayland socket file `/run/wayland-0`, which restricts communication to root or the `weston` user.
- Two potential solutions are proposed: running applications as the `weston` user or adjusting socket permissions to include other users.
- A detailed approach involves modifying Yocto recipes to ensure Weston and Qt applications run as non-root users, with static user IDs for consistency.
- The solution includes changes to `weston.service`, `weston.socket`, and the creation of an environment file `/etc/default/weston-client` for shared settings.
- This ensures Wayland clients and server use the same socket file name, enhancing system security and compliance with EU CRA.