Support adding X server to secondary groups in sesman.ini

[matt335672]

This is something that's come up a few times, related primarily to Glamor on supported platforms. Now we're looking at other types of rendering, it's perhaps become a little more pressing.

The description below can perhaps be clarified in places - feel free to add comments.

The rendering interface, on Linux at least, is provided via files such as /dev/dri/renderD128. These files allow kernel render nodes to be accessed. Here's an example from Ubuntu 22.04 (other systems may vary):-

 ls -l /dev/dri/renderD128 
crw-rw----+ 1 root render 226, 128 Oct 25 11:33 /dev/dri/renderD128

Typically, the program accessing the render node (Xorg in our case) needs some kind of privilege. In the above example, the program needs to be in the render group to open the device. With the current software set, this means the logged-in xrdp user has to be added to the render group.

This can, of course, be done via the standard UNIX groups mechanism, but then all the user's processes are part of the group, rather than just the X server.

I'm proposing adding something to sesman.ini so that sesexec can automatically add X server processes to required groups. This could be something like:-

[Xorg]
param=/usr/lib/xorg/Xorg
. . .
ExtraGroups=render

Alternatively we could add it to the [Sessions] section, or add a new section.

What do people think? Is this a good idea, or are there limitations which make it impractical?

[matt335672]

@jsorg71 , @Nexarian - if you've got time to add some thoughts on this I'd be grateful. You both know a lot more about this area than I do.

[jsorg71]

First of all, I didn't know you could do that.
But I'm not sure that is the best solution. If you want to use hardware acceleration, I think it's best that it's a manual process so the user clearly wants it.
These days many apps access the render nodes directly. Even Chromium and QT apps can access them so the user needs to be setup anyway.

[matt335672]

That's useful info - thanks.