[opensuse-support] leap 15.2 - what controls access from remote session (ssh/vnc) to local sound devices?
Hi, I am trying to play local sound initiated from remote shell (vnc and ssh). Imagine using headless PC connected to speakers. Can someone point me in the right direction as to what prevents the local audio devices being visible in vncserver on leap 15.*? All I see is dummy sound output device and I cannot make any sound through that. Thank you, Tomas -- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org
El 2020-09-08 a las 16:15 -0700, tomas.kuchta.lists@gmail.com escribió:
Hi,
I am trying to play local sound initiated from remote shell (vnc and ssh). Imagine using headless PC connected to speakers.
Can someone point me in the right direction as to what prevents the local audio devices being visible in vncserver on leap 15.*?
All I see is dummy sound output device and I cannot make any sound through that.
Excuse my question, I'm a bit sleepy yet - can't take coffee, just weak tea ;-) - so there is something I don't have clear. Computer A (client) starts ssh connected to computer B (server). You start inside ssh something that should produce a sound. Where do you expect it, on A (client) or B (server)? The application is actually running in B, but is displaying in A, so the sound IMO should be generated and played on B - yet the user is in A, so he will likely not hear it. But somebody sitting at the server might hear the blast and be mightily surprised. Right? I just tested this. A: desktop, "Andor" B: laptop, "minas-tirith" cer@Andor:~> ssh -X cer@192.168.1.129 Password: Last login: Wed Sep 9 11:03:39 2020 from 192.168.1.136 Have a lot of fun... cer@minas-tirith:~> cer@minas-tirith:~> cd Music/ cer@minas-tirith:~/Music> l total 9168 drwxr-xr-x 2 cer users 288 Jul 15 2015 ./ drwxr-xr-x 131 cer users 11912 Sep 9 11:17 ../ -rw-r--r-- 1 cer users 639197 Jul 15 2015 vlc-record-2015-07-15-03h17m30s-RadioTunes - Relaxation-Aetherium - Throat Chakra (Chakra Gold).mp4 -rw-r--r-- 1 cer users 8723764 Jul 15 2015 vlc-record-2015-07-15-03h20m36s-RadioTunes - Relaxation-Aeoliah - Windsong (Love In The Wind).mp4 cer@minas-tirith:~/Music> vlc vlc-record-2015-07-15-03h20m36s-RadioTunes\ -\ Relaxation-Aeoliah\ -\ Windsong\ (Love\ In\ The\ Wind).mp4 VLC media player 3.0.9.2 Vetinari (revision 3.0.9.2-0-gd4c1aefe4d) [0000563b1e1e6050] vlcpulse audio output error: PulseAudio server connection failure: Connection refused [0000563b1e101cb0] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface. ... The vlc application displays in A, but the sound is playing on B speakers. I think this is what I would expect. I'm using 15.1 -- Cheers Carlos E. R. (from openSUSE Leap 15.1 x86_64 (Minas Tirith))
Moin, On Wed, 09 Sep 2020, 01:15:45 +0200, tomas.kuchta.lists@gmail.com wrote:
Hi,
I am trying to play local sound initiated from remote shell (vnc and ssh). Imagine using headless PC connected to speakers.
to my knowledge, VNC does not support sound devices.
Can someone point me in the right direction as to what prevents the local audio devices being visible in vncserver on leap 15.*?
All I see is dummy sound output device and I cannot make any sound through that.
RDP should be able to redirect sound devices, too. I use freerdp to connect to various Windows systems and I hear their sound on my local WS. I see there exists a freerdp-server as well, but I haven't set up one for my Linux systems - might be something to look at.
Thank you, Tomas
HTH, cheers. l8er manfred
I expected confusion, .... To clarify - I am not asking about forwarding sound through remote connection to ssh/vnc client side. I would like to figure out how to access sound devices on vnc server to play sounds on vnc server. As described in the original post - it seems that something is restricting access to local HW devices on the server. Perhaps it is not access control/restriction, but some conflict or exclusive access from something on the server side. I am not sure. Thank you, Tomas
Hi Tomas, On Wed, 09 Sep 2020, 17:29:44 +0200, Tomas Kuchta wrote:
I expected confusion, ....
To clarify - I am not asking about forwarding sound through remote connection to ssh/vnc client side.
I would like to figure out how to access sound devices on vnc server to play sounds on vnc server.
As described in the original post - it seems that something is restricting access to local HW devices on the server. Perhaps it is not access control/ restriction, but some conflict or exclusive access from something on the server side. I am not sure.
first thing which comes to mind is group "audio"; IIRC only members of the "audio" group are allowed to access sound related devices. When you're using PulseAudio, there might be an issue if it allows access for other/remote services at all. You can use "paprefs" to allow/disallow access to those devices which PA already controls on your local system.
Thank you, Tomas
HTH, cheers. l8er manfred
On 9/10/20 1:29 AM, Manfred Hollstein wrote:
Hi Tomas,
On Wed, 09 Sep 2020, 17:29:44 +0200, Tomas Kuchta wrote:
I expected confusion, ....
To clarify - I am not asking about forwarding sound through remote connection to ssh/vnc client side.
I would like to figure out how to access sound devices on vnc server to play sounds on vnc server.
As described in the original post - it seems that something is restricting access to local HW devices on the server. Perhaps it is not access control/ restriction, but some conflict or exclusive access from something on the server side. I am not sure.
first thing which comes to mind is group "audio"; IIRC only members of the "audio" group are allowed to access sound related devices. When you're using PulseAudio, there might be an issue if it allows access for other/remote services at all. You can use "paprefs" to allow/disallow access to those devices which PA already controls on your local system.
This is no longer true, now it is managed by logind, I can "ssh -X" into my desktop from my laptop launch clementine and play music through my desktop speakers, however that might also be related to me also being currently logged into that machine although they were treated as separate sessions. How to configure logind / polkit to allow non graphical users to have audio, i've only really messed with it for network. https://www.freedesktop.org/software/systemd/man/loginctl.html# -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
On Thu, 2020-09-10 at 16:19 +0930, Simon Lees wrote:
On 9/10/20 1:29 AM, Manfred Hollstein wrote:
Hi Tomas,
On Wed, 09 Sep 2020, 17:29:44 +0200, Tomas Kuchta wrote:
I expected confusion, ....
To clarify - I am not asking about forwarding sound through remote connection to ssh/vnc client side.
I would like to figure out how to access sound devices on vnc server to play sounds on vnc server.
As described in the original post - it seems that something is restricting access to local HW devices on the server. Perhaps it is not access control/ restriction, but some conflict or exclusive access from something on the server side. I am not sure.
first thing which comes to mind is group "audio"; IIRC only members of the "audio" group are allowed to access sound related devices. When you're using PulseAudio, there might be an issue if it allows access for other/remote services at all. You can use "paprefs" to allow/disallow access to those devices which PA already controls on your local system.
This is no longer true, now it is managed by logind, I can "ssh -X" into my desktop from my laptop launch clementine and play music through my desktop speakers, however that might also be related to me also being currently logged into that machine although they were treated as separate sessions. How to configure logind / polkit to allow non graphical users to have audio, i've only really messed with it for network.
https://www.freedesktop.org/software/systemd/man/loginctl.html#
Thank you all for the suggestions - it is resolved by adding myself to audio group. A few observations: polkit - I could not figure out the polkit in any reasonable time - even what it actually controls, how, it works, how and what to configure, even the format of its default config is not clearly/easily described. I am not even sure if it actually is active - given your suggestions - I trust that it is. paprefs - the network settings had no effect on the local sound device "invisibility". groups - adding self to audio group + logout/restart vnc/login made all the local audio devices visible to me in vncserver and the sound works. It is complete mystery to me - how I could have had access to the sound devices without being audio group member from local graphical session. Only root and audio group has access to the sound devices /dev/snd/* So, I should not have been able to make any sounds without the audio group membership: ls -l /dev/snd/* crw-rw----+ 1 root audio 116, 17 Sep 10 19:18 /dev/snd/controlC0 crw-rw----+ 1 root audio 116, 4 Sep 10 19:18 /dev/snd/controlC1 crw-rw----+ 1 root audio 116, 7 Sep 10 19:18 /dev/snd/controlC2 crw-rw----+ 1 root audio 116, 15 Sep 10 19:18 /dev/snd/hwC0D0 crw-rw----+ 1 root audio 116, 16 Sep 10 19:18 /dev/snd/hwC0D2 crw-rw----+ 1 root audio 116, 9 Sep 10 19:51 /dev/snd/pcmC0D0c crw-rw----+ 1 root audio 116, 8 Sep 10 19:51 /dev/snd/pcmC0D0p crw-rw----+ 1 root audio 116, 14 Sep 10 19:50 /dev/snd/pcmC0D10p crw-rw----+ 1 root audio 116, 10 Sep 10 19:50 /dev/snd/pcmC0D3p crw-rw----+ 1 root audio 116, 11 Sep 10 19:50 /dev/snd/pcmC0D7p crw-rw----+ 1 root audio 116, 12 Sep 10 19:50 /dev/snd/pcmC0D8p crw-rw----+ 1 root audio 116, 13 Sep 10 19:50 /dev/snd/pcmC0D9p crw-rw----+ 1 root audio 116, 3 Sep 10 19:51 /dev/snd/pcmC1D0c crw-rw----+ 1 root audio 116, 2 Sep 10 19:51 /dev/snd/pcmC1D0p crw-rw----+ 1 root audio 116, 6 Sep 10 19:51 /dev/snd/pcmC2D0c crw-rw----+ 1 root audio 116, 5 Sep 10 19:51 /dev/snd/pcmC2D0p crw-rw----+ 1 root audio 116, 1 Sep 10 19:18 /dev/snd/seq crw-rw----+ 1 root audio 116, 33 Sep 10 19:18 /dev/snd/timer If someone could explain this in a few sentences - I would really appreciate it. Thanks again, Tomas -- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org
On 9/11/20 10:05 AM, tomas.kuchta.lists@gmail.com wrote:
If someone could explain this in a few sentences - I would really appreciate it.
https://wiki.ubuntu.com/Audio/TheAudioGroup except instead of using consolekit it now uses parts of the systemd/logind stack. In short a user who is logged in graphically will gain access to audio / keyboard / mouse / display devices. A user logged in remotely should generally not have access as a security feature. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
On Fri, 2020-09-11 at 12:52 +0930, Simon Lees wrote:
On 9/11/20 10:05 AM, tomas.kuchta.lists@gmail.com wrote:
If someone could explain this in a few sentences - I would really appreciate it.
https://wiki.ubuntu.com/Audio/TheAudioGroup except instead of using consolekit it now uses parts of the systemd/logind stack. In short a user who is logged in graphically will gain access to audio / keyboard / mouse / display devices. A user logged in remotely should generally not have access as a security feature.
Thank you Simon - I am starting to connect the dots - this is real deep rabbit hole though. Carlos mentioned seats - I thought that it is just bad translation for user account - I am slowly starting to remember the old mainframes and Vax's and their system topology. I will dig little deeper - though - I am not sure that this whole thing is meant to be dynamically configurable by user rather than rewriting sddm or systemd or .... to implement assigning seat to vnc session when there is no active local session with the seat need + some sort of seat switching or moving HW around the seats with priorities ..... There seems to be handful of random people trying to figure this out every decade. There is a lot of info about introspection API - not so much how to control it beside header files and programming interface description to D.Bus. Maybe, creating a seat for VNC session and assigning a sound card to it is as simple as adding some magic d.Bus calls to VNC xstartup. My early guess is that I will not be able to come up with anything better than the audio group membership with all its possible side effects - within a day or two before I giving up. Have a great weekend, Tomas -- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org
On 11/09/2020 09.46, tomas.kuchta.lists@gmail.com wrote:
On Fri, 2020-09-11 at 12:52 +0930, Simon Lees wrote:
On 9/11/20 10:05 AM, tomas.kuchta.lists@gmail.com wrote:
If someone could explain this in a few sentences - I would really appreciate it.
https://wiki.ubuntu.com/Audio/TheAudioGroup except instead of using consolekit it now uses parts of the systemd/logind stack. In short a user who is logged in graphically will gain access to audio / keyboard / mouse / display devices. A user logged in remotely should generally not have access as a security feature.
Thank you Simon - I am starting to connect the dots - this is real deep rabbit hole though.
Carlos mentioned seats - I thought that it is just bad translation for user account - I am slowly starting to remember the old mainframes and Vax's and their system topology.
No, it refers to the user that is seated at the machine. It is assumed that the user that has the currently active local session has the seat. ...
My early guess is that I will not be able to come up with anything better than the audio group membership with all its possible side effects - within a day or two before I giving up.
Unless somebody documents (doc.opensuse.org or wiki.opensuse.org) how it is actually done and how can we modify it, the groups is the only practical way. And not always, because in my machine I want root to make sounds from cron scripts, and he gets no permissions. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
11.09.2020 13:31, Carlos E. R. пишет:
Carlos mentioned seats - I thought that it is just bad translation for user account - I am slowly starting to remember the old mainframes and Vax's and their system topology.
No, it refers to the user that is seated at the machine. It is assumed that the user that has the currently active local session has the seat.
No, "seat" refers to collection hardware that is considered to belong to the same "workplace". I.e. monitor, keyboard, mouse.
On Fri, 11 Sep 2020 22:30:19 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
11.09.2020 13:31, Carlos E. R. пишет:
Carlos mentioned seats - I thought that it is just bad translation for user account - I am slowly starting to remember the old mainframes and Vax's and their system topology.
No, it refers to the user that is seated at the machine. It is assumed that the user that has the currently active local session has the seat.
No, "seat" refers to collection hardware that is considered to belong to the same "workplace". I.e. monitor, keyboard, mouse.
Exactly, although in this context it might be important to mention the sound hardware too... -- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org
On 11/09/2020 23.27, Dave Howorth wrote:
On Fri, 11 Sep 2020 22:30:19 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
11.09.2020 13:31, Carlos E. R. пишет:
Carlos mentioned seats - I thought that it is just bad translation for user account - I am slowly starting to remember the old mainframes and Vax's and their system topology.
No, it refers to the user that is seated at the machine. It is assumed that the user that has the currently active local session has the seat.
No, "seat" refers to collection hardware that is considered to belong to the same "workplace". I.e. monitor, keyboard, mouse.
Exactly, although in this context it might be important to mention the sound hardware too...
Well, no: the person that has the seat is given the sound as well :-) And the DVD, the sticks, video... -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
On Fri, 11 Sep 2020 23:48:32 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 11/09/2020 23.27, Dave Howorth wrote:
On Fri, 11 Sep 2020 22:30:19 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
11.09.2020 13:31, Carlos E. R. пишет:
Carlos mentioned seats - I thought that it is just bad translation for user account - I am slowly starting to remember the old mainframes and Vax's and their system topology.
No, it refers to the user that is seated at the machine. It is assumed that the user that has the currently active local session has the seat.
No, "seat" refers to collection hardware that is considered to belong to the same "workplace". I.e. monitor, keyboard, mouse.
Exactly, although in this context it might be important to mention the sound hardware too...
Well, no: the person that has the seat is given the sound as well :-) And the DVD, the sticks, video...
Exactly. The sound hardware is part of the 'seat'. I should have added a smiley as well as the ... :) -- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org
On 9/11/20 5:16 PM, tomas.kuchta.lists@gmail.com wrote:
On Fri, 2020-09-11 at 12:52 +0930, Simon Lees wrote:
On 9/11/20 10:05 AM, tomas.kuchta.lists@gmail.com wrote:
If someone could explain this in a few sentences - I would really appreciate it.
https://wiki.ubuntu.com/Audio/TheAudioGroup except instead of using consolekit it now uses parts of the systemd/logind stack. In short a user who is logged in graphically will gain access to audio / keyboard / mouse / display devices. A user logged in remotely should generally not have access as a security feature.
Thank you Simon - I am starting to connect the dots - this is real deep rabbit hole though.
Carlos mentioned seats - I thought that it is just bad translation for user account - I am slowly starting to remember the old mainframes and Vax's and their system topology.
I will dig little deeper - though - I am not sure that this whole thing is meant to be dynamically configurable by user rather than rewriting sddm or systemd or .... to implement assigning seat to vnc session when there is no active local session with the seat need + some sort of seat switching or moving HW around the seats with priorities .....
There seems to be handful of random people trying to figure this out every decade. There is a lot of info about introspection API - not so much how to control it beside header files and programming interface description to D.Bus. Maybe, creating a seat for VNC session and assigning a sound card to it is as simple as adding some magic d.Bus calls to VNC xstartup.
My early guess is that I will not be able to come up with anything better than the audio group membership with all its possible side effects - within a day or two before I giving up.
If its a signal user machine or you trust all the users that you want to give access to the audio group then there are no downsides to adding the user to the audio group. The defaults these days is users shouldn't have to because they will login normally. The reason it is setup like this is for places like universities where multiple users may share the same computer in a lab but you only want the one that is actually sitting at the desk in front of the PC to have access (This is the idea of the user with the seat). Atleast when I was at uni it was possible to ssh into a imac that someone else was sitting at and play music on there computer, they couldn't do anything to stop the music this is not ideal so the default configuration prevents it, in your case you want it for good reason hence needing to do something non standard. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
Moin, On Fri, 11 Sep 2020, 02:35:39 +0200, tomas.kuchta.lists@gmail.com wrote:
[...] Thank you all for the suggestions - it is resolved by adding myself to audio group.
Great to hear!
[...] groups - adding self to audio group + logout/restart vnc/login made all the local audio devices visible to me in vncserver and the sound works.
It is complete mystery to me - how I could have had access to the sound devices without being audio group member from local graphical session.
Only root and audio group has access to the sound devices /dev/snd/* So, I should not have been able to make any sounds without the audio group membership:
ls -l /dev/snd/* crw-rw----+ 1 root audio 116, 17 Sep 10 19:18 /dev/snd/controlC0 crw-rw----+ 1 root audio 116, 4 Sep 10 19:18 /dev/snd/controlC1 crw-rw----+ 1 root audio 116, 7 Sep 10 19:18 /dev/snd/controlC2 crw-rw----+ 1 root audio 116, 15 Sep 10 19:18 /dev/snd/hwC0D0 crw-rw----+ 1 root audio 116, 16 Sep 10 19:18 /dev/snd/hwC0D2 crw-rw----+ 1 root audio 116, 9 Sep 10 19:51 /dev/snd/pcmC0D0c crw-rw----+ 1 root audio 116, 8 Sep 10 19:51 /dev/snd/pcmC0D0p crw-rw----+ 1 root audio 116, 14 Sep 10 19:50 /dev/snd/pcmC0D10p crw-rw----+ 1 root audio 116, 10 Sep 10 19:50 /dev/snd/pcmC0D3p crw-rw----+ 1 root audio 116, 11 Sep 10 19:50 /dev/snd/pcmC0D7p crw-rw----+ 1 root audio 116, 12 Sep 10 19:50 /dev/snd/pcmC0D8p crw-rw----+ 1 root audio 116, 13 Sep 10 19:50 /dev/snd/pcmC0D9p crw-rw----+ 1 root audio 116, 3 Sep 10 19:51 /dev/snd/pcmC1D0c crw-rw----+ 1 root audio 116, 2 Sep 10 19:51 /dev/snd/pcmC1D0p crw-rw----+ 1 root audio 116, 6 Sep 10 19:51 /dev/snd/pcmC2D0c crw-rw----+ 1 root audio 116, 5 Sep 10 19:51 /dev/snd/pcmC2D0p crw-rw----+ 1 root audio 116, 1 Sep 10 19:18 /dev/snd/seq crw-rw----+ 1 root audio 116, 33 Sep 10 19:18 /dev/snd/timer
If someone could explain this in a few sentences - I would really appreciate it.
Notice the + at the end of the permissions! It's an indication that those files have file ACLs assigned. I guess some udev rule is setting them up. To see the content of the ACL you can use 'getfacl': # getfacl /dev/snd/seq getfacl: Removing leading '/' from absolute path names # file: dev/snd/seq # owner: root # group: audio user::rw- user:manfred:rw- group::rw- mask::rw- other::--- As you can see, the user logged in at the WS has been added with "rw" access even though the file is owned by root:audio.
Thanks again, Tomas
HTH, cheers. l8er manfred
On 11/09/2020 02.35, tomas.kuchta.lists@gmail.com wrote:
On Thu, 2020-09-10 at 16:19 +0930, Simon Lees wrote:
Only root and audio group has access to the sound devices /dev/snd/* So, I should not have been able to make any sounds without the audio group membership:
ls -l /dev/snd/* crw-rw----+ 1 root audio 116, 17 Sep 10 19:18 /dev/snd/controlC0
............^ Notice that '+'. There are ACLs. Access Control Lists.
If someone could explain this in a few sentences - I would really appreciate it.
-- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
El 2020-09-09 a las 08:29 -0700, Tomas Kuchta escribió:
I expected confusion, ....
To clarify - I am not asking about forwarding sound through remote connection to ssh/vnc client side. I would like to figure out how to access sound devices on vnc server to play sounds on vnc server.
As described in the original post - it seems that something is restricting access to local HW devices on the server. Perhaps it is not access control/restriction, but some conflict or exclusive access from something on the server side. I am not sure.
It works if the user in the ssh session is the same user as has the seat in the server. -- Cheers Carlos E. R. (from openSUSE Leap 15.1 x86_64 (Minas Tirith))
participants (7)
-
Andrei Borzenkov -
Carlos E. R. -
Dave Howorth -
Manfred Hollstein -
Simon Lees -
Tomas Kuchta -
tomas.kuchta.lists@gmail.com