GDM and pulseaudio in Archlinux
Aug 11, 2017

Recently I decided to migrate to GNOME 3 after 4 years of using Cinnamon as my desktop environment. I like Cinnamon but unfortunately it will never get the same amount of polish and, more importantly, developer attention as GNOME currently does. The transition in general was smooth and after tinkering for an hour or so with some extensions I was satisfied with the environment and the general workflow; much better than my first experience with GNOME when it first rolled out.

If you sense a “but…” coming you are correct. Apart from Cinnamon I was also using LightDM as display manager and I initially saw no reason to migrate it to GDM since it was doing its one job, namely logging you into the damn system, without any hiccups, for oh so many years now. However, for a reason I cannot fathom, GNOME needs GDM and only GDM in order to be able to lock your desktop. After seeing no other way to make locking work with LightDM and GNOME I begrudgingly installed GDM, a downgrade from LightDM—to say the least. GDM is by far the most inflexible piece of software in desktop Linux. There are a lot of things that I dislike about GDM but this is not a rant, so…

The issue with pulseaudio and mpd

If you want to use a global mpd instance with Pulseaudio then you probably have to follow the details on how to allow connections from the systemd mpd instance to the pulseaudio daemon that is usually spawned by the desktop environment or systemd user service. So by just adding

load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1

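to /etc/pulse/default.pa you allow connections from applications running on localhost. Note that auth-ip-acl admits any client connecting from a listed address without the usual cookie authentication, so this opens the daemon to every local user and process, not only mpd. You could then specify the pulseaudio server address in your mpd.conf like so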

audio_output {
  type  "pulse"
  name  "Pulseaudio"
  server "127.0.0.1"
}

The whole process, even if it is arduous, makes sense, since you need to somehow limit access to the user’s pulseaudio from other users (in this case mpd, the user MPD is running under). What does not make sense, however, is that GDM launches its own instance of pulseaudio that effectively masks your process since it uses its own default.pa for configuration. Now, I understand why GDM might need access to your sound hardware, especially for screen readers. The thing is, there is no sane way to relinquish control of pulseaudio once the user is logged in. The root of the problem is obvious. The security model of pulseaudio effectively prohibits it from running as a system-wide service and we have to resort to tedious hacks to get it working as one would expect in several cases. Now you could just dig through the mud of the UNDOCUMENTED GDM configuration to find out how to prevent it from spawning or allowing remote connections, but since in my case I do not really need sound from my login manager I might as well go with the nuclear option: prevent GDM from executing pulseaudio.

The workaround

Thankfully most Linux filesystems allow Access Control Lists (ACL for short) so you can have finely tuned permissions on your files. As such we can easily remove the executable bit for the gdm user.

sudo setfacl -m u:gdm:r /usr/bin/pulseaudio

The above allows only read access (r) to /usr/bin/pulseaudio but no execute access (x). So in effect the gdm user can’t execute pulseaudio at all.

To accommodate future updates of pulseaudio you can also drop a pacman hook into /usr/share/libalpm/hooks/ which will reapply the setfacl command when /usr/bin/pulseaudio is installed or updated

[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/bin/pulseaudio

[Action]
Description = Preventing gdm from starting pulseaudio...
Exec = /usr/bin/setfacl -m u:gdm:r /usr/bin/pulseaudio
When = PostTransaction
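
To check that the ACL is actually in force, and that an upgrade has not silently reset it, you can evaluate getfacl output for the gdm user. The following is an added example, not part of the original post: the function name and the two sample ACL listings are constructed for illustration, and it assumes gdm is neither the file's owner nor a member of its owning group.

```shell
#!/bin/sh
# Decide from `getfacl` output (on stdin) whether USER may execute the file.
# POSIX ACL rule used here: a named-user entry wins over group/other, and its
# permissions are additionally limited by the mask entry.
# Assumption: USER is not the owner and not in the owning group, so without a
# named entry the "other" entry applies.
acl_user_can_exec() {
    awk -F: -v u="$1" '
        /^#/ || NF < 3 { next }               # skip header comments and blanks
        { sub(/[ \t]*#.*/, "", $3) }          # drop trailing "#effective:..." notes
        $1 == "user"  && $2 == u { named = $3 }
        $1 == "mask"             { mask  = $3 }
        $1 == "other"            { other = $3 }
        END {
            if (named != "")
                ok = (named ~ /x/) && (mask == "" || mask ~ /x/)
            else
                ok = (other ~ /x/)
            print (ok ? "yes" : "no")
        }'
}

# Constructed sample: listing after `setfacl -m u:gdm:r /usr/bin/pulseaudio`.
ACL_APPLIED='# file: usr/bin/pulseaudio
# owner: root
# group: root
user::rwx
user:gdm:r--
group::r-x
mask::r-x
other::r-x'

# Constructed sample: listing after a package upgrade replaced the binary
# and no hook reapplied the ACL.
ACL_RESET='# file: usr/bin/pulseaudio
# owner: root
# group: root
user::rwx
group::r-x
other::r-x'

# On a real system: getfacl -p /usr/bin/pulseaudio | acl_user_can_exec gdm
for sample in "$ACL_APPLIED" "$ACL_RESET"; do
    printf '%s\n' "$sample" | acl_user_can_exec gdm
done
```

A "yes" for gdm means the workaround is no longer active and GDM can start its own pulseaudio again.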

The problem with GDM and GNOME in general is that it makes too many damn assumptions for what you want to do. This is good in general for newbies but the moment you walk off the beaten path there are heaps of undocumented configuration you have to dig through to make your system behave. Until the next update, when GNOME will remove yet another option from dconf to screw you. I wish there was a decent desktop environment that would cater to power users as well while being actually usable at the same time. I suppose I could go the “roll your own” way with openbox or some other lightweight window manager, but I feel so tired of tinkering at times, I just want the damn thing to work so that I can work too.