GDM and pulseaudio in Archlinux
Aug 11, 2017
4 minute read

Recently I decided to migrate to GNOME 3 after 4 years of using Cinnamon as my desktop environment. I like Cinnamon but unfortunately it will never get the amount of polish and more importantly developer attention as GNOME currently does. The transition in general was smooth and after tinkering for an hour or so with some extensions I was satisfied with the environment and the general workflow; much better than my first experience with GNOME when it first rolled out.

If you sense a “but…” coming you are correct. Apart from Cinnamon I was also using LightDM as display manager and I initially saw no reason to migrate it to GDM since it was doing its one job, namely logging you into the damn system, without any hiccups, for oh so many years now. However, for a reason I cannot fathom why, GNOME needs GDM and only GDM in order to be able to lock your desktop. After seeing no other way to make locking work with LightDM and GNOME I begrudgingly installed GDM, a downgrade from LightDM—to say the least. GDM is by far the most inflexible piece of software in desktop Linux. There are a lot of thing that I dislike about GDM but this is not a rant, so…

The issue with pulseaudio and mpd

If you want to use a global mpd instance with Pulseaudio then you probably have to follow the details on how to allow connections from the systemd mpd instance to the pulseaudio daemon that is usually spawned by the desktop environent or systemd user service. So by just adding

load-module module-native-protocol-tcp auth-ip-acl=

to /etc/pulse/ you allow connections from applications running on localhost. You could then specify the pulseaudio server address on your mpd.conf like so

audio_output {
  type  "pulse"
  name  "Pulseaudio"
  server ""

The whole process even if it is arduous, it makes sense, since you need somehow to limit access to the user’s pulseaudio from other users (in this case mpd, the user MPD is running under). What does not make sense, however, is that GDM launches its own instance of pulseaudio that effectively masks your process since it uses its own for configuration. Now, I understand why GDM might need access to your sound hardware especially for screen readers. The thing is there is no sane way to relinquish control of pulseaudio once the user is logged in. The root of the problem is obvious. The security model of pulseaudio effectively prohibits it from running as a system-wide service and we have to resort to tedious hacks to get it working as one would expect in several cases. Now you could just dig through the mud of the UNDOCUMENTED GDM configuration to find out how to prevent it from spawning or allowing remote connections but since in my case I do not really need sound from my login manager I might as well go with the nuclear option: prevent GDM from executing pulseaudio.

The workaround

Thankfully most linux filesystems allow Access Control Lists (ACL for short) so you can have finely tuned permissions on your files. As such we can easily remove the executable bit for the gdm user.

sudo setfacl -m u:gdm:r /usr/bin/pulseaudio

The above allows only read access (r) to /usr/bin/pulseaudio but no execute access (x). So in effect the gdm user can’t execute pulseaudio at all.

To accomodate for future updates of pulseaudio you can also pop in a pacman hook into /usr/share/libalpm/hooks/ which will reapply the setfacl command when /usr/bin/pulseaudio is installed or updated

Operation = Install
Operation = Upgrade
Type = File
Target = usr/bin/pulseaudio

Description = Preventing gdm from starting pulseaudio...
Exec = /usr/bin/setfacl -m u:gdm:r /usr/bin/pulseaudio
When = PostTransaction

The problem with GDM and GNOME in general is that it makes too many damn assumptions for what you want to do. This is good in general for newbies but the moment you walk off the beaten path there are heaps of undocumented configuration you have to dig through to make your system behave. Until the next update, when GNOME will remove yet another option from dconf to screw you. I wish there was a decent desktop environment that would cater to power users as well while being actually usable at the same time. I suppose I could go the “roll your own” way with openbox or some other lightweight window manager, but I feel so tired of tinkering at times, I just want the damn thing to work so that I can work too.