Many embedded Linux systems use a Wayland compositor like Weston for window management. Qt applications act as Wayland clients. Weston composes the windows of the Qt applications into a single window and displays it on a screen. I still have to find a Yocto layer that does not start Qt applications as root. This violates the cybersecurity principle of least privilege: every application should run with only the privileges it actually needs. Let us figure out how to run Qt applications as non-root users and make our system more secure.

Context

We build our embedded Linux system with Yocto (Yocto 5.0 "scarthgap" at the time of writing). The system uses the default Wayland compositor Weston to show one or more Qt applications – the Wayland clients – on a display. From the Qt example applications in the meta-boot2qt layer or in other vendor BSPs, we might have cobbled together a systemd service unit b4-simple-app.service like this:

[Service]
Type=simple
User=root
Environment=XDG_RUNTIME_DIR=/run/user/0
Environment=WAYLAND_DISPLAY=/run/wayland-0
Environment=QT_QPA_PLATFORM=wayland-egl
ExecStart=/usr/bin/B4SimpleApp

This service starts the Qt application B4SimpleApp as root. I always felt a bit uneasy about this solution, but it worked and was suggested by experts. Anyway, customers didn't want to pay for anything better. However, the arrival of the EU Cyber Resilience Act (EU CRA) turned the tables. Running applications as root violates the cybersecurity principle of least privilege – and the EU CRA.

Why are Wayland clients run as root?

The reason is the permissions of the socket file /run/wayland-0, through which the Wayland server and its clients communicate.
torizon@verdin-imx8mp-06965633:~$ sudo ls -l /run/wayland-0
srwxr-xr-x 1 weston weston 0 Aug 10 12:28 /run/wayland-0

The socket is owned by user and group weston, and only the owner has the write bit set. Connecting to a Unix domain socket requires write permission on the socket file (plus search permission on every directory leading to it), so only weston itself and root, which bypasses these permission checks, can connect. If the Qt application is started as a non-root user other than weston – say, torizon with user and group ID 1000 – starting the Qt application B4SimpleApp will fail with the error B4SimpleApp[817]: Failed to...
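To reason about this failure without a board at hand, here is an added diagnostic script (my own example, not code from the original post or from Weston/Qt). It reproduces the discretionary access check the kernel applies to connect(2) on a Unix domain socket: write permission on the socket file and search permission on each directory in its path, with root bypassing both. The numeric IDs used in the comments (weston as uid/gid 999, torizon as 1000) are assumptions; only the torizon ID 1000 comes from the post.

```python
"""Why can't a non-root user connect to /run/wayland-0?

Added example (not from the original post).  connect(2) on a Unix-domain
socket needs write permission on the socket file and search (x) permission
on every directory leading to it.  Root bypasses both checks, which is why
a root-run Qt client "just works" and a client run as torizon (uid 1000)
does not.  The pure functions below model that check; diagnose() applies
it to a real path on a live system.

Caveat: this models classic owner/group/other bits only.  POSIX ACLs or an
LSM such as SELinux/SMACK can still deny access even when these bits allow.
"""
import grp
import os
import pwd
import stat
import sys


def _class_bits(mode, owner_uid, owner_gid, uid, gids, user_bit, group_bit, other_bit):
    """Pick the permission class that applies to uid and test one bit of it."""
    if uid == 0:
        return True  # root bypasses discretionary access control
    if uid == owner_uid:
        return bool(mode & user_bit)
    if owner_gid in gids:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def can_connect(mode, owner_uid, owner_gid, uid, gids):
    """True if a process with uid (member of groups gids) may connect() to a
    socket file with these permission bits and ownership.

    Example from the post: srwxr-xr-x weston:weston (assume 999:999), client
    torizon uid 1000 in group 1000 -> False; root -> True."""
    return _class_bits(mode, owner_uid, owner_gid, uid, gids,
                       stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def can_traverse(mode, owner_uid, owner_gid, uid, gids):
    """True if uid may search (x) a directory on the way to the socket."""
    return _class_bits(mode, owner_uid, owner_gid, uid, gids,
                       stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def user_ids(username):
    """Resolve a user name to (uid, set of gids incl. supplementary groups)."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def diagnose(socket_path, username):
    """Walk the socket path as `username` and return a one-line verdict
    naming the first component that denies access."""
    uid, gids = user_ids(username)
    path = os.path.abspath(socket_path)
    # Every ancestor directory must be searchable.
    parts = path.split(os.sep)[1:]
    for i in range(1, len(parts)):
        d = os.sep + os.sep.join(parts[:i])
        st = os.stat(d)
        if not can_traverse(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            return f"DENIED: {username} lacks search (x) permission on {d}"
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return f"ERROR: {path} is not a socket"
    if not can_connect(st.st_mode, st.st_uid, st.st_gid, uid, gids):
        return (f"DENIED: {username} lacks write permission on {path} "
                f"(mode {stat.filemode(st.st_mode)}, owner uid {st.st_uid}, gid {st.st_gid})")
    return f"OK: {username} may connect to {path}"


if __name__ == "__main__":
    # Usage on the target: python3 wayland_access.py /run/wayland-0 torizon
    print(diagnose(sys.argv[1], sys.argv[2]))
```

Running diagnose against /run/wayland-0 as the service user reports the exact component that blocks the connection, which is a quicker way to check a candidate User= and XDG_RUNTIME_DIR= combination than restarting the unit and reading the journal.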