
Commit 5fa9d1c

Fix XFCE execution for non-root local users via xfce-start (#3)
* Fix XFCE execution and DBus panics for non-root local users via xfce-start

### Description

**The Problem:** Setting XFCE_USER to a non-root user fails to initialize the desktop session due to a cascade of three conflicts:

1. **Socket Access Denial:** startxfce4 triggers a Permission denied error because the X11 and PulseAudio sockets are strictly root-owned.
2. **VirGL Crash (Signal 134):** Dropping privileges via su -l strips essential container environment variables. This severs the VirGL/Termux-X11 bridge and immediately aborts the process.
3. **DBus Panics:** Using su -p to preserve graphics variables inadvertently retains HOME=/root and XDG_RUNTIME_DIR=/run/user/0. Lacking write access to /root/, the standard user triggers severe GLib-CRITICAL DBus errors and fails to build the desktop.

**The Solution:** This patch refactors /usr/local/bin/xfce-start to securely transition the execution environment without breaking hardware acceleration bridges:

* **Targeted Socket Handoff:** Explicitly assigns ownership (chown) of the X11, PulseAudio, VirGL sockets, and .X5-lock file to the target user.
* **Environment Preservation:** Transitions from su -l to su -p to retain vital container graphics and audio variables.
* **Dynamic Path Override:** Intercepts and dynamically rewrites $HOME and $XDG_RUNTIME_DIR based on the target UID, ensuring a clean DBus initialization isolated from /root.
* **Code Cleanup (Whitelist Deprecation):** Because su -p natively preserves the required container environment, explicitly building and passing a $WHITELIST string via the -w flag is no longer necessary. The obsolete sed parsing logic for /run/droidspaces.env has been safely removed to streamline the script.
* **Zero Regressions:** Fully preserves the default root fallback path for deployments not utilizing XFCE_USER.

### Tested Environments

**Android Target:**

* **Device:** Samsung Galaxy S21+
* **SoC:** Exynos 2100
* **Android Version:** 16
* **Kernel Version:** 5.4.302-Floppy-v1.1.2-KN-g9719914d4da2

**Linux Target (Container):**

* **Distribution:** Debian 13 (Trixie)
* **Architecture:** ARM64
* **Init System:** systemd

### Regression Check

* [X] Default root execution path functions without modification.
* [X] XFCE launches successfully as root when XFCE_USER is empty or unset.
* [X] No modern/restricted kernel syscalls are utilized (fully 3.10 compliant).

* Clean up comment in xfce-start script

Removed unnecessary comment about whitelist in environment variable parsing.

* Using su -l with dynamic whitelist

* XDG_RUNTIME_DIR initialization

- Creates and chmods `/run/user/$(id -u)` (mode `0700`) inside the `su` subshell for non-root users, and `/run/user/0` for the root fallback, satisfying the XDG Base Directory Specification and preventing DBus/XFCE session errors.

* ## Improve XDG_RUNTIME_DIR handling in xfce-start

- USER_UID and TARGET_XDG resolved before su
- chown "$XFCE_USER" (owner only, no group assumption)
- TARGET_XDG interpolated into the subshell command string rather than relying on id -u inside it
- mkdir/chmod moved before socket handoff for logical ordering
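The launcher sequence the description lays out (socket handoff, environment whitelist, per-UID XDG_RUNTIME_DIR, then `su` into the target user), as an added example that is not the repository's xfce-start script. It assumes util-linux `su` (whose `-w` takes a comma-separated list of environment variable names) and the socket paths named in the description, and it adds the fail-closed checks a reviewer would want: an unknown or root target is refused before anything under /run/user is touched, so the UID can never be empty, and the runtime directory is created under a caller-supplied base so the function can be exercised without privileges. All function names (`safe_env_names`, `resolve_uid`, `prepare_runtime_dir`, `handoff_socket`, `launch_xfce_as`) are hypothetical.

```shell
#!/bin/sh
# Added example, not the repository's xfce-start script. Assumes util-linux su
# (-w = comma-separated whitelist of variable names) and GNU/busybox `stat`.
# Every function name below is hypothetical.

# Variables that must not survive the root -> user transition: any of them
# would point the new session back at root's home or runtime directory.
POISON_VARS='HOME|USER|LOGNAME|PWD|OLDPWD|SHELL|XDG_RUNTIME_DIR|MAIL|SHLVL|_'

# safe_env_names: read `env` output on stdin and print the surviving variable
# names comma-separated (the shape `su -w` expects). Only lines that start
# with NAME= are considered, so continuation lines of multi-line values are
# dropped instead of being whitelisted as bogus names.
safe_env_names() {
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' \
      | sed 's/=.*//' \
      | grep -vE "^($POISON_VARS)\$" \
      | tr '\n' ',' | sed 's/,$//'
}

# resolve_uid USER: print USER's numeric UID, or fail. Refuses an empty name,
# root, an unknown user and any alias of UID 0, so a caller can never build
# "/run/user/" from an empty UID and chmod the parent directory by accident.
resolve_uid() {
    name=$1
    [ -n "$name" ] || return 1
    [ "$name" != "root" ] || return 1
    uid=$(id -u "$name" 2>/dev/null) || return 1
    case $uid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$uid" -ne 0 ] || return 1
    printf '%s\n' "$uid"
}

# prepare_runtime_dir BASE UID OWNER: create BASE/UID with mode 0700 and, when
# running as root, hand it to OWNER (owner only, no group assumption).
# Prints the resulting path.
prepare_runtime_dir() {
    base=$1 uid=$2 owner=$3
    dir="$base/$uid"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# handoff_socket PATH OWNER: chown a socket or lock file only if it exists;
# prints "handed" or "skipped" so the caller can log what happened.
handoff_socket() {
    path=$1 owner=$2
    if [ -S "$path" ] || [ -f "$path" ]; then
        chown "$owner" "$path" && printf 'handed\n' || return 1
    else
        printf 'skipped\n'
    fi
}

# launch_xfce_as USER: the full sequence. XDG_RUNTIME_DIR is set inside the
# new session only after the UID has been validated; HOME is deliberately
# left to `su -l`, which sets it from the target's passwd entry.
launch_xfce_as() {
    target=$1
    uid=$(resolve_uid "$target") || {
        echo "xfce-start: refusing to run the desktop as '$target'" >&2
        return 1
    }
    xdg=$(prepare_runtime_dir /run/user "$uid" "$target") || return 1
    for s in /tmp/.X11-unix/X5 /tmp/.X5-lock /tmp/.pulse-socket /tmp/.virgl_test; do
        handoff_socket "$s" "$target" >/dev/null || return 1
    done
    keep=$(env | safe_env_names)
    exec su -l -w "$keep" "$target" -c "export XDG_RUNTIME_DIR='$xdg'; exec /usr/bin/startxfce4"
}

# Entry point mirroring the XFCE_USER contract; root fallback is left to the
# caller so this file can be sourced for its functions alone.
if [ -n "${XFCE_USER:-}" ] && [ "$XFCE_USER" != root ]; then
    launch_xfce_as "$XFCE_USER"
fi
```

Run as root with `XFCE_USER=alice sh xfce-start-example.sh`. The only behavioural difference from the description is the early `resolve_uid` check: a typo in XFCE_USER now aborts with a message instead of creating and locking down a directory under the wrong path before `su` fails.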
1 parent 0d2b65d commit 5fa9d1c

1 file changed

Lines changed: 36 additions & 6 deletions

scripts/xfce-start

@@ -3,24 +3,54 @@
33
ENV_FILE=/run/droidspaces.env
44
CONFIG=/run/droidspaces/container.config
55

6+
# 1. Parse Initial Environment Variables
67
if [ -f "$ENV_FILE" ]; then
78
. "$ENV_FILE"
8-
WHITELIST=$(sed -n 's/^export \([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$ENV_FILE" | tr '\n' ',' | sed 's/,$//')
99
else
1010
export DISPLAY=:5
11-
WHITELIST=DISPLAY
1211
if grep -q 'enable_pulseaudio=1' "$CONFIG" 2>/dev/null; then
1312
export PULSE_SERVER=unix:/tmp/.pulse-socket
14-
WHITELIST="$WHITELIST,PULSE_SERVER"
1513
fi
1614
if grep -q 'enable_virgl=1' "$CONFIG" 2>/dev/null; then
1715
export GALLIUM_DRIVER=virpipe
18-
WHITELIST="$WHITELIST,GALLIUM_DRIVER"
1916
fi
2017
fi
2118

22-
if [ -n "$XFCE_USER" ]; then
23-
exec su -l -w "$WHITELIST" "$XFCE_USER" -c 'exec /usr/bin/startxfce4'
19+
# 2. Check User and Launch Desktop
20+
if [ -n "$XFCE_USER" ] && [ "$XFCE_USER" != "root" ]; then
21+
22+
# Fetch the target user's numeric UID and prepare XDG runtime dir
23+
USER_UID=$(id -u "$XFCE_USER")
24+
TARGET_XDG="/run/user/$USER_UID"
25+
26+
# Unconditionally create/heal the runtime directory and force correct permissions
27+
mkdir -p "$TARGET_XDG"
28+
chown "$XFCE_USER" "$TARGET_XDG"
29+
chmod 700 "$TARGET_XDG"
30+
31+
# Grant ownership of sockets and X11 lock file to the target user
32+
[ -S /tmp/.X11-unix/X5 ] && chown "$XFCE_USER" /tmp/.X11-unix/X5
33+
[ -f /tmp/.X5-lock ] && chown "$XFCE_USER" /tmp/.X5-lock
34+
[ -S /tmp/.pulse-socket ] && chown "$XFCE_USER" /tmp/.pulse-socket
35+
[ -S /tmp/.virgl_test ] && chown "$XFCE_USER" /tmp/.virgl_test
36+
37+
# Build dynamic env whitelist, excluding root-specific or session-poisoning vars
38+
SAFE_ENV=$(env | awk -F= '{print $1}' \
39+
| grep -vE '^(HOME|USER|LOGNAME|PWD|SHELL|XDG_RUNTIME_DIR|MAIL|SHLVL|_)$' \
40+
| tr '\n' ',' | sed 's/,$//')
41+
42+
# Drop privileges and launch XFCE under a clean login shell
43+
exec su -l -w "$SAFE_ENV" "$XFCE_USER" -c '
44+
export XDG_RUNTIME_DIR='"$TARGET_XDG"'
45+
exec /usr/bin/startxfce4'
2446
else
47+
# Warn and fall back to root execution
48+
if [ "$XFCE_USER" = "root" ]; then
49+
echo "Warning: XFCE_USER=root, running desktop as root" >&2
50+
fi
51+
52+
mkdir -p /run/user/0
53+
chmod 700 /run/user/0
54+
export XDG_RUNTIME_DIR=/run/user/0
2555
exec /usr/bin/startxfce4
2656
fi
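Review bot: `USER_UID=$(id -u "$XFCE_USER")` is never checked for failure. If XFCE_USER names a user that does not exist, `id` prints nothing, `TARGET_XDG` collapses to `/run/user/`, and the following `mkdir -p` / `chmod 700 "$TARGET_XDG"` lock down /run/user itself for every other user before `su` finally fails. Bail out right after the lookup, e.g. `USER_UID=$(id -u "$XFCE_USER") || { echo "xfce-start: unknown user $XFCE_USER" >&2; exit 1; }`. Two smaller points in the same branch: the `SAFE_ENV` list is derived from raw `env` output with `awk -F= '{print $1}'`, so any variable whose value spans several lines contributes its continuation lines as bogus names to the `-w` list (filtering with `grep -E '^[A-Za-z_][A-Za-z0-9_]*='` before the awk avoids that), and `-w` is the util-linux `su` whitelist option, so the script now depends on that implementation of `su`; a one-line comment stating that would help anyone porting it off the Debian 13 target.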

0 commit comments
