SLEEP support development for CM4

This is probably not doing what you think it’s doing. sudo in a script doesn’t really work, because it can’t prompt you for a password. To do this from within a graphical session, you need a setuid binary to write to these files.

Or, you can have a script which runs as root, and watches /dev/input/event0 for power key presses, and use this to toggle the system state.

Sudo can easily be setup to run passwordless, just fyi. based on group or individual user.

1 Like

I knew someone was going to suggest this.

No.

Just no.

Don’t do that.

RPi OS comes setup that way out of the box.

1 Like

They do that for convenience, but it is an insecure default, and you shouldn’t leave it that way. The first thing you should do is set a user password.

And sudo is not appropriate for use in system scripts.

You have a password, when logged in it just doesn’t require it. If you ssh in or use a non-sudoer account a password is required.

1 Like

Sudo is already a security risk, and some admins / distros don’t use it at all. Configuring sudo to not require a password so you can use use it in a shell script is utterly indefensible.

You might get it to work, but you’re leaving your system wide open. And for anyone with a more secure setup, it will not work. I will not be doing this, and I have outlined the alternatives.

Since I’m not very experienced with linux, what should you do if you don’t use sudo? Doas requires another password entry (or not), su requires the same. Are you saying to log out and back in as root, then make the changes, and logout/in as user again?

What is the “proper way” of getting admin level when installing or changing things that are supposed to be system wide?

I would say, if you have autologin to the system (and don’t wear foil cap) then do not worry and use sudo.

or you can create an udev rule, but since you are not very familiar with linux – don’t bother.

So to get this to work with a setup that prompts for sudo password, and actually, also to get the current default Bookworm image to properly prompt for sudo password for the default user, it would be the following:

  1. Edit /etc/sudoers.d/010_pi-nopasswd, which by default will read something like…
<username> ALL=(ALL) NOPASSWD: ALL
  1. Comment out that line and add the absolute path to the script. So something like this…
#<username> ALL=(ALL) NOPASSWD: ALL
<username> ALL=(ALL) NOPASSWD: /home/<username>/.config/qsleep.sh

That way only the sleep script will be allowed to run as sudo without password. Everything else will still prompt for password when invoking “sudo”.

And of course it also means the “sudo tee” part can be executed from within the script, so in which case the mapping in wayfire.ini or labwc xml files can still be used.

If you’re concerned about the “sudo” part being inside of the script, setting up a listener script that listens to the power event is the only way. I have tried to make a non-sudo version of the script and launching it from wayfire or labwc won’t actually work properly for whatever reason.

1 Like

If you followed my instructions above, that should prompt for password for sudo only once per session by default if you’re using the Bookworm image. (maybe I’m wrong but that seems to be the case? Otherwise maybe the timeout is so big that I haven’t been able to trigger it again)

To change that behavior, you can edit /etc/sudoers and add the following lines:

# Prompt for sudo password on every single command
Defaults     timestamp_timeout=0

Which would be the more ideal secure setup.

Alternatively, set that timeout from 0 to any number and that will cause sudo to ask for password again if some minutes have passed. So for instance, asking for sudo password again after 3 minutes would be:

Defaults     timestamp_timeout=3

I would say any number between 3-5 should suffice if you find typing the password every time annoying. Personally I go with 0 to make sure I don’t slip up, but as above, you can add certain scripts or commands to the exception list so you don’t have to keep pumping password into them. I do this for the sleep script and for docker command, for instance.

2 Likes

If you’re concerned about the “sudo” part being inside of the script, setting up a listener script that listens to the power event is the only way. I have tried to make a non-sudo version of the script and launching it from wayfire or labwc won’t actually work properly for whatever reason.

I found I had to do this anyways, since I wanted to lock the screen (via swaylock) in my case. The screen locker prevents the power key from being received by the compositor / window manager to wake back up, and systemd's logind isn’t flexible enough, by itself, to do this.

It wasn’t too hard, it turned out. I found that the libinputs command, which is available via libinput-tools or libinput-utils depending on your distro, will watch for events on the devices you specify, and the output is simple to work with. I found that /dev/input/event0 shows up as a separate keyboard device, and is where the power button events come from on the uConsole.

So, I now have, on my device, a modified version of qsleep.sh that looks like this:

function toggle {
  if test "$(cat /sys/class/drm/card1-DSI-1/enabled)" = "enabled"
  then
    ...
  else
    ...
  fi
}

function watch {
  declare -a event
  libinput debug-events --device /dev/input/event0 | while read -a event
  do
    case "${event[1]} ${event[3]} ${event[5]}" in
	  "KEYBOARD_KEY KEY_POWER released")
        toggle
        ;;
    esac
  done
}

...

The reason for only responding to released is because I still let logind handle a long key press by shutting down the machine, so I can still power off cleanly. It’s nice, when I need to do this, that the screen is still powered on, so that I can see that the machine is actually powering off.

I run my script from within my session, so that wlr-randr and swaylock work without me having to set any specific variables, and I wrote a simple C program that is setuid root to set the governor (at least until I figure out a portable way to do all of this from the session manager).

The full code is here.

2 Likes

As a new user, just use sudo. It’s definitely better than logging in as root. FYI can use sudo -k when you are done, and want to expire your auth token, rather than just letting it time out.

As for alternatives, there’s the su command, where you need the root password rather than your user password. BSD provides doas. There are finer-grained approaches to authentication, like PolicyKit (now Polkit). I’m not sure if any of these things is better in this case, I just wanted to point out that in some settings, sudo isn’t available.

Sometimes, you can avoid uses of sudo by adding your user to the right groups – consult distro-specific documentation to learn which groups are available and what they do.

1 Like

Hi, can that script applied to Bookworm image? I can put device to “sleep” but when pressing Power key again to “wake”, the screen stay dark. At that point, if I type in the password and Enter (still nothing on the screen), then press Pwr Key again, then screen is back to life.

probably…I don’t have time to try right now.

If you want to test it out, I recommend starting a tmux session from within the uconsole’s gui environment, then to ssh in, and tmux attach before you try to sleep. This way you can keep working even if the screen and / or keyboard aren’t functioning.

1 Like