From 024b1864b49af5ae9141697e150e395b5dd43e4e Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Fri, 7 Nov 2025 10:53:31 +1100 Subject: [PATCH] feat(linux): automatically add user to `firezone-client` group (#10787) By checking various environment variables, we can automatically add the current user to the `firezone-client` group which allows them to connect to the IPC socket of the tunnel process. Unfortunately, they still have to create a new login session / reboot for that to be reflected. The docs update for this will follow once we have cut a release with this code in it. --------- Signed-off-by: Thomas Eizinger Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../src-tauri/linux_package/postinst | 20 ++++++++++++++++++- .../src-tauri/linux_package/sysusers.conf | 1 + 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/rust/gui-client/src-tauri/linux_package/postinst b/rust/gui-client/src-tauri/linux_package/postinst index d721d5e4b..620514d26 100755 --- a/rust/gui-client/src-tauri/linux_package/postinst +++ b/rust/gui-client/src-tauri/linux_package/postinst 
@@ -4,7 +4,25 @@ set -euo pipefail SERVICE_NAME="firezone-client-tunnel" -# Creates the system group `firezone-client` +DISPLAY_USER=$(who | grep '(login screen)' | awk '{print $1}') + +if [ -n "${PKEXEC_UID:-}" ]; then + INVOKING_USER=$(id -un "$PKEXEC_UID" 2>/dev/null) # Detect user from PolicyKit. + + echo "Detected invoking user from PolicyKit: $INVOKING_USER" +elif [ -n "${SUDO_USER:-}" ]; then + INVOKING_USER="$SUDO_USER" # Detect user from `sudo apt/dnf install`. + + echo "Detected invoking user from SUDO_USER: $INVOKING_USER" +elif [ -n "${DISPLAY_USER:-}" ]; then + INVOKING_USER="$DISPLAY_USER" # Detect user from display session. + + echo "Detected invoking user from display session: $INVOKING_USER" +fi + +sudo sed -i "s/<>/${INVOKING_USER:-root}/g" "/usr/lib/sysusers.d/firezone-client-tunnel.conf" + +# Creates the system group `firezone-client` and adds the group membership. sudo systemd-sysusers echo "Starting and enabling Firezone Tunnel service..." diff --git a/rust/gui-client/src-tauri/linux_package/sysusers.conf b/rust/gui-client/src-tauri/linux_package/sysusers.conf index 830b931da..78d0afb99 100644 --- a/rust/gui-client/src-tauri/linux_package/sysusers.conf +++ b/rust/gui-client/src-tauri/linux_package/sysusers.conf @@ -2,3 +2,4 @@ # This creates the `firezone-client` group automatically at startup g firezone-client - +m <> firezone-client -
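Review bot: The added `DISPLAY_USER=$(who | grep '(login screen)' | awk '{print $1}')` runs under the `set -euo pipefail` visible at the top of the hunk, so when `who` lists no `(login screen)` session (a headless or SSH install, for example) grep exits 1 and the postinst aborts before the service is enabled. That contradicts the later `${DISPLAY_USER:-}` test, which expects an empty value to be tolerated. The `id -un "$PKEXEC_UID" 2>/dev/null` lookup aborts the same way for a UID that does not resolve and wants `|| true` inside the substitution. The detected name is then substituted unvalidated into the `sed` replacement that rewrites a sysusers.d file processed as root, so several matching sessions (a multi-line value) or a `/`, `&` or backslash in the value either break the expression or change what gets written. Because membership of `firezone-client` grants access to the tunnel's IPC socket, I would accept only a single name that `id` resolves and otherwise keep the existing `root` fallback, as sketched below; the start of the script is outside the hunk, so bash is assumed.

```shell
# `|| true`: under `set -euo pipefail` a `who` listing without a match must not abort the install.
DISPLAY_USER=$(who | awk '/\(login screen\)/ {print $1; exit}' || true)

# … unchanged: PKEXEC_UID / SUDO_USER / DISPLAY_USER selection …

# Accept only a single existing account name; anything else falls back to the default used by sed.
case "${INVOKING_USER:-}" in
    "" | *[!A-Za-z0-9._-]*) INVOKING_USER="" ;;
    *) id -u -- "$INVOKING_USER" >/dev/null 2>&1 || INVOKING_USER="" ;;
esac
```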
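Review bot: The new `m` line in `sysusers.conf` is only valid after postinst has rewritten its placeholder, and nothing in the file says so. If the script exits before the `sed` step, or the package is installed in a way that skips maintainer scripts, `systemd-sysusers` will meet the raw placeholder line on its next run. Rewriting the packaged file under `/usr/lib/sysusers.d` in place also makes it differ from what the package manager recorded, so integrity checks will report it as modified. I would add a comment above the line such as `# The user field below is filled in by postinst at install time`, and consider having postinst write the `m` entry to a separate drop-in (for example under `/etc/sysusers.d`) so the packaged file stays untouched.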