How to avoid socket activation for root?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2017-01-31 at 11:18 -0300, Felipe Sateler wrote:
> On 31 January 2017 at 10:45, Tanu Kaskinen <tanuk at iki.fi> wrote:
> > On Mon, 2017-01-30 at 10:17 -0300, Felipe Sateler wrote:
> > > On 28 January 2017 at 11:24, Ahmed S. Darwish <darwish.07 at gmail.com> wrote:
> > > > On Sat, Jan 28, 2017 at 04:00:31PM +0200, Ahmed S. Darwish wrote:
> > > > > Unless we want a restricting directive directly inside systemd,
> > > > > below trick seems to work here:
> > > > > 
> > > > >   # /etc/systemd/user/pulseaudio.socket.d/override.conf
> > > > >   [Socket]
> > > > >   ExecStartPre=/bin/sh -c '/usr/bin/test $(/usr/bin/whoami) != "root"'
> > > > > 
> > > > > Any better solution?
> > > > > 
> > > > 
> > > > Below also works, and is much better than the above:
> > > > 
> > > >     # /etc/systemd/user/pulseaudio.socket.d/override.conf
> > > >     [Unit]
> > > >     ConditionCapability=!CAP_SYS_ADMIN
> > > 
> > > One could presumably run a system without SYS_ADMIN capabilities (eg,
> > > a container). Therefore, I think it is best to test for a root-owned
> > > file:
> > > 
> > >   [Unit]
> > >   ConditionPathIsReadWrite=!/root
> > 
> > AFAIK, some people use read-only root filesystem. Doesn't this break in
> > such situation? Or is it common to put /root on a different read-
> > write filesystem in such situations?
> 
> Hmm. Indeed, it would not start the daemon.

I guess you mean it *would* start the daemon (which we want to avoid).

> But is pulseaudio able to
> run with a read-only $HOME? The cookie and restore databases seems to
> be stored in $XDG_CONFIG_DIR (which defaults to $HOME/.config).

Probably it would fail to start. But it would be better to not even try
starting.

> Alternatively, one could use /run as the flag path. That path is
> guaranteed by systemd to be writable, and permission (unless modified
> by something weird) are 755 root:root.

That seems like the best solution so far. I'll make a patch.

> > Using CAP_SYS_ADMIN seems a bit better to me, although not quite ideal.
> > Maybe this should be brought up on the systemd list?
> 
> I submitted a feature request there:
> 
> https://github.com/systemd/systemd/issues/5187

Great, thanks!

-- 
Tanu

https://www.patreon.com/tanuk


[Index of Archives]     [Linux Audio Users]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux