On Wed, 2017-02-08 at 10:06 -0300, Felipe Sateler wrote:
> On 8 February 2017 at 09:36, Tanu Kaskinen <tanuk at iki.fi> wrote:
> > On Fri, 2017-02-03 at 10:17 -0300, Felipe Sateler wrote:
> > > On 3 February 2017 at 05:51, Tanu Kaskinen <tanuk at iki.fi> wrote:
> > > > We disallow autospawning for root, but when using systemd socket
> > > > activation to start pulseaudio, that replaces the autospawning
> > > > mechanism, and there was no similar "root protection" in socket
> > > > activation. This patch disables the socket activation for root.
> > > >
> > > > Thanks to Felipe Sateler for coming up with the idea of using
> > > > ConditionPathIsReadWrite=!/run.
> > >
> > > I'm sorry but I'll have to take this back. This check only checks if
> > > the path is mounted read-write, not if the calling process has the
> > > necessary permissions.
> > >
> > > https://github.com/systemd/systemd/blob/master/src/shared/condition.c#L405
> > > https://github.com/systemd/systemd/blob/master/src/basic/stat-util.c#L126
> > >
> > > :(
> >
> > Well, that's disappointing (and shame on me - I should have tested the
> > patch better).
> >
> > I think using ExecStartPre as Ahmed first suggested is the best
> > solution. It should do exactly what we want. The admin capability check
> > can have some corner cases where it does the wrong thing.
>
> The ExecStartPre= solution has the undesirable side effect that it
> marks the unit as failed, and thus the systemd --user session as
> degraded. I think the CAP_SYS_ADMIN solution is a bit better until we
> get ConditionUID. Presumably the people running containers where root
> does not have CAP_SYS_ADMIN know what they are doing.

Good point. I'll make v2 with the capability check.

--
Tanu

https://www.patreon.com/tanuk
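The options weighed in this thread, written out side by side as a hypothetical user service unit. This is an added example, not PulseAudio's own unit file; the unit name, ExecStart line and shell snippet are assumptions, the note on ConditionCapability= restates its documented semantics from systemd.unit(5), and ConditionUser= is the directive systemd added in later releases.

```ini
# Hypothetical ~/.config/systemd/user/pulseaudio.service (added example).
# Whichever Condition*= line is used must also go into pulseaudio.socket,
# since socket activation is the path that bypasses the autospawn check.
[Unit]
Description=Sound Service (example)
Requires=pulseaudio.socket

# 1. Rejected in the thread: only tests whether the filesystem backing
#    /run is mounted read-write (the statvfs ST_RDONLY flag), never whether
#    the calling user may write there, so it cannot tell root from anyone.
#ConditionPathIsReadWrite=!/run

# 3. The v2 choice. ConditionCapability= tests the capability *bounding
#    set* of the service manager, not its effective capabilities. The
#    corner case named in the thread: root inside a container that has had
#    CAP_SYS_ADMIN removed from its bounding set passes this check and is
#    treated as a normal user.
#ConditionCapability=!CAP_SYS_ADMIN

# 4. What the thread was waiting for ("ConditionUID"): newer systemd
#    accepts a direct user check, which has neither problem above.
ConditionUser=!root

[Service]
# 2. Works, but when the test fails the unit enters the "failed" state and
#    `systemctl --user status` reports the session as degraded.
#ExecStartPre=/bin/sh -c 'test "$(id -u)" -ne 0'
ExecStart=/usr/bin/pulseaudio --daemonize=no
Restart=on-failure

[Install]
WantedBy=default.target
```

Only one of the numbered lines should be active at a time; the commented-out ones are kept for comparison.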