How to avoid socket activation for root?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Jan 28, 2017 at 04:00:31PM +0200, Ahmed S. Darwish wrote:
> Hi :-)
> 
> On Sat, Jan 28, 2017 at 01:58:32PM +0200, Tanu Kaskinen wrote:
> > Hi all,
> > 
> > In the "PA 10 : paplay can't connect !" thread I noticed worrying
> > netstat output:
> > 
> > [video at sixcore ~]$ netstat -l -x -p | grep pulse
> > (Not all processes could be identified, non-owned process info
> >   will not be shown, you would have to be root to see it all.)
> > unix  2      [ ACC ]     STREAM     LISTENING     51237    7388/pulseaudio      /tmp/.esd-501/socket
> > unix  2      [ ACC ]     STREAM     LISTENING     26773    -                    /run/user/0/pulse/native
> > unix  2      [ ACC ]     STREAM     LISTENING     40938    7362/systemd         /run/user/501/pulse/native
> >
> > It looks like systemd manages also root login sessions, and it creates
> > the pulseaudio socket for root. Presumably pulseaudio would get started
> > if some application tried to access the socket. When using the
> > traditional autospawning mechanism, we don't start pulseaudio for root,
> > and that's how it should be also in the systemd socket activation case.
> > 
> > Does anyone have ideas about how we could prevent systemd from creating
> > the socket for root by default?
> >
> 
> Confirmed here too, as long as a root login shell is there; e.g.
> by something like "machinectl shell".
> 
> Unless we want a restricting directive directly inside systemd,
> below trick seems to work here:
> 
>   # /etc/systemd/user/pulseaudio.socket.d/override.conf
>   [Socket]
>   ExecStartPre=/bin/sh -c '/usr/bin/test $(/usr/bin/whoami) != "root"'
> 
> Any better solution?
>

Below also works, and is much better than the above:

    # /etc/systemd/user/pulseaudio.socket.d/override.conf
    [Unit]
    ConditionCapability=!CAP_SYS_ADMIN

regards,



[Index of Archives]     [Linux Audio Users]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux