On Sat, Jan 28, 2017 at 04:00:31PM +0200, Ahmed S. Darwish wrote:
> Hi :-)
>
> On Sat, Jan 28, 2017 at 01:58:32PM +0200, Tanu Kaskinen wrote:
> > Hi all,
> >
> > In the "PA 10 : paplay can't connect !" thread I noticed worrying
> > netstat output:
> >
> > [video at sixcore ~]$ netstat -l -x -p | grep pulse
> > (Not all processes could be identified, non-owned process info
> >  will not be shown, you would have to be root to see it all.)
> > unix 2     [ ACC ]    STREAM    LISTENING    51237 7388/pulseaudio     /tmp/.esd-501/socket
> > unix 2     [ ACC ]    STREAM    LISTENING    26773   -        /run/user/0/pulse/native
> > unix 2     [ ACC ]    STREAM    LISTENING    40938   7362/systemd /run/user/501/pulse/native
> >
> > It looks like systemd manages also root login sessions, and it creates
> > the pulseaudio socket for root. Presumably pulseaudio would get started
> > if some application tried to access the socket. When using the
> > traditional autospawning mechanism, we don't start pulseaudio for root,
> > and that's how it should be also in the systemd socket activation case.
> >
> > Does anyone have ideas about how we could prevent systemd from creating
> > the socket for root by default?
> >
>
> Confirmed here too, as long as a root login shell is there; e.g.
> by something like "machinectl shell".
>
> Unless we want a restricting directive directly inside systemd,
> below trick seems to work here:
>
> # /etc/systemd/user/pulseaudio.socket.d/override.conf
> [Socket]
> ExecStartPre=/bin/sh -c '/usr/bin/test $(/usr/bin/whoami) != "root"'
>
> Any better solution?
>

Below also works, and is much better than the above:

# /etc/systemd/user/pulseaudio.socket.d/override.conf
[Unit]
ConditionCapability=!CAP_SYS_ADMIN

regards,
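
Added example, not part of the original message and not PulseAudio or systemd code: a shell check for the ConditionCapability= override above. Per systemd.unit(5), ConditionCapability= tests the capability bounding set of the service manager, so this decodes CapBnd from /proc/<pid>/status text and reports whether ConditionCapability=!CAP_SYS_ADMIN would hold. The function names and the sample status excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample data is constructed).

CAP_SYS_ADMIN_BIT=21   # CAP_SYS_ADMIN as numbered in <linux/capability.h>

# Print the CapBnd hex mask found in /proc/<pid>/status text read from stdin.
capbnd_from_status() {
    sed -n 's/^CapBnd:[[:space:]]*\([0-9A-Fa-f]\{1,\}\)[[:space:]]*$/\1/p'
}

# Succeed (exit 0) if capability bit $2 is set in hex mask $1.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Evaluate ConditionCapability=!CAP_SYS_ADMIN for status text on stdin:
#   0 = condition holds (capability absent from the bounding set)
#   1 = condition fails (capability present, so the unit is skipped)
#   2 = no CapBnd line found; treated as "cannot decide"
condition_holds() {
    mask=$(capbnd_from_status)
    [ -n "$mask" ] || return 2
    if cap_in_mask "$mask" "$CAP_SYS_ADMIN_BIT"; then
        return 1
    fi
    return 0
}

# Constructed status excerpts: a full bounding set, and one with bit 21 cleared.
SAMPLE_FULL=$(printf 'Name:\tsystemd\nCapBnd:\t000001ffffffffff\n')
SAMPLE_DROPPED=$(printf 'Name:\tsystemd\nCapBnd:\t000001ffffdfffff\n')

# Optional live check: sh thisfile --pid <PID of a "systemd --user" manager>
if [ "${1:-}" = "--pid" ] && [ -r "/proc/${2:-}/status" ]; then
    if condition_holds < "/proc/$2/status"; then
        echo "condition holds: pulseaudio.socket would be set up"
    else
        echo "condition fails or CapBnd missing: pulseaudio.socket would be skipped"
    fi
fi
```

Running it with `--pid` against both root's and an ordinary user's `systemd --user` process shows how the override evaluates for each manager on a given system.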