On 28 January 2017 at 11:24, Ahmed S. Darwish <darwish.07 at gmail.com> wrote: > On Sat, Jan 28, 2017 at 04:00:31PM +0200, Ahmed S. Darwish wrote: >> Hi :-) >> >> On Sat, Jan 28, 2017 at 01:58:32PM +0200, Tanu Kaskinen wrote: >> > Hi all, >> > >> > In the "PA 10 : paplay can't connect !" thread I noticed worrying >> > netstat output: >> > >> > [video at sixcore ~]$ netstat -l -x -p | grep pulse >> > (Not all processes could be identified, non-owned process info >> > will not be shown, you would have to be root to see it all.) >> > unix 2 [ ACC ] STREAM LISTENING 51237 7388/pulseaudio /tmp/.esd-501/socket >> > unix 2 [ ACC ] STREAM LISTENING 26773 - /run/user/0/pulse/native >> > unix 2 [ ACC ] STREAM LISTENING 40938 7362/systemd /run/user/501/pulse/native >> > >> > It looks like systemd manages also root login sessions, and it creates >> > the pulseaudio socket for root. Presumably pulseaudio would get started >> > if some application tried to access the socket. When using the >> > traditional autospawning mechanism, we don't start pulseaudio for root, >> > and that's how it should be also in the systemd socket activation case. >> > >> > Does anyone have ideas about how we could prevent systemd from creating >> > the socket for root by default? >> > >> >> Confirmed here too, as long as a root login shell is there; e.g. >> by something like "machinectl shell". >> >> Unless we want a restricting directive directly inside systemd, >> below trick seems to work here: >> >> # /etc/systemd/user/pulseaudio.socket.d/override.conf >> [Socket] >> ExecStartPre=/bin/sh -c '/usr/bin/test $(/usr/bin/whoami) != "root"' >> >> Any better solution? >> > > Below also works, and is much better than the above: > > # /etc/systemd/user/pulseaudio.socket.d/override.conf > [Unit] > ConditionCapability=!CAP_SYS_ADMIN One could presumably run a system without SYS_ADMIN capabilities (eg, a container). Therefore, I think it is best to test for a root-owned file: [Unit] ConditionPathIsReadWrite=!/root -- Saludos, Felipe Sateler
