On Mon, 2017-01-30 at 10:17 -0300, Felipe Sateler wrote:
> On 28 January 2017 at 11:24, Ahmed S. Darwish <darwish.07 at gmail.com> wrote:
> > On Sat, Jan 28, 2017 at 04:00:31PM +0200, Ahmed S. Darwish wrote:
> > > Unless we want a restricting directive directly inside systemd,
> > > below trick seems to work here:
> > >
> > > # /etc/systemd/user/pulseaudio.socket.d/override.conf
> > > [Socket]
> > > ExecStartPre=/bin/sh -c '/usr/bin/test $(/usr/bin/whoami) != "root"'
> > >
> > > Any better solution?
> > >
> >
> > Below also works, and is much better than the above:
> >
> > # /etc/systemd/user/pulseaudio.socket.d/override.conf
> > [Unit]
> > ConditionCapability=!CAP_SYS_ADMIN
>
> One could presumably run a system without SYS_ADMIN capabilities (eg,
> a container). Therefore, I think it is best to test for a root-owned
> file:
>
> [Unit]
> ConditionPathIsReadWrite=!/root

AFAIK, some people use read-only root filesystem. Doesn't this break in
such situation? Or is it common to put /root on a different read-write
filesystem in such situations?

Using CAP_SYS_ADMIN seems a bit better to me, although not quite ideal.
Maybe this should be brought up on the systemd list?

--
Tanu

https://www.patreon.com/tanuk
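
The three checks proposed in this thread (user name, CAP_SYS_ADMIN, writability of /root) are each a proxy for "running as root", and they can disagree in a container or on a read-only filesystem. The shell example below is added here and is not part of the original thread: it reports the inputs each proxy depends on. Function names and the sample status text are constructed, and `[ -w ]` is the shell's own writability test, used as an approximation rather than systemd's implementation.

```shell
#!/bin/sh
# Added example (not from the thread): show the facts behind the three
# "is this root?" proxies so their disagreement is visible per environment.
CAP_SYS_ADMIN_BIT=21   # CAP_SYS_ADMIN in linux/capability.h

# cap_field STATUS_TEXT FIELD -> hex mask from a /proc/<pid>/status dump
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# mask_has_cap HEXMASK BIT -> exit status 0 if that capability bit is set
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# has_sys_admin STATUS_TEXT FIELD -> prints "yes" or "no"
has_sys_admin() {
    mask=$(cap_field "$1" "$2")
    if [ -n "$mask" ] && mask_has_cap "$mask" "$CAP_SYS_ADMIN_BIT"; then
        echo yes
    else
        echo no
    fi
}

# report STATUS_TEXT UID DIR -> one summary line covering all three proxies
report() {
    rw=no; [ -w "$3" ] && rw=yes
    echo "uid=$2 CapEff.sys_admin=$(has_sys_admin "$1" CapEff)" \
         "CapBnd.sys_admin=$(has_sys_admin "$1" CapBnd) writable($3)=$rw"
}

# Constructed sample: uid 0 in a container whose sets lack CAP_SYS_ADMIN.
SAMPLE_CONTAINER_ROOT='Uid: 0 0 0 0
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'

# Constructed sample: unprivileged user, empty effective set, full bounding set.
SAMPLE_USER='Uid: 1000 1000 1000 1000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff'

report "$SAMPLE_CONTAINER_ROOT" 0 /root
report "$SAMPLE_USER" 1000 /root

# Live values for the current process, where /proc is available.
if [ -r /proc/self/status ]; then
    report "$(cat /proc/self/status)" "$(id -u)" /root
fi
```

The effective and bounding sets are reported separately because a process can hold a capability in one and not the other, so the set a check consults changes its answer.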