On 31 January 2017 at 10:45, Tanu Kaskinen <tanuk at iki.fi> wrote: > On Mon, 2017-01-30 at 10:17 -0300, Felipe Sateler wrote: >> On 28 January 2017 at 11:24, Ahmed S. Darwish <darwish.07 at gmail.com> wrote: >> > On Sat, Jan 28, 2017 at 04:00:31PM +0200, Ahmed S. Darwish wrote: >> > > Unless we want a restricting directive directly inside systemd, >> > > below trick seems to work here: >> > > >> > > # /etc/systemd/user/pulseaudio.socket.d/override.conf >> > > [Socket] >> > > ExecStartPre=/bin/sh -c '/usr/bin/test $(/usr/bin/whoami) != "root"' >> > > >> > > Any better solution? >> > > >> > >> > Below also works, and is much better than the above: >> > >> > # /etc/systemd/user/pulseaudio.socket.d/override.conf >> > [Unit] >> > ConditionCapability=!CAP_SYS_ADMIN >> >> One could presumably run a system without SYS_ADMIN capabilities (eg, >> a container). Therefore, I think it is best to test for a root-owned >> file: >> >> [Unit] >> ConditionPathIsReadWrite=!/root > > AFAIK, some people use read-only root filesystem. Doesn't this break in > such situation? Or is it common to put /root on a different read- > write filesystem in such situations? Hmm. Indeed, it would not start the daemon. But is pulseaudio able to run with a read-only $HOME? The cookie and restore databases seems to be stored in $XDG_CONFIG_DIR (which defaults to $HOME/.config). Alternatively, one could use /run as the flag path. That path is guaranteed by systemd to be writable, and permission (unless modified by something weird) are 755 root:root. > Using CAP_SYS_ADMIN seems a bit better to me, although not quite ideal. > Maybe this should be brought up on the systemd list? I submitted a feature request there: https://github.com/systemd/systemd/issues/5187 -- Saludos, Felipe Sateler
