[pulseaudio-discuss] [PATCH] systemd: disable socket activation for root

Felipe Sateler fsateler at debian.org
Wed Feb 8 13:06:27 UTC 2017


On 8 February 2017 at 09:36, Tanu Kaskinen <tanuk at iki.fi> wrote:
> On Fri, 2017-02-03 at 10:17 -0300, Felipe Sateler wrote:
>> On 3 February 2017 at 05:51, Tanu Kaskinen <tanuk at iki.fi> wrote:
>> > We disallow autospawning for root, but when using systemd socket
>> > activation to start pulseaudio, that replaces the autospawning
>> > mechanism, and there was no similar "root protection" in socket
>> > activation. This patch disables the socket activation for root.
>> >
>> > Thanks to Felipe Sateler for coming up with the idea of using
>> > ConditionPathIsReadWrite=!/run.
>>
>> I'm sorry but I'll have to take this back. This check only checks if
>> the path is mounted read-write, not if the calling process has the
>> necessary permissions.
>>
>> https://github.com/systemd/systemd/blob/master/src/shared/condition.c#L405
>> https://github.com/systemd/systemd/blob/master/src/basic/stat-util.c#L126
>>
>> :(
>
> Well, that's disappointing (and shame on me - I should have tested the
> patch better).
>
> I think using ExecStartPre as Ahmed first suggested is the best
> solution. It should do exactly what we want. The admin capability check
> can have some corner cases where it does the wrong thing.

The ExecStartPre= solution has the undesirable side effect that it
marks the unit as failed, and thus the systemd --user session as
degraded. I think the CAP_SYS_ADMIN solution is a bit better until we
get ConditionUID. Presumably the people running containers where root
does not have CAP_SYS_ADMIN know what they are doing.

-- 

Saludos,
Felipe Sateler
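The three checks the thread weighs against each other, written out as plain shell so they can be compared side by side. This is an added example, not code from PulseAudio, systemd, or the patch under discussion; the unit-file lines in the comments are assumptions about how each check would be wired in, the CAP_SYS_ADMIN bit number follows Linux's capability numbering, and the mounts table fed to the last function is constructed, not read from a real system.

```shell
#!/bin/sh
# Added example (not PulseAudio's or systemd's code).  Each function models one
# of the root guards discussed for the pulseaudio socket/service user units.

# (a) ExecStartPre= guard.  Assumed wiring (not from the patch):
#         ExecStartPre=/bin/sh -c 'exec /usr/local/lib/pa-guard guard'
#     A non-zero exit stops the start, but systemd then records the unit as
#     failed, so `systemctl --user is-system-running` reports "degraded".
guard_not_root() {
    uid="${1:-$(id -u)}"            # effective UID; parameter only for testing
    [ "$uid" -ne 0 ]
}

# (b) Capability test, the check ConditionCapability=!CAP_SYS_ADMIN performs.
#     Reads the effective capability mask; CAP_SYS_ADMIN is bit 21 in Linux.
#     A failed Condition skips the unit without marking it failed, but root in
#     a container that dropped CAP_SYS_ADMIN passes, the corner case Felipe
#     says such admins can live with.
has_cap_sys_admin() {
    capeff="${1:-$(awk '/^CapEff:/ {print $2}' /proc/self/status)}"
    mask=$(( 0x$capeff ))           # hex mask from /proc/<pid>/status
    [ $(( (mask >> 21) & 1 )) -eq 1 ]
}

# (c) What ConditionPathIsReadWrite= actually tests: whether the filesystem
#     holding the path is mounted rw.  It never consults the caller's
#     permissions, so it answers the same for root and for a normal user.
#     Takes /proc/mounts-format lines on stdin so it runs on constructed data.
mount_is_readwrite() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { split(opts, o, ","); exit (o[1] == "rw") ? 0 : 1 }'
}

# Demonstration on a constructed mounts table (not a real /proc/mounts).
demo() {
    constructed_mounts='tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'
    if printf '%s\n' "$constructed_mounts" | mount_is_readwrite /run; then
        echo "/run mounted rw: ConditionPathIsReadWrite=!/run is false for every caller"
    fi
    if guard_not_root; then
        echo "ExecStartPre guard: not root, start allowed"
    else
        echo "ExecStartPre guard: running as root, refusing"
    fi
    if has_cap_sys_admin; then
        echo "CAP_SYS_ADMIN present: ConditionCapability=!CAP_SYS_ADMIN would skip the unit"
    else
        echo "CAP_SYS_ADMIN absent: capability condition would let the unit start"
    fi
}

case "${1:-demo}" in
    guard) guard_not_root ;;        # exit status is what ExecStartPre= sees
    demo)  demo ;;
esac
```

Running the script with `guard` gives the exit status an ExecStartPre= line would act on; without arguments it prints which of the three checks would allow a start for the calling process. The constructed table shows why the read-write condition cannot distinguish users: a tmpfs on /run is mounted rw whether or not the caller may write to it.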

