[pulseaudio-discuss] [PATCH] systemd: disable socket activation for root

Tanu Kaskinen tanuk at iki.fi
Thu Feb 9 19:58:30 UTC 2017 

On Thu, 2017-02-09 at 20:52 +0200, Tanu Kaskinen wrote:
> On Wed, 2017-02-08 at 10:06 -0300, Felipe Sateler wrote:
> > On 8 February 2017 at 09:36, Tanu Kaskinen <tanuk at iki.fi> wrote:
> > > On Fri, 2017-02-03 at 10:17 -0300, Felipe Sateler wrote:
> > > > On 3 February 2017 at 05:51, Tanu Kaskinen <tanuk at iki.fi> wrote:
> > > > > We disallow autospawning for root, but when using systemd socket
> > > > > activation to start pulseaudio, that replaces the autospawning
> > > > > mechanism, and there was no similar "root protection" in socket
> > > > > activation. This patch disables the socket activation for root.
> > > > > 
> > > > > Thanks to Felipe Sateler for coming up with the idea of using
> > > > > ConditionPathIsReadWrite=!/run.
> > > > 
> > > > I'm sorry but I'll have to take this back. This check only checks if
> > > > the path is mounted read-write, not if the calling process has the
> > > > necessary permissions.
> > > > 
> > > > https://github.com/systemd/systemd/blob/master/src/shared/condition.c#L405
> > > > https://github.com/systemd/systemd/blob/master/src/basic/stat-util.c#L126
> > > > 
> > > > :(
> > > 
> > > Well, that's disappointing (and shame on me - I should have tested the
> > > patch better).
> > > 
> > > I think using ExecStartPre as Ahmed first suggested is the best
> > > solution. It should do exactly what we want. The admin capability check
> > > can have some corner cases where it does the wrong thing.
> > 
> > The ExecStartPre= solution has the undesirable side effect that it
> > marks the unit as failed, and thus the systemd --user session as
> > degraded. I think the CAP_SYS_ADMIN solution is a bit better until we
> > get ConditionUID. Presumably the people running containers where root
> > does not have CAP_SYS_ADMIN know what they are doing.
> 
> Good point. I'll make v2 with the capability check.

It turns out that the capability check doesn't work either. I don't
have any idea why.

"systemctl --user start pulseaudio.socket" doesn't indicate any
failure, but it doesn't matter if I'm root (via "machinectl shell") or
a regular user, "systemctl --user status pulseaudio.socket" prints the
following:

● pulseaudio.socket - Sound System
   Loaded: loaded (/usr/lib/systemd/user/pulseaudio.socket; disabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Thu 2017-02-09 21:17:42 EET; 8min ago
           └─ ConditionCapability=!CAP_SYS_ADMIN was not met
   Listen: /run/user/1000/pulse/native (Stream)

I submitted a bug report:
https://github.com/systemd/systemd/issues/5296

I guess the last remaining solution is to use ExecStartPre.

-- 
Tanu

https://www.patreon.com/tanuk

More information about the pulseaudio-discuss mailing list