[pulseaudio-discuss] How to avoid socket activation for root?

Felipe Sateler fsateler at debian.org
Mon Jan 30 13:17:13 UTC 2017


On 28 January 2017 at 11:24, Ahmed S. Darwish <darwish.07 at gmail.com> wrote:
> On Sat, Jan 28, 2017 at 04:00:31PM +0200, Ahmed S. Darwish wrote:
>> Hi :-)
>>
>> On Sat, Jan 28, 2017 at 01:58:32PM +0200, Tanu Kaskinen wrote:
>> > Hi all,
>> >
>> > In the "PA 10 : paplay can't connect !" thread I noticed worrying
>> > netstat output:
>> >
>> > [video at sixcore ~]$ netstat -l -x -p | grep pulse
>> > (Not all processes could be identified, non-owned process info
>> >   will not be shown, you would have to be root to see it all.)
>> > unix  2      [ ACC ]     STREAM     LISTENING     51237    7388/pulseaudio      /tmp/.esd-501/socket
>> > unix  2      [ ACC ]     STREAM     LISTENING     26773    -                    /run/user/0/pulse/native
>> > unix  2      [ ACC ]     STREAM     LISTENING     40938    7362/systemd         /run/user/501/pulse/native
>> >
>> > It looks like systemd manages also root login sessions, and it creates
>> > the pulseaudio socket for root. Presumably pulseaudio would get started
>> > if some application tried to access the socket. When using the
>> > traditional autospawning mechanism, we don't start pulseaudio for root,
>> > and that's how it should be also in the systemd socket activation case.
>> >
>> > Does anyone have ideas about how we could prevent systemd from creating
>> > the socket for root by default?
>> >
>>
>> Confirmed here too, as long as a root login shell is there; e.g.
>> by something like "machinectl shell".
>>
>> Unless we want a restricting directive directly inside systemd,
>> below trick seems to work here:
>>
>>   # /etc/systemd/user/pulseaudio.socket.d/override.conf
>>   [Socket]
>>   ExecStartPre=/bin/sh -c '/usr/bin/test $(/usr/bin/whoami) != "root"'
>>
>> Any better solution?
>>
>
> Below also works, and is much better than the above:
>
>     # /etc/systemd/user/pulseaudio.socket.d/override.conf
>     [Unit]
>     ConditionCapability=!CAP_SYS_ADMIN

One could presumably run a system without SYS_ADMIN capabilities (e.g.,
a container). Therefore, I think it is best to test for a root-owned
file:

  [Unit]
  ConditionPathIsReadWrite=!/root


-- 

Saludos,
Felipe Sateler
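
The following check is an added example, not part of the original message or of PulseAudio. It confirms whether a drop-in such as those discussed in this thread took effect by parsing `netstat -l -x -p` output of the form quoted in the thread and reporting any listening pulse native socket under /run/user/0. The function names are hypothetical, and the sample input is constructed from the three lines quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: the three socket lines from the netstat output in the thread.
sample_netstat() {
cat <<'EOF'
unix  2      [ ACC ]     STREAM     LISTENING     51237    7388/pulseaudio      /tmp/.esd-501/socket
unix  2      [ ACC ]     STREAM     LISTENING     26773    -                    /run/user/0/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     40938    7362/systemd         /run/user/501/pulse/native
EOF
}

# Reads `netstat -l -x -p` output on stdin and prints "uid holder path"
# for every listening pulse native socket under /run/user/<uid>/.
# The holder column is "-" when netstat could not identify the process.
pulse_native_sockets() {
    awk '
        $1 == "unix" && /LISTENING/ &&
        $NF ~ /^\/run\/user\/[0-9]+\/pulse\/native$/ {
            split($NF, part, "/")   # part[4] is <uid> in /run/user/<uid>/...
            print part[4], $(NF-1), $NF
        }'
}

# Exit status 0 only when no pulse native socket is listening for uid 0.
no_root_pulse_socket() {
    ! pulse_native_sockets | grep -q '^0 '
}

# Demonstration on the constructed sample. On a live system, run as root:
#   netstat -l -x -p | no_root_pulse_socket
sample_netstat | pulse_native_sockets
if sample_netstat | no_root_pulse_socket; then
    echo "OK: no pulse socket for root"
else
    echo "FOUND: pulse socket is being created for root"
fi
```
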

