[pulseaudio-discuss] How to avoid socket activation for root?
Tanu Kaskinen
tanuk at iki.fi
Tue Jan 31 13:45:47 UTC 2017
On Mon, 2017-01-30 at 10:17 -0300, Felipe Sateler wrote:
> On 28 January 2017 at 11:24, Ahmed S. Darwish <darwish.07 at gmail.com> wrote:
> > On Sat, Jan 28, 2017 at 04:00:31PM +0200, Ahmed S. Darwish wrote:
> > > Unless we want a restricting directive directly inside systemd,
> > > below trick seems to work here:
> > >
> > > # /etc/systemd/user/pulseaudio.socket.d/override.conf
> > > [Socket]
> > > ExecStartPre=/bin/sh -c '/usr/bin/test $(/usr/bin/whoami) != "root"'
> > >
> > > Any better solution?
> > >
> >
> > Below also works, and is much better than the above:
> >
> > # /etc/systemd/user/pulseaudio.socket.d/override.conf
> > [Unit]
> > ConditionCapability=!CAP_SYS_ADMIN
>
> One could presumably run a system without SYS_ADMIN capabilities (eg,
> a container). Therefore, I think it is best to test for a root-owned
> file:
>
> [Unit]
> ConditionPathIsReadWrite=!/root
AFAIK, some people use read-only root filesystem. Doesn't this break in
such situation? Or is it common to put /root on a different read-
write filesystem in such situations?
Using CAP_SYS_ADMIN seems a bit better to me, although not quite ideal.
Maybe this should be brought up on the systemd list?
--
Tanu
https://www.patreon.com/tanuk
More information about the pulseaudio-discuss
mailing list