Hi,

On Sun, May 18, 2025 at 02:12:41PM +0100, Andrew Sayers wrote:
> On Sat, May 17, 2025 at 03:12:47PM +0200, Salvatore Bonaccorso wrote:
> > On Sun, Jan 26, 2025 at 08:04:27AM -0700, Antonio Russo wrote:
> > > Hello,
> > >
> > > A default installation of bluez results in the systemd user unit
> > > mpris-proxy.service being started for all users---including root.
> > > This unnecessarily exposes root to any security vulnerability in
> > > mpris-proxy.
> > >
> > > Please consider the following trivial patch that changes this
> > > default behavior.
> > >
> > > Best,
> > > Antonio Russo
> > >
> > >
> > > From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001
> > > From: Antonio Enrico Russo <aerusso@xxxxxxxxxxx>
> > > Date: Sun, 26 Jan 2025 08:00:26 -0700
> > > Subject: [PATCH] Do not start mpris-proxy for root user
> > >
> > > A default installation of bluez results in the systemd user unit
> > > mpris-proxy.service being started for all users---including root.
> > > This unnecessarily exposes root to any security vulnerability in
> > > mpris-proxy.
> > >
> > > Inhibit this default behavior by using ConditionUser=!root.
> > >
> > > Signed-off-by: Antonio Enrico Russo <aerusso@xxxxxxxxxxx>
> > > --- > > > tools/mpris-proxy.service.in | 1 + > > > 1 file changed, 1 insertion(+) > > > > > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > > > index 5307490..118ed6e 100644 > > > --- a/tools/mpris-proxy.service.in > > > +++ b/tools/mpris-proxy.service.in
> > > @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > > > Wants=dbus.socket > > > After=dbus.socket > > > +ConditionUser=!root > > > [Service] > > > Type=simple > > > -- > > > 2.48.1
> >
> > Looping in all primary involved people for adding or touching the
> > systemd unit file. Luiz, Guido and Andrew, any opinion on the proposed
> > change?
>
> It sounds like the same logic would apply to all system accounts.
> Would "ConditionUser=!@system" make more sense? For details, see
> https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#ConditionUser=

Guido, what is your take here? The suggestion sounds sensible to me. I
wonder how we can best move forward here, to have it then as well
resolved downstream.

Regards,
Salvatore
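
Review bot: the `+ConditionUser=!root` line added after `After=dbus.socket` excludes only the root user, so the unit still starts in the user manager of any other system account. If the intent is to keep mpris-proxy away from privileged and service accounts in general, `ConditionUser=!@system` (raised in the thread and described under ConditionUser= in systemd.unit) would express that in the same single line. Because the unit's `Documentation=` points at man:mpris-proxy(1), a sentence there stating that the user unit is skipped for root would also help: a failed condition skips the unit without marking it failed, so an administrator who finds the service inactive for root has no other hint as to why.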