On 2025-05-31 12:17, Guido Günther wrote:
Sounds good to me. The system users include users running the login
managers which can have more components on e.g. mobile (for emergency
calls, etc) but I don't think they'd need the mpris-proxy.

wonder how we can best move forward here, to have it then as well
resolved downstream.

I *think* the patch needs a respin by Antonio and once applied we could
cherry-pick to Debian?

Here's an updated version of the patch with the @system condition.
I do not know how to properly acknowledge Andrew Sayers, so please add
whatever trailer is appropriate for that.
From eabbcf86ddfff98bf15b32e65c8d385d3e85f14c Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo <aerusso@xxxxxxxxxxx>
Date: Sun, 1 Jun 2025 18:10:49 -0600
Subject: [PATCH] Do not start mpris-proxy for system users

A default installation of bluez results in the systemd user unit
mpris-proxy.service being started for all users---including root.
This unnecessarily exposes system users to any security
vulnerabilities in mpris-proxy.

Inhibit this default behavior by using ConditionUser=!@system.

Signed-off-by: Antonio Enrico Russo <aerusso@xxxxxxxxxxx>
---
tools/mpris-proxy.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in
index c49d255..6ae56c6 100644
--- a/tools/mpris-proxy.service.in
+++ b/tools/mpris-proxy.service.in
@@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1)
Wants=dbus.socket
After=dbus.socket dbus.service
+ConditionUser=!@system
[Service]
Type=simple
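Review bot: The added ConditionUser=!@system line in tools/mpris-proxy.service.in has no comment, so anyone reading the installed unit will not see why the proxy is skipped; a one-line comment above it stating that system users (root included) are deliberately excluded to limit their exposure to mpris-proxy bugs would keep the rationale with the file. The commit message could also say that an unmet condition makes systemd skip the unit rather than mark it failed, so system-user managers see no error from this change. The cover text asks for a trailer acknowledging Andrew Sayers and the commit message has only the Signed-off-by line, so that trailer still needs to be added before the patch is applied.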
--
2.49.0