diff mbox series

Do not start mpris-proxy for root user

Message ID a15e6919-9000-4628-baec-a2d2cc327903@aerusso.net
State New
Headers show
Series Do not start mpris-proxy for root user | expand

Commit Message

Antonio Russo Jan. 26, 2025, 3:04 p.m. UTC 
Hello,

A default installation of bluez results in the systemd user unit
mpris-proxy.service being started for all users---including root.
This unnecessarily exposes root to any security vulnerability in
mpris-proxy.

Please consider the following trivial patch that changes this
default behavior.

Best,
Antonio Russo


 From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo <aerusso@aerusso.net>
Date: Sun, 26 Jan 2025 08:00:26 -0700
Subject: [PATCH] Do not start mpris-proxy for root user

A default installation of bluez results in the systemd user unit
mpris-proxy.service being started for all users---including root.
This unnecessarily exposes root to any security vulnerability in
mpris-proxy.

Inhibit this default behavior by using ConditionUser=!root.

Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net>
---
  tools/mpris-proxy.service.in | 1 +
  1 file changed, 1 insertion(+)

Comments

Salvatore Bonaccorso May 17, 2025, 1:12 p.m. UTC | #1 
On Sun, Jan 26, 2025 at 08:04:27AM -0700, Antonio Russo wrote:
> Hello,
> 
> A default installation of bluez results in the systemd user unit
> mpris-proxy.service being started for all users---including root.
> This unnecessarily exposes root to any security vulnerability in
> mpris-proxy.
> 
> Please consider the following trivial patch that changes this
> default behavior.
> 
> Best,
> Antonio Russo
> 
> 
> From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001
> From: Antonio Enrico Russo <aerusso@aerusso.net>
> Date: Sun, 26 Jan 2025 08:00:26 -0700
> Subject: [PATCH] Do not start mpris-proxy for root user
> 
> A default installation of bluez results in the systemd user unit
> mpris-proxy.service being started for all users---including root.
> This unnecessarily exposes root to any security vulnerability in
> mpris-proxy.
> 
> Inhibit this default behavior by using ConditionUser=!root.
> 
> Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net>
> ---
>  tools/mpris-proxy.service.in | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in
> index 5307490..118ed6e 100644
> --- a/tools/mpris-proxy.service.in
> +++ b/tools/mpris-proxy.service.in
> @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1)
>  Wants=dbus.socket
>  After=dbus.socket
> +ConditionUser=!root
>  [Service]
>  Type=simple
> -- 
> 2.48.1

Looping in all primary involved people for adding or touching the
systemd unit file. Luiz, Guido and Andrew, any opinion on the proposed
change?

For reference as well discussed in downstream Debian in
https://bugs.debian.org/1094257

Regards,
Salvatore
diff mbox series

Patch

diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in
index 5307490..118ed6e 100644
--- a/tools/mpris-proxy.service.in
+++ b/tools/mpris-proxy.service.in
@@ -4,6 +4,7 @@  Documentation=man:mpris-proxy(1)
  
  Wants=dbus.socket
  After=dbus.socket
+ConditionUser=!root
  
  [Service]
  Type=simple