From patchwork Sun Jan 26 15:04:27 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Antonio Russo
X-Patchwork-Id: 13950729
Date: Sun, 26 Jan 2025 08:04:27 -0700
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
Content-Language: en-US
To: linux-bluetooth@vger.kernel.org
From: Antonio Russo
Subject: Do not start mpris-proxy for root user

Hello,

A default installation of bluez results in the systemd user unit mpris-proxy.service being started for all users---including root. This unnecessarily exposes root to any security vulnerability in mpris-proxy.

Please consider the following trivial patch that changes this default behavior.

Best,
Antonio Russo

From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo Date: Sun, 26 Jan 2025 08:00:26 -0700 Subject: [PATCH] Do not start mpris-proxy for root user A default installation of bluez results in the systemd user unit mpris-proxy.service being started for all users---including root. This unnecessarily exposes root to any security vulnerability in mpris-proxy. Inhibit this default behavior by using ConditionUser=!root. Signed-off-by: Antonio Enrico Russo --- tools/mpris-proxy.service.in | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in index 5307490..118ed6e 100644 --- a/tools/mpris-proxy.service.in +++ b/tools/mpris-proxy.service.in @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) Wants=dbus.socket After=dbus.socket +ConditionUser=!root [Service] Type=simple
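
Review bot: The added `ConditionUser=!root` line in the [Unit] section of tools/mpris-proxy.service.in only skips the unit when the user manager itself runs as root; any other system account that gets a systemd user manager will still start mpris-proxy. If the goal is to run the proxy only for regular login users, `ConditionUser=!@system` would cover root together with the rest of the system UID range, since systemd's ConditionUser= accepts a numeric UID, a user name, or the special value `@system`. The commit message should say which of the two behaviours is intended. The unit points at man:mpris-proxy(1) in its Documentation= line, so a sentence there noting that the service is not started for root would keep the documented behaviour in step with this change.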