* Do not start mpris-proxy for root user @ 2025-01-26 15:04 Antonio Russo 2025-05-17 13:12 ` Salvatore Bonaccorso 0 siblings, 1 reply; 14+ messages in thread From: Antonio Russo @ 2025-01-26 15:04 UTC (permalink / raw) To: linux-bluetooth [-- Attachment #1.1.1: Type: text/plain, Size: 1314 bytes --] Hello, A default installation of bluez results in the systemd user unit mpris-proxy.service being started for all users---including root. This unnecessarily exposes root to any security vulnerability in mpris-proxy. Please consider the following trivial patch that changes this default behavior. Best, Antonio Russo From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001 From: Antonio Enrico Russo <aerusso@aerusso.net> Date: Sun, 26 Jan 2025 08:00:26 -0700 Subject: [PATCH] Do not start mpris-proxy for root user A default installation of bluez results in the systemd user unit mpris-proxy.service being started for all users---including root. This unnecessarily exposes root to any security vulnerability in mpris-proxy. Inhibit this default behavior by using ConditionUser=!root. Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> --- tools/mpris-proxy.service.in | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in index 5307490..118ed6e 100644 --- a/tools/mpris-proxy.service.in +++ b/tools/mpris-proxy.service.in @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) Wants=dbus.socket After=dbus.socket +ConditionUser=!root [Service] Type=simple -- 2.48.1 [-- Attachment #1.1.2: OpenPGP public key --] [-- Type: application/pgp-keys, Size: 7801 bytes --] [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply related [flat|nested] 14+ messages in thread
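Review bot: "ConditionUser=!root" in the [Unit] hunk excludes only UID 0, while the exposure the commit message describes applies equally to any other system account that gets a systemd user manager. systemd.unit(5) also accepts the special value "@system" for ConditionUser=, so "ConditionUser=!@system" would cover root and the rest of the system user range with the same one-line change.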
* Re: Do not start mpris-proxy for root user 2025-01-26 15:04 Do not start mpris-proxy for root user Antonio Russo @ 2025-05-17 13:12 ` Salvatore Bonaccorso 2025-05-17 14:06 ` Guido Günther 2025-05-18 13:12 ` Andrew Sayers 0 siblings, 2 replies; 14+ messages in thread From: Salvatore Bonaccorso @ 2025-05-17 13:12 UTC (permalink / raw) To: Antonio Russo, Guido Günther, Andrew Sayers, Luiz Augusto von Dentz Cc: linux-bluetooth On Sun, Jan 26, 2025 at 08:04:27AM -0700, Antonio Russo wrote: > Hello, > > A default installation of bluez results in the systemd user unit > mpris-proxy.service being started for all users---including root. > This unnecessarily exposes root to any security vulnerability in > mpris-proxy. > > Please consider the following trivial patch that changes this > default behavior. > > Best, > Antonio Russo > > > From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001 > From: Antonio Enrico Russo <aerusso@aerusso.net> > Date: Sun, 26 Jan 2025 08:00:26 -0700 > Subject: [PATCH] Do not start mpris-proxy for root user > > A default installation of bluez results in the systemd user unit > mpris-proxy.service being started for all users---including root. > This unnecessarily exposes root to any security vulnerability in > mpris-proxy. > > Inhibit this default behavior by using ConditionUser=!root. > > Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> > --- > tools/mpris-proxy.service.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > index 5307490..118ed6e 100644 > --- a/tools/mpris-proxy.service.in > +++ b/tools/mpris-proxy.service.in 
> @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > Wants=dbus.socket > After=dbus.socket > +ConditionUser=!root > [Service] > Type=simple > -- > 2.48.1 Looping in all primary involved people for adding or touching the systemd unit file. Luiz, Guido and Andrew, any opinion on the proposed change? For reference as well discussed in downstream Debian in https://bugs.debian.org/1094257 Regards, Salvatore ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Do not start mpris-proxy for root user 2025-05-17 13:12 ` Salvatore Bonaccorso @ 2025-05-17 14:06 ` Guido Günther 2025-05-18 13:12 ` Andrew Sayers 1 sibling, 0 replies; 14+ messages in thread From: Guido Günther @ 2025-05-17 14:06 UTC (permalink / raw) To: Salvatore Bonaccorso Cc: Antonio Russo, Andrew Sayers, Luiz Augusto von Dentz, linux-bluetooth Hi, On Sat, May 17, 2025 at 03:12:47PM +0200, Salvatore Bonaccorso wrote: > On Sun, Jan 26, 2025 at 08:04:27AM -0700, Antonio Russo wrote: > > Hello, > > > > A default installation of bluez results in the systemd user unit > > mpris-proxy.service being started for all users---including root. > > This unnecessarily exposes root to any security vulnerability in > > mpris-proxy. > > > > Please consider the following trivial patch that changes this > > default behavior. > > > > Best, > > Antonio Russo > > > > > > From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001 > > From: Antonio Enrico Russo <aerusso@aerusso.net> > > Date: Sun, 26 Jan 2025 08:00:26 -0700 > > Subject: [PATCH] Do not start mpris-proxy for root user > > > > A default installation of bluez results in the systemd user unit > > mpris-proxy.service being started for all users---including root. > > This unnecessarily exposes root to any security vulnerability in > > mpris-proxy. > > > > Inhibit this default behavior by using ConditionUser=!root. > > > > Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> > > --- > > tools/mpris-proxy.service.in | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > > index 5307490..118ed6e 100644 > > --- a/tools/mpris-proxy.service.in > > +++ b/tools/mpris-proxy.service.in 
> > @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > > Wants=dbus.socket > > After=dbus.socket > > +ConditionUser=!root > > [Service] > > Type=simple > > -- > > 2.48.1 > > Looping in all primary involved people for adding or touching the > systemd unit file. Luiz, Guido and Andrew, any opinion on the proposed > change? E.g. pipewire does the same, this makes sense to me. Reviewed-by: Guido Günther <agx@sigxcpu.org> Cheers, -- Guido > > For reference as well discussed in downstream Debian in > https://bugs.debian.org/1094257 > > Regards, > Salvatore > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Do not start mpris-proxy for root user 2025-05-17 13:12 ` Salvatore Bonaccorso 2025-05-17 14:06 ` Guido Günther @ 2025-05-18 13:12 ` Andrew Sayers 2025-05-31 8:20 ` Salvatore Bonaccorso 1 sibling, 1 reply; 14+ messages in thread From: Andrew Sayers @ 2025-05-18 13:12 UTC (permalink / raw) To: Salvatore Bonaccorso Cc: Antonio Russo, Guido Günther, Luiz Augusto von Dentz, linux-bluetooth On Sat, May 17, 2025 at 03:12:47PM +0200, Salvatore Bonaccorso wrote: > On Sun, Jan 26, 2025 at 08:04:27AM -0700, Antonio Russo wrote: > > Hello, > > > > A default installation of bluez results in the systemd user unit > > mpris-proxy.service being started for all users---including root. > > This unnecessarily exposes root to any security vulnerability in > > mpris-proxy. > > > > Please consider the following trivial patch that changes this > > default behavior. > > > > Best, > > Antonio Russo > > > > > > From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001 > > From: Antonio Enrico Russo <aerusso@aerusso.net> > > Date: Sun, 26 Jan 2025 08:00:26 -0700 > > Subject: [PATCH] Do not start mpris-proxy for root user > > > > A default installation of bluez results in the systemd user unit > > mpris-proxy.service being started for all users---including root. > > This unnecessarily exposes root to any security vulnerability in > > mpris-proxy. > > > > Inhibit this default behavior by using ConditionUser=!root. > > > > Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> > > --- > > tools/mpris-proxy.service.in | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > > index 5307490..118ed6e 100644 > > --- a/tools/mpris-proxy.service.in > > +++ b/tools/mpris-proxy.service.in 
> > @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > > Wants=dbus.socket > > After=dbus.socket > > +ConditionUser=!root > > [Service] > > Type=simple > > -- > > 2.48.1 > > Looping in all primary involved people for adding or touching the > systemd unit file. Luiz, Guido and Andrew, any opinion on the proposed > change? It sounds like the same logic would apply to all system accounts. Would "ConditionUser=!@system" make more sense? For details, see https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#ConditionUser= > > For reference as well discussed in downstream Debian in > https://bugs.debian.org/1094257 > > Regards, > Salvatore > > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Do not start mpris-proxy for root user 2025-05-18 13:12 ` Andrew Sayers @ 2025-05-31 8:20 ` Salvatore Bonaccorso 2025-05-31 18:17 ` Guido Günther 0 siblings, 1 reply; 14+ messages in thread From: Salvatore Bonaccorso @ 2025-05-31 8:20 UTC (permalink / raw) To: Andrew Sayers Cc: Antonio Russo, Guido Günther, Luiz Augusto von Dentz, linux-bluetooth Hi, On Sun, May 18, 2025 at 02:12:41PM +0100, Andrew Sayers wrote: > On Sat, May 17, 2025 at 03:12:47PM +0200, Salvatore Bonaccorso wrote: > > On Sun, Jan 26, 2025 at 08:04:27AM -0700, Antonio Russo wrote: > > > Hello, > > > > > > A default installation of bluez results in the systemd user unit > > > mpris-proxy.service being started for all users---including root. > > > This unnecessarily exposes root to any security vulnerability in > > > mpris-proxy. > > > > > > Please consider the following trivial patch that changes this > > > default behavior. > > > > > > Best, > > > Antonio Russo > > > > > > > > > From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001 > > > From: Antonio Enrico Russo <aerusso@aerusso.net> > > > Date: Sun, 26 Jan 2025 08:00:26 -0700 > > > Subject: [PATCH] Do not start mpris-proxy for root user > > > > > > A default installation of bluez results in the systemd user unit > > > mpris-proxy.service being started for all users---including root. > > > This unnecessarily exposes root to any security vulnerability in > > > mpris-proxy. > > > > > > Inhibit this default behavior by using ConditionUser=!root. > > > > > > Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> > > > --- > > > tools/mpris-proxy.service.in | 1 + > > > 1 file changed, 1 insertion(+) > > > > > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > > > index 5307490..118ed6e 100644 > > > --- a/tools/mpris-proxy.service.in > > > +++ b/tools/mpris-proxy.service.in 
> > > @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > > > Wants=dbus.socket > > > After=dbus.socket > > > +ConditionUser=!root > > > [Service] > > > Type=simple > > > -- > > > 2.48.1 > > > > Looping in all primary involved people for adding or touching the > > systemd unit file. Luiz, Guido and Andrew, any opinion on the proposed > > change? > > It sounds like the same logic would apply to all system accounts. > Would "ConditionUser=!@system" make more sense? For details, see > https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#ConditionUser= Guido, what is your take here? The suggestion sounds sensible to me. wonder how we can best move forward here, to have it then as well resolved downstream. Regards, Salvatore ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Do not start mpris-proxy for root user 2025-05-31 8:20 ` Salvatore Bonaccorso @ 2025-05-31 18:17 ` Guido Günther 2025-06-02 0:29 ` Antonio Russo 0 siblings, 1 reply; 14+ messages in thread From: Guido Günther @ 2025-05-31 18:17 UTC (permalink / raw) To: Salvatore Bonaccorso Cc: Andrew Sayers, Antonio Russo, Luiz Augusto von Dentz, linux-bluetooth Hi, On Sat, May 31, 2025 at 10:20:43AM +0200, Salvatore Bonaccorso wrote: > Hi, > > On Sun, May 18, 2025 at 02:12:41PM +0100, Andrew Sayers wrote: > > On Sat, May 17, 2025 at 03:12:47PM +0200, Salvatore Bonaccorso wrote: > > > On Sun, Jan 26, 2025 at 08:04:27AM -0700, Antonio Russo wrote: > > > > Hello, > > > > > > > > A default installation of bluez results in the systemd user unit > > > > mpris-proxy.service being started for all users---including root. > > > > This unnecessarily exposes root to any security vulnerability in > > > > mpris-proxy. > > > > > > > > Please consider the following trivial patch that changes this > > > > default behavior. > > > > > > > > Best, > > > > Antonio Russo > > > > > > > > > > > > From d9e02494e661109607c073968fa352c1397a1ffb Mon Sep 17 00:00:00 2001 > > > > From: Antonio Enrico Russo <aerusso@aerusso.net> > > > > Date: Sun, 26 Jan 2025 08:00:26 -0700 > > > > Subject: [PATCH] Do not start mpris-proxy for root user > > > > > > > > A default installation of bluez results in the systemd user unit > > > > mpris-proxy.service being started for all users---including root. > > > > This unnecessarily exposes root to any security vulnerability in > > > > mpris-proxy. > > > > > > > > Inhibit this default behavior by using ConditionUser=!root. > > > > > > > > Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> > > > > --- > > > > tools/mpris-proxy.service.in | 1 + > > > > 1 file changed, 1 insertion(+) > > > > > > > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > > > > index 5307490..118ed6e 100644 > > > > --- a/tools/mpris-proxy.service.in 
> > > > +++ b/tools/mpris-proxy.service.in > > > > @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > > > > Wants=dbus.socket > > > > After=dbus.socket > > > > +ConditionUser=!root > > > > [Service] > > > > Type=simple > > > > -- > > > > 2.48.1 > > > > > > Looping in all primary involved people for adding or touching the > > > systemd unit file. Luiz, Guido and Andrew, any opinion on the proposed > > > change? > > > > It sounds like the same logic would apply to all system accounts. > > Would "ConditionUser=!@system" make more sense? For details, see > > https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#ConditionUser= > > Guido, what is your take here? The suggestion sounds sensible to me. Sounds good to me. The system users include users running the login managers which can have more components on e.g. mobile (for emergency calls, etc) but I don't think they'd need the mpris-proxy. > wonder how we can best move forward here, to have it then as well > resolved downstream. I *think* the patch needs a respin by Antonio and once applied we could cherry-pick to Debian? Cheers, -- Guido > > Regards, > Salvatore > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Do not start mpris-proxy for root user 2025-05-31 18:17 ` Guido Günther @ 2025-06-02 0:29 ` Antonio Russo 2025-06-02 18:18 ` Luiz Augusto von Dentz 0 siblings, 1 reply; 14+ messages in thread From: Antonio Russo @ 2025-06-02 0:29 UTC (permalink / raw) To: linux-bluetooth Cc: Andrew Sayers, Luiz Augusto von Dentz, Salvatore Bonaccorso, Guido Günther On 2025-05-31 12:17, Guido Günther wrote: > > Sounds good to me. The system users include users running the login > managers which can have more components on e.g. mobile (for emergency > calls, etc) but I don't think they'd need the mpris-proxy. > >> wonder how we can best move forward here, to have it then as well >> resolved downstream. > > I *think* the patch needs a respin by Antonio and once applied we could > cherry-pick to Debian? Here's an updated version of the patch with the @system condition. I do not know how to properly acknowledge Andrew Sayers, so please add whatever trailer is appropriate for that. From eabbcf86ddfff98bf15b32e65c8d385d3e85f14c Mon Sep 17 00:00:00 2001 From: Antonio Enrico Russo <aerusso@aerusso.net> Date: Sun, 1 Jun 2025 18:10:49 -0600 Subject: [PATCH] Do not start mpris-proxy for system users A default installation of bluez results in the systemd user unit mpris-proxy.service being started for all users---including root. This unnecessarily exposes system users to any security vulnerabilities in mpris-proxy. Inhibit this default behavior by using ConditionUser=!@system. Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> --- tools/mpris-proxy.service.in | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in index c49d255..6ae56c6 100644 --- a/tools/mpris-proxy.service.in +++ b/tools/mpris-proxy.service.in @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) Wants=dbus.socket After=dbus.socket dbus.service +ConditionUser=!@system [Service] Type=simple -- 2.49.0 ^ permalink raw reply related [flat|nested] 14+ messages in thread
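Review bot: "ConditionUser=!@system" keys on the system user id range rather than on account names, so a human account created with a UID inside that range would silently stop getting mpris-proxy. It is worth saying in the commit message that the unit is skipped, not failed, for those accounts, and that an administrator who does want it there can reset the condition with an empty "ConditionUser=" assignment in a user-unit drop-in.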
* Re: Do not start mpris-proxy for root user 2025-06-02 0:29 ` Antonio Russo @ 2025-06-02 18:18 ` Luiz Augusto von Dentz 2025-06-03 3:37 ` [PATCH] Do not start mpris-proxy for system users Antonio Russo 0 siblings, 1 reply; 14+ messages in thread From: Luiz Augusto von Dentz @ 2025-06-02 18:18 UTC (permalink / raw) To: Antonio Russo Cc: linux-bluetooth, Andrew Sayers, Luiz Augusto von Dentz, Salvatore Bonaccorso, Guido Günther Hi Antonio, On Sun, Jun 1, 2025 at 9:24 PM Antonio Russo <aerusso@aerusso.net> wrote: > > On 2025-05-31 12:17, Guido Günther wrote: > > > > Sounds good to me. The system users include users running the login > > managers which can have more components on e.g. mobile (for emergency > > calls, etc) but I don't think they'd need the mpris-proxy. > > > >> wonder how we can best move forward here, to have it then as well > >> resolved downstream. > > > > I *think* the patch needs a respin by Antonio and once applied we could > > cherry-pick to Debian? > > Here's an updated version of the patch with the @system condition. > > I do not know how to properly acknowledge Andrew Sayers, so please add > whatever trailer is appropriate for that. > > From eabbcf86ddfff98bf15b32e65c8d385d3e85f14c Mon Sep 17 00:00:00 2001 > From: Antonio Enrico Russo <aerusso@aerusso.net> > Date: Sun, 1 Jun 2025 18:10:49 -0600 > Subject: [PATCH] Do not start mpris-proxy for system users > > A default installation of bluez results in the systemd user unit > mpris-proxy.service being started for all users---including root. > This unnecessarily exposes system users to any security > vulnerabilities in mpris-proxy. > > Inhibit this default behavior by using ConditionUser=!@system. > > Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> > --- > tools/mpris-proxy.service.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > index c49d255..6ae56c6 100644 > --- a/tools/mpris-proxy.service.in 
> +++ b/tools/mpris-proxy.service.in > @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > > Wants=dbus.socket > After=dbus.socket dbus.service > +ConditionUser=!@system > > [Service] > Type=simple > -- > 2.49.0 Can you send a proper patch with git format-patch + git send-email? Embedding it on another email don't seem to cut it for git am: Applying: Do not start mpris-proxy for root user error: corrupt patch at line 16 Patch failed at 0001 Do not start mpris-proxy for root user > -- Luiz Augusto von Dentz ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH] Do not start mpris-proxy for system users 2025-06-02 18:18 ` Luiz Augusto von Dentz @ 2025-06-03 3:37 ` Antonio Russo 2025-06-03 5:10 ` bluez.test.bot ` (4 more replies) 0 siblings, 5 replies; 14+ messages in thread From: Antonio Russo @ 2025-06-03 3:37 UTC (permalink / raw) To: linux-bluetooth Cc: Luiz Augusto von Dentz, Andrew Sayers, Luiz Augusto von Dentz, Salvatore Bonaccorso, Guido Günther A default installation of bluez results in the systemd user unit mpris-proxy.service being started for all users---including root. This unnecessarily exposes system users to any security vulnerabilities in mpris-proxy. Inhibit this default behavior by using ConditionUser=!@system. Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> --- tools/mpris-proxy.service.in | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in index c49d255..6ae56c6 100644 --- a/tools/mpris-proxy.service.in +++ b/tools/mpris-proxy.service.in @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) Wants=dbus.socket After=dbus.socket dbus.service +ConditionUser=!@system [Service] Type=simple -- 2.49.0 ^ permalink raw reply related [flat|nested] 14+ messages in thread
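Review bot: the new "ConditionUser=!@system" line in [Unit] is added without a comment, and the patch changes only tools/mpris-proxy.service.in, so the page named by "Documentation=man:mpris-proxy(1)" is not updated to mention the restriction either. A one-line "#" comment above the condition giving the reason (keep mpris-proxy out of root and system-account sessions) would make a skipped start easier to diagnose from the unit file alone.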
* RE: Do not start mpris-proxy for system users
From: bluez.test.bot @ 2025-06-03 5:10 UTC
To: linux-bluetooth, aerusso

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=968153

---Test result---

Test Summary:
CheckPatch                    PENDING   0.26 seconds
GitLint                       PENDING   0.22 seconds
BuildEll                      PASS      20.39 seconds
BluezMake                     PASS      2746.97 seconds
MakeCheck                     PASS      20.67 seconds
MakeDistcheck                 PASS      198.66 seconds
CheckValgrind                 PASS      275.81 seconds
CheckSmatch                   PASS      302.33 seconds
bluezmakeextell               PASS      127.98 seconds
IncrementalBuild              PENDING   0.26 seconds
ScanBuild                     PASS      906.58 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:

---
Regards,
Linux Bluetooth
* Re: [PATCH] Do not start mpris-proxy for system users 2025-06-03 3:37 ` [PATCH] Do not start mpris-proxy for system users Antonio Russo 2025-06-03 5:10 ` bluez.test.bot @ 2025-06-03 6:59 ` Guido Günther 2025-06-03 7:16 ` Paul Menzel ` (2 subsequent siblings) 4 siblings, 0 replies; 14+ messages in thread From: Guido Günther @ 2025-06-03 6:59 UTC (permalink / raw) To: Antonio Russo Cc: linux-bluetooth, Luiz Augusto von Dentz, Andrew Sayers, Luiz Augusto von Dentz, Salvatore Bonaccorso Hi, On Mon, Jun 02, 2025 at 09:37:20PM -0600, Antonio Russo wrote: > A default installation of bluez results in the systemd user unit > mpris-proxy.service being started for all users---including root. > This unnecessarily exposes system users to any security > vulnerabilities in mpris-proxy. > > Inhibit this default behavior by using ConditionUser=!@system. > > Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> > --- > tools/mpris-proxy.service.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > index c49d255..6ae56c6 100644 > --- a/tools/mpris-proxy.service.in > +++ b/tools/mpris-proxy.service.in > @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > > Wants=dbus.socket > After=dbus.socket dbus.service > +ConditionUser=!@system > > [Service] > Type=simple Reviewed-by: Guido Günther <agx@sigxcpu.org> Cheers, -- Guido > -- > 2.49.0 > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] Do not start mpris-proxy for system users 2025-06-03 3:37 ` [PATCH] Do not start mpris-proxy for system users Antonio Russo 2025-06-03 5:10 ` bluez.test.bot 2025-06-03 6:59 ` [PATCH] " Guido Günther @ 2025-06-03 7:16 ` Paul Menzel 2025-06-03 14:35 ` Andrew Sayers 2025-06-03 17:30 ` patchwork-bot+bluetooth 4 siblings, 0 replies; 14+ messages in thread From: Paul Menzel @ 2025-06-03 7:16 UTC (permalink / raw) To: Antonio Russo Cc: linux-bluetooth, Luiz Augusto von Dentz, Andrew Sayers, Luiz Augusto von Dentz, Salvatore Bonaccorso, Guido Günther Dear Antonio, Thank you for your patch. Am 03.06.25 um 05:37 schrieb Antonio Russo: > A default installation of bluez results in the systemd user unit > mpris-proxy.service being started for all users---including root. > This unnecessarily exposes system users to any security > vulnerabilities in mpris-proxy. > > Inhibit this default behavior by using ConditionUser=!@system. > > Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> > --- > tools/mpris-proxy.service.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > index c49d255..6ae56c6 100644 > --- a/tools/mpris-proxy.service.in > +++ b/tools/mpris-proxy.service.in > @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > > Wants=dbus.socket > After=dbus.socket dbus.service > +ConditionUser=!@system > > [Service] > Type=simple Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de> Kind regards, Paul ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] Do not start mpris-proxy for system users 2025-06-03 3:37 ` [PATCH] Do not start mpris-proxy for system users Antonio Russo ` (2 preceding siblings ...) 2025-06-03 7:16 ` Paul Menzel @ 2025-06-03 14:35 ` Andrew Sayers 2025-06-03 17:30 ` patchwork-bot+bluetooth 4 siblings, 0 replies; 14+ messages in thread From: Andrew Sayers @ 2025-06-03 14:35 UTC (permalink / raw) To: Antonio Russo Cc: linux-bluetooth, Luiz Augusto von Dentz, Luiz Augusto von Dentz, Salvatore Bonaccorso, Guido Günther On Mon, Jun 02, 2025 at 09:37:20PM -0600, Antonio Russo wrote: > A default installation of bluez results in the systemd user unit > mpris-proxy.service being started for all users---including root. > This unnecessarily exposes system users to any security > vulnerabilities in mpris-proxy. > > Inhibit this default behavior by using ConditionUser=!@system. > > Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net> > --- > tools/mpris-proxy.service.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tools/mpris-proxy.service.in b/tools/mpris-proxy.service.in > index c49d255..6ae56c6 100644 > --- a/tools/mpris-proxy.service.in > +++ b/tools/mpris-proxy.service.in > @@ -4,6 +4,7 @@ Documentation=man:mpris-proxy(1) > > Wants=dbus.socket > After=dbus.socket dbus.service > +ConditionUser=!@system > > [Service] > Type=simple Reviewed-by: Andrew Sayers <kernel.org@pileofstuff.org> There was a question earlier in the thread about how to acknowledge me. I believe the protocol is to use "Suggested-By:" when I haven't replied, and I assume the "Reviewed-By" line *replaces* it now I have. But I could be wrong, and don't personally have any important requirements. > -- > 2.49.0 > > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] Do not start mpris-proxy for system users
From: patchwork-bot+bluetooth @ 2025-06-03 17:30 UTC
To: Antonio Russo
Cc: linux-bluetooth, luiz.dentz, kernel.org, luiz.von.dentz, carnil, agx

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 2 Jun 2025 21:37:20 -0600 you wrote:
> A default installation of bluez results in the systemd user unit
> mpris-proxy.service being started for all users---including root.
> This unnecessarily exposes system users to any security
> vulnerabilities in mpris-proxy.
>
> Inhibit this default behavior by using ConditionUser=!@system.
>
> [...]

Here is the summary with links:
  - Do not start mpris-proxy for system users
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=99861c249c86

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
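How the two condition values discussed in this thread differ in effect, as an added example that is not part of the thread and is not BlueZ or systemd code: a small Python model of ConditionUser= evaluation for a user unit. The SYSTEM_UID_MAX value of 999, the account table (including the hypothetical "greeter" login-manager account) and the unit text rebuilt from the hunk's visible lines are assumptions for illustration.

```python
"""Added example: model how systemd's ConditionUser= gates a user unit."""

SYSTEM_UID_MAX = 999  # assumption: the real boundary is set by the systemd build / distribution

# Constructed from the lines visible in the patch hunk; the rest of the unit file is omitted.
UNIT_TEMPLATE = """\
[Unit]
Documentation=man:mpris-proxy(1)
Wants=dbus.socket
After=dbus.socket dbus.service
{condition}

[Service]
Type=simple
"""

# Constructed accounts: name -> uid. "greeter" stands in for a login-manager system user.
ACCOUNTS = {"root": 0, "greeter": 120, "alice": 1000}


def unit_conditions(unit_text):
    """Return the ConditionUser= values from [Unit]; an empty assignment resets the list."""
    section, values = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section == "Unit" and sep and key.strip() == "ConditionUser":
            value = value.strip()
            if value:
                values.append(value)
            else:
                values.clear()
    return values


def matches(param, uid, accounts):
    """True when the user manager's uid satisfies one un-negated ConditionUser parameter."""
    if param == "@system":
        return uid <= SYSTEM_UID_MAX      # uid 0 (root) is inside the system range
    if param.isdigit():
        return int(param) == uid
    # Simplification: a name missing from the table never matches.
    return accounts.get(param) == uid


def unit_would_start(unit_text, user, accounts=ACCOUNTS):
    """Every plain condition must hold; if any '|' (triggering) conditions exist,
    at least one of them must hold as well."""
    uid = accounts[user]
    plain_ok, triggers = True, []
    for value in unit_conditions(unit_text):
        trigger = value.startswith("|")   # '|' comes before '!' when both are used
        value = value[1:] if trigger else value
        negate = value.startswith("!")
        value = value[1:] if negate else value
        result = matches(value, uid, accounts) != negate
        if trigger:
            triggers.append(result)
        else:
            plain_ok = plain_ok and result
    return plain_ok and (not triggers or any(triggers))


def compare(conditions, accounts=ACCOUNTS):
    """Map each condition line to the accounts whose user manager would start the unit."""
    return {
        cond: [u for u in accounts
               if unit_would_start(UNIT_TEMPLATE.format(condition=cond), u, accounts)]
        for cond in conditions
    }


if __name__ == "__main__":
    for cond, users in compare(["", "ConditionUser=!root", "ConditionUser=!@system"]).items():
        print(f"{cond or '(no condition)':28} starts for: {', '.join(users)}")
```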