From 760cb1e418f9749ac942d8435a3f7273a1679345 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Mon, 20 Mar 2023 01:48:06 +0000 Subject: [PATCH] systemd: start as the D-Bus user/group, rather than root When starting as root files in /proc/self/fdinfo/ will be owned as root and set to 400, so we cannot read them. Nowadays it is not necessary to start as root when running under systemd, so just add User/Group with the configured user to the system unit. If libaudit support is enabled, add AmbientCapabilities=CAP_AUDIT_WRITE so that we can still write to the audit log. Signed-off-by: Luca Boccassi --- bus/dbus.service.in | 3 +++ configure.ac | 3 +++ meson.build | 2 ++ 3 files changed, 8 insertions(+) diff --git a/bus/dbus.service.in b/bus/dbus.service.in index 3713810b..1921db8f 100644 --- a/bus/dbus.service.in +++ b/bus/dbus.service.in @@ -9,3 +9,6 @@ NotifyAccess=main ExecStart=@EXPANDED_BINDIR@/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only ExecReload=@EXPANDED_BINDIR@/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig OOMScoreAdjust=-900 +User=@DBUS_USER@ +Group=@DBUS_USER@ +@AMBIENT_CAPS@ diff --git a/configure.ac b/configure.ac index 08c581e6..f6ce9e6c 100644 --- a/configure.ac +++ b/configure.ac @@ -956,6 +956,9 @@ AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes) if test x$have_libaudit = xyes ; then SELINUX_LIBS="$SELINUX_LIBS -laudit -lcap-ng" AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support]) + # For the systemd system unit + AMBIENT_CAPS="AmbientCapabilities=CAP_AUDIT_WRITE" + AC_SUBST(AMBIENT_CAPS) fi AC_SUBST([SELINUX_LIBS]) diff --git a/meson.build b/meson.build index 433a333d..33120198 100644 --- a/meson.build +++ b/meson.build @@ -549,6 +549,8 @@ else if get_option('libaudit').enabled() and not have_libaudit error('libaudit support requested but not found') endif + # For the systemd system unit + data_config.set('AMBIENT_CAPS', 'AmbientCapabilities=CAP_AUDIT_WRITE') endif config.set('HAVE_LIBAUDIT', have_libaudit)