Re: Running sndiod as user sndiod on Arch Linux

From: Edward Wandasiewicz <w13ntd_at_gmail.com>
Date: Mon Sep 18 2017 - 11:44:35 CEST
Does the illustration below, explain why /usr/bin/sndiod is run as user
"root" or a local user, and never as user "sndiod"?

#
# Lets have a look at the directories created in /tmp
# when running sndiod as user { alison, root, sndiod }
#

#
# Run sndiod as user=alison with id 1000
#

$ ls -la /tmp/aucat-1000
total 0
drwx------ 2 alison alison  60 Sep 18 08:10 .
drwxrwxrwt 9 root   root   240 Sep 18 08:10 ..
srw-rw-rw- 1 alison alison   0 Sep 18 08:10 aucat0

#
# Run sndiod as user=root
#

$ ls -la /tmp
drwxr-xr-x  2 root   root     60 Sep 18 08:55 aucat		# _MARK_1.0

$ ls -la /tmp/aucat
total 0
drwxr-xr-x 2 root root  60 Sep 18 08:18 .
drwxrwxrwt 9 root root 220 Sep 18 08:18 ..
srw-rw-rw- 1 root root   0 Sep 18 08:18 aucat0			# _MARK_1.1

#
# Run sndiod as user=sndiod via systemctl and not "sudo -u sndiod"
#
# user sndiod is running "/usr/bin/sndiod -dd -f rsnd/1"
#

$ sudo systemctl restart sndiod.service

$ ls -la /tmp
drwx------  2 sndiod audio    60 Sep 18 08:22 aucat-991		# _MARK_2.0

$ sudo ls -la /tmp/aucat-991/
total 0
drwx------ 2 sndiod audio  60 Sep 18 08:22 .
drwxrwxrwt 9 root   root  220 Sep 18 08:22 ..
srw-rw-rw- 1 sndiod audio   0 Sep 18 08:22 aucat0		# _MARK_2.1

#
# Run an strace on aucat as our local user
#

$ strace aucat -f snd/0 -i /use/share/sounds/alsa/Side_Right.wav

#
# BINGO - file can't be opened
#

connect(4, {sa_family=AF_UNIX, sun_path="/tmp/aucat-1000/aucat0"},
110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/tmp/aucat/aucat0"}, 110) =
-1 ENOENT (No such file or directory)
close(4)                                = 0
write(2, "snd/0: couldn't open audio devic"..., 34snd/0: couldn't open
audio device

#
# Running sndiod as user sndiod, the local user never gets to open
/tmp/aucat-991/aucat0
# no wonder....
# Lets try a symbolic link from /tmp/aucat to /tmp/aucat-991, and try an strace
#

$ sudo ln -fs aucat-991 aucat

#
# Run an strace with aucat symbolic linked to aucat-_ID_SNDIO_USER_
#

$ strace aucat -f snd/0 -i /use/share/sounds/alsa/Side_Right.wav

connect(4, {sa_family=AF_UNIX, sun_path="/tmp/aucat-1000/aucat0"},
110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/tmp/aucat/aucat0"}, 110) =
-1 EACCES (Permission denied)
close(4)                                = 0
write(2, "snd/0: couldn't open audio devic"..., 34snd/0: couldn't open
audio device

#
# What's different between running as root, and sndiod?
# File aucat0 has the same properties, srw-rw-rw- , see above
_MARK_1.1 & _MARK_2.1
# Lets make _MARK_2.0 the same as _MARK_1.0
#
# Lets add {g, o} r+x permissions to /tmp/aucat-991
# the same properties as /tmp/aucat - sndiod running as root
# and add local users to the group audio
#

$ sudo chmod g+rx aucat-991
$ sudo chmod o+rx aucat-991

$ ls -la /tmp

drwxrw-rw-  2 sndiod audio    60 Sep 18 08:22 aucat-991

$ id

uid=1000(alison) gid=1000(alison) groups=1000(alison),10(wheel),990(audio)

#
# Let's give it a go...
#

$ strace aucat -f snd/0 -i /use/share/sounds/alsa/Side_Right.wav

connect(4, {sa_family=AF_UNIX, sun_path="/tmp/aucat-1000/aucat0"},
110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/tmp/aucat/aucat0"}, 110) = 0
getuid()                                = 1000
geteuid()                               = 1000
getgid()                                = 1000
getegid()                               = 1000
openat(AT_FDCWD, "/home/alison/.aucat_cookie", O_RDONLY) = 5

#
# WE HAVE LIFT OFF BABY!!!
#

$ ls -la /tmp
lrwxrwxrwx  1 root   root      9 Sep 18 09:12 aucat -> aucat-991
drwxr-xr-x  2 sndiod audio    60 Sep 18 09:10 aucat-991

Question: Do we run systemctl sndiod.service as user "sndiod"

- where we would have to add an extra file to connect to - aucat of user sndiod
- and amend it's directory properties accordingly, with +rx
- and users would need to be a member of group audio

Question: or run systemctl sndiod.service as user "roor"

- no changes required

$ grep -A4 Service /usr/lib/systemd/system/sndiod.service

[Service]
User=sndiod
EnvironmentFile=/etc/conf.d/sndiod
ExecStart=/usr/bin/sndiod -dd $OPTS


On Mon, Sep 18, 2017 at 5:02 AM, Alexandre Ratchov <alex@caoua.org> wrote:

> On Sun, Sep 17, 2017 at 07:48:30PM +0000, Edward Wandasiewicz wrote:
> >
> > $ sudo sndiod -dddd -f rsnd/1
> >
> > But if I try to run it via systemd with user=sndiod, it refuses to open
> the
> > device snd/0 if I run, as a local user
>
> Hi,
>
> I don't understand systemd very well, but the shared sndiod daemon
> must be started as root.  It will initialize and switch to the
> unpriviledged 'sndiod' user. As audio and MIDI devices are opened only
> when in use, the 'sndiod' user must have permissions to open them.
>
Received on Mon, 18 Sep 2017 09:44:35 +0000

This archive was generated by hypermail 2.1.8 : Wed Nov 08 2017 - 16:31:34 CET