Package: squeezelite
Version: 1.6.4-1+b1
Severity: important
Tags: security
Dear maintainer,
the squeezelite Debian package currently runs squeezelite as root.
Considering that squeezelite deals with arbitrary audio streams received
from the network this is only looking for trouble and unnecessarily so:
it works just fine when run as a regular user as long as that user is in
the audio group. I've set severity to important as this is a potential
security issue.
I have applied the following changes on my machines:
# adduser --system --disabled-password --disabled-login --home /var/lib/squeezelite --no-create-home --force-badname --group _squeezelite
# usermod -a -G audio _squeezelite
# mkdir /var/lib/squeezelite
# chown _squeezelite._squeezelite /var/lib/squeezelite
The corresponding changes to the init script are attached. The username
follows the _${packagename} scheme [1]. I've been meaning to provide a
postinst script for the user/group handling but still haven't got around
to it and did not want to delay this further. I suggest following
Vincent Bernat's guide at [2].
The only user-visible consequence is that, e.g., when using an ALSA
equalizer one needs to run alsamixer as _squeezelite like so:
# su _squeezelite -s /bin/bash -c 'alsamixer -D equal'
Finally, let me thank you for your work packaging squeezelite for
Debian! I installed the second squeezelite node on my network this past
weekend and they are both working like a charm!
Cheers,
Rene
[1] https://vincent.bernat.im/en/blog/2016-pragmatic-debian-packaging#fn-naming
[2] https://vincent.bernat.im/en/blog/2016-pragmatic-debian-packaging#dedicated-user
--- debian/squeezelite.squeezelite.init.orig 2017-08-02 19:48:03.600249917 +0200
+++ debian/squeezelite.squeezelite.init 2017-08-02 20:08:43.160206073 +0200
@@ -18,6 +18,7 @@
DAEMON=/usr/bin/$NAME
PIDFILE=/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
+DAEMONUSER=_squeezelite
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
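Review bot: DAEMONUSER is hard-coded with no check that the account exists, and the report itself says the postinst that would create `_squeezelite` is not yet written, so on a fresh install start-stop-daemon will fail to switch user and the start action will silently return 2. Suggest guarding right after `[ -x "$DAEMON" ] || exit 0` with something like `getent passwd "$DAEMONUSER" >/dev/null || exit 1` so the misconfiguration is visible, and consider sourcing DAEMONUSER from /etc/default/squeezelite so local administrators can override it.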
@@ -65,7 +66,7 @@
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
--test > /dev/null || return 1
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
- --background --make-pidfile -- $DAEMON_ARGS || return 2
+ --chuid $DAEMONUSER --background --make-pidfile -- $DAEMON_ARGS || return 2
}
#
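Review bot: `--chuid $DAEMONUSER` is only added to the second start-stop-daemon call; the `--test` probe two lines above it still runs without it, which is fine for detecting an already-running instance but worth a comment so nobody "fixes" the asymmetry later. The variable should be quoted (`--chuid "$DAEMONUSER"`) for consistency with the `"$DAEMON"` check earlier in the script. The change should also be documented in README.Debian or the changelog, since it alters user-visible behaviour: as the report notes, ALSA settings such as the equalizer now have to be adjusted as `_squeezelite`, and anyone who previously relied on the daemon running as root will need the `audio` group membership in place.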