From 415e3e43499ac73bbf223c2eba6fd4abf8c31345 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Thu, 21 Jan 2021 19:52:44 +0200
Subject: [PATCH] Secure groups for Kodi.

Don't grant the groups globally, instead grant specific services specific groups as needed.
---
 roles/kodi/files/kodi.service | 2 ++
 roles/kodi/files/xorg.service | 2 ++
 roles/kodi/tasks/main.yml     | 6 ------
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/roles/kodi/files/kodi.service b/roles/kodi/files/kodi.service
index 7ca8002..932451e 100644
--- a/roles/kodi/files/kodi.service
+++ b/roles/kodi/files/kodi.service
@@ -15,6 +15,8 @@ Before=graphical.target
 [Service]
 User=kodi
 PAMName=login
+SupplementaryGroups=audio
+SupplementaryGroups=cdrom
 Environment="DISPLAY=:0"
 ExecStart=flatpak run --device=all --filesystem=/etc/group --filesystem=/srv/library tv.kodi.Kodi --standalone --windowing=x11 -fs
 Type=simple
diff --git a/roles/kodi/files/xorg.service b/roles/kodi/files/xorg.service
index cc0ae53..3a697c3 100644
--- a/roles/kodi/files/xorg.service
+++ b/roles/kodi/files/xorg.service
@@ -14,7 +14,9 @@ ConditionPathExists=/dev/tty7
 [Service]
 User=kodi
+SupplementaryGroups=input
 SupplementaryGroups=tty
+SupplementaryGroups=video
 PAMName=login
 ExecStart=startx
 Type=simple
diff --git a/roles/kodi/tasks/main.yml b/roles/kodi/tasks/main.yml
index 1c858da..e0d9820 100644
--- a/roles/kodi/tasks/main.yml
+++ b/roles/kodi/tasks/main.yml
@@ -74,12 +74,6 @@
 - name: Create user
   user:
     create_home: true
-    groups:
-      - audio
-      - cdrom
-      - input
-      - plugdev
-      - video
     home: /var/lib/kodi
     name: kodi
     password: '!' # pragma: allowlist secret
-- 
GitLab
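Review bot: The two new `SupplementaryGroups=` lines in kodi.service carry no explanation of why the Kodi unit needs them, and since the `ExecStart` on the next lines runs flatpak with `--device=all`, these group memberships (together with the kodi UID's own device ACLs) are the only thing bounding what the sandbox can open under /dev — that is worth recording for the next person who trims or extends the list. I would add a unit-file comment above them such as `# Device access is gated only by these groups: --device=all below exposes all of /dev to the sandbox.` and `# audio: sound device nodes; cdrom: optical drive.` The diff also drops `plugdev` from the user (main.yml hunk) without granting it to either service; if the Kodi sandbox relied on it for USB media this will presumably stop working, so either confirm it is unused or add it here deliberately with a comment.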
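Review bot: Adding `SupplementaryGroups=input` to xorg.service grants read access to every /dev/input/event* device (i.e. all keyboard and pointer traffic) not just to the X server but to the whole `startx` session, because supplementary groups are inherited by every process the service spawns; anything started from the kodi user's xinitrc gets the same access. That is inherent to running Xorg rootless, but it should be stated so the grant is not later widened or copied. I would add above the three lines `# input/video/tty: needed for rootless Xorg to open evdev, DRM and the VT. Inherited by everything startx launches, so keep the xinitrc minimal.` Whether the kodi xinitrc launches anything beyond the X server is not visible in this patch.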
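Review bot: Removing the `groups:` key from the `user` task does not revoke the memberships on hosts that were already provisioned: when `groups` is omitted, Ansible's `user` module leaves the existing supplementary groups untouched, so the kodi user on existing machines keeps audio, cdrom, input, plugdev and video and the hardening only applies to freshly built hosts. To actually strip them, keep the key and set it to an empty list, `groups: []`, which with the default `append: false` removes the user from every group except its primary one. Worth a one-line comment next to it, `# no supplementary groups; services grant their own via SupplementaryGroups=`, so a later edit does not reintroduce a global grant.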