Commit 415e3e43 authored by nimrod

Secure groups for Kodi.

Don't grant the groups globally, instead grant specific services
specific groups as needed.
parent 8ff5d38c
Pipeline #511 passed
...@@ -15,6 +15,8 @@ Before=graphical.target ...@@ -15,6 +15,8 @@ Before=graphical.target
[Service] [Service]
User=kodi User=kodi
PAMName=login PAMName=login
SupplementaryGroups=audio
SupplementaryGroups=cdrom
Environment="DISPLAY=:0" Environment="DISPLAY=:0"
ExecStart=flatpak run --device=all --filesystem=/etc/group --filesystem=/srv/library tv.kodi.Kodi --standalone --windowing=x11 -fs ExecStart=flatpak run --device=all --filesystem=/etc/group --filesystem=/srv/library tv.kodi.Kodi --standalone --windowing=x11 -fs
Type=simple Type=simple
......
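Review bot: in the [Service] block of this unit Kodi now receives only audio and cdrom, so input, plugdev and video, which the "Create user" task used to grant to the kodi account, no longer reach the Kodi process. video and input move to the startx unit and plugdev is not granted anywhere in this commit. If Kodi needs none of them (for hardware video decoding or removable media, for instance), say so in the commit message; otherwise add the missing SupplementaryGroups= line here. Also note that ExecStart still passes --device=all, so these two groups, not the flatpak sandbox, are what limits device access for this service.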
...@@ -14,7 +14,9 @@ ConditionPathExists=/dev/tty7 ...@@ -14,7 +14,9 @@ ConditionPathExists=/dev/tty7
[Service] [Service]
User=kodi User=kodi
SupplementaryGroups=input
SupplementaryGroups=tty SupplementaryGroups=tty
SupplementaryGroups=video
PAMName=login PAMName=login
ExecStart=startx ExecStart=startx
Type=simple Type=simple
......
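Review bot: the SupplementaryGroups= lines in [Service] have no comment saying why the X session needs each group, and everything that ExecStart=startx launches as kodi inherits input, tty and video. Since the point of the commit is to grant groups per service, add a short comment above the block naming what each group is for, so a later change can tell which grants are still required and which can be dropped.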
...@@ -74,12 +74,6 @@ ...@@ -74,12 +74,6 @@
- name: Create user - name: Create user
user: user:
create_home: true create_home: true
groups:
- audio
- cdrom
- input
- plugdev
- video
home: /var/lib/kodi home: /var/lib/kodi
name: kodi name: kodi
password: '!' # pragma: allowlist secret password: '!' # pragma: allowlist secret
......
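Review bot: deleting the groups: key from the "Create user" task stops Ansible from managing supplementary groups, but it does not remove memberships that an earlier run already applied, so on hosts provisioned before this commit kodi stays in audio, cdrom, input, plugdev and video and both units still run with all five. To actually revoke them, keep the key and set it empty, `groups: ''` with append left at its default of false, or add a one-off cleanup task, and check the result on an existing host with `id kodi`.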