Hi,

On 18 Jan 2026 at 11:42:34, Samuel Thibault wrote:
> Hello,
>
> Carles Pina i Estany, on Sun 18 Jan 2026 07:54:47 +0100, wrote:
> > carles@pinux:~$ telnet localhost 1314
> > Trying ::1...
> > Connection failed: S’ha refusat la connexió
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > (system "whoami > /tmp/festival-whoami2.txt")
> > LP
> > nil
> > ft_StUfF_keyOK
>
> Ah, festival people didn't restrict what you can do with it?

Nope. On the other hand, they restrict (but I haven't checked anything
else) connecting from outside localhost/127.0.0.1. So, just a plain
"festival --server" and connecting from another device in the local
network:

carles@pinux:[systemd-socket-activation]~/git/debian/festival/debian$ festival --server
server Fri Jan 23 06:56:52 2026 : Festival server started on port 1314
client(1) Fri Jan 23 06:57:02 2026 : rejected from 192.168.1.101 not in access list

It reaches festival but it rejects connections.

> I guess they assumed it wouldn't be run as a system service, but still,
> exposing as a tcp port means any user on the system can access this.
>
> The systemd unit recently introduced at least shrinks down the
> permissions to the dynamic user permissions, so it actually reduces
> the concern to "somebody that has localhost tcp access has access as
> anonymous user", which is way better than "somebody that has localhost
> tcp access has access as whatever user who happened to start festival."

Well, this is thanks to the "festival --server" rejecting connections
from outside localhost.

If I enable the socket activation and *after* "festival --server" runs:
festival is reachable from outside localhost. But it drops the
connections. I see the clients reaching it via:

carles@pinux:~$ sudo journalctl -u festival -f

I'll check how to make festival bind only to localhost (I think that
some options could be passed to "festival --server" but I don't know if
this is possible...)

-- 
Carles Pina i Estany
https://carles.pina.cat | [email protected] | [email protected]
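One way to keep a socket-activated listener on loopback, as an added example that is not part of the original message or of the Debian package: a systemd drop-in for a socket unit assumed to be named festival.socket. The unit name and drop-in path are assumptions; port 1314 is the one shown in the message.

```ini
# /etc/systemd/system/festival.socket.d/loopback.conf
# Assumed path: the socket unit name "festival.socket" is hypothetical.
[Socket]
# An empty assignment clears the ListenStream= list inherited from the
# packaged unit. Without it, the addresses below would be added to the
# existing listener instead of replacing it.
ListenStream=
# Bind to loopback only, so hosts on the local network never reach the
# festival process and its own access list is a second check rather
# than the only one.
ListenStream=127.0.0.1:1314
ListenStream=[::1]:1314
```

After `systemctl daemon-reload` and a restart of the socket unit, `ss -ltn` should show port 1314 bound only to 127.0.0.1 and [::1].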

