Subject: Re: [linux-audio-dev] mjsucap - capability handling
From: Tommi Ilmonen (tilmonen_AT_cc.hut.fi)
Date: Fri May 04 2001 - 08:57:56 EEST
On Thu, 3 May 2001, Paul Davis wrote:
> >This is a half-announcement. I hope someone finds this useful.
> >
> >Every sometime people come up ith the point that real-time apps should
> >not need root-proviliges and something should be done about it.
> >
>
> what do you think of modifying this so that it works a bit more sudo?
You mean like list of allowed users in /etc/mjsucaprc or something like
that?
I thought about it, but: It would be better to just use sudo directly and
keep mjsucap as simple as possible. So: wrap mjsucap behind sudo. I know
this makes things even more indirect, but writing setuid-root apps is a
*total* pain in the ass -- they have to be debugged 50 times more
thoroughly than normal apps. And sudo as already been debugged more than
little.
PS. Running mjsucap behind sudo might require changes to mjsucap. I fear
the way mjsucap gets its hands on the user id will break if more
indirection is included, but I believe this is easier to fix than to make
a configuration file system. There are some other ways to do this as well,
but at least we know one way to get this done reliably.
Tommi.
This archive was generated by hypermail 2b28 : Fri May 04 2001 - 09:35:27 EEST