Subject: [linux-audio-dev] Re: linux-audio-dev Digest, Vol 2, Issue 24
From: Kjetil Svalastog Matheussen (k.s.matheussen_AT_notam02.no)
Date: Sun Nov 16 2003 - 16:18:47 EET
"Jack O'Quin":
>
> I've been thinking about ways to use this feature to improve and
> simplify the current security situation for Linux audio. No
> conclusions, but here are some thoughts for discussion:
>
> (1) There should a simple way for the sysadmin to reliably disallow
> realtime privileges. One way to allow (or prevent) access to
> realtime privileges for any program is via a sysctl global variable.
> Of course, loading the kernel extension is a privileged operation,
> anyway. But, I prefer some positive means of blocking it.
>
> (2) Using sysctl, set a group id (like `audio') for which realtime
> privileges are automatically granted. Then, we could just install
> realtime apps with `setgid audio'. This seems much better than
> opening things up to *any* application. And, audio applications
> would not need root privileges any more. This would be a rather big
> improvement over the current jackstart/jackd situation.
>
> (3) We could also define a default realtime group (gid 0 maybe),
> since `audio' probably does not exist on many distributions. IIUC,
> this is originally a Debian idea. I don't know how widely it has
> been adopted. I like it and think it should become a universal
> Linux convention, allowing access to the sound card as well as
> realtime privileges.
>
What about this one:
(4) Let the user that is currently physical logged in to the machine
get realtime privileges.
--
This archive was generated by hypermail 2b28 : Sun Nov 16 2003 - 16:16:42 EET