Re: [linux-audio-dev] Please test the RT rlimits patch for audio

From: Jonathan Woithe <jwoithe@email-addr-hidden>
Date: Mon Jun 06 2005 - 10:15:06 EEST

Jack, thanks for your comments and feedback.

> > Sorry, no homepage yet. Read the enclosed README and manpage for full
> > details. In short, a simple text file /etc/set_rtlimits.conf is used to
> > configure which users (or groups) can run which programs with elevated
> > realtime/nice priorities. The maximum priorities requestable is limited on
> > a user+program basis, so a single user or group can have different
> > maximum priorities for different programs if this is desired.
>
> Your group support is not very useful, yet, because it only checks the
> current group.

True, but group support wasn't really my prime objective at this point in
time (see below).

> It would help a lot to also check supplementary group membership

Yes. There was also the question of time - I didn't have much. Allowing
the name spec to be a group name was basically a quick hack added at the
last minute as an afterthought. As time permits I'll look into adding
support for supplementary groups but I make no promises.

At the end of the day I figured that in most cases, this kind of audio
software (and set_rtlimits itself) would be used mainly on systems with a
small number of users, so there was no hugely pressing need to support
groups. Having said that, it's not a bad idea if I can find the time
to add it.

Another thing I'm thinking of adding is the ability to list a number of
different binaries in one entry (and maybe even allowing alias definitions
in a similar way to sudo). This would help cut down the size of the config
file and perhaps make it easier to manage.

> (There may be a problem with this: I am not certain that supplementary
> groups are inherited correctly by setuid programs.)

It should be fairly easy to test.

> Also, the group namespace is separate from the user namespace

Yes, I know. Again, allowing groupnames to be resolved was a last-minute
add-on and the lack of differentiation between a group and user name is
evidence of this. I knew about this little problem but didn't have time
to do anything about it at the time.

> I believe PAM uses the `@group' notation to distinguish the two (not
> that PAM is a very good example of anything).

:-)
@group is as good an idea as anything else I can think of at the moment.

Regards
  jonathan
Received on Mon Jun 6 12:15:07 2005

This archive was generated by hypermail 2.1.8 : Mon Jun 06 2005 - 12:15:08 EEST