Re: [linux-audio-user] running jack as non-root?


Subject: Re: [linux-audio-user] running jack as non-root?
From: Hasse Hagen Johansen (hhj_AT_musikcheck.dk)
Date: Sat Feb 28 2004 - 18:47:42 EET


>>>>> "Jack" == Jack O'Quin <joq_AT_io.com> writes:

>> Hmm. There is some discussion if the LSM is actually very
>> secure. That's why RSBAC is not using/is implemented as an LSM,
>> but of course there are always discussions...

    Jack> All the complaints I've seen about LSM were rather vague,
    Jack> and mostly seem motivated by discontent that someone else's
    Jack> security hooks got introduced into the mainline kernel. The
    Jack> current hooks are quite adequate for my simple needs.

    Jack> Do you know of any specific security problems that I should
    Jack> watch out for? None have been mentioned on the
    Jack> linux-security-module mailing list.

I don't know about any security bugs for LSM. I haven't even tried
it. (As I mentioned I cannot upgrade to 2.6 kernel at the moment)

But I don't think the arguments are vague... http://rsbac.org/lsm.htm

>> I was actually thinking about if I could use EA/ACL and/or rsbac
>> or grsecurity, for granting specific users running specific
>> executables the Realtime capability

    Jack> That would be nice. How would you propose to go about it?

    Jack> To have any traction as a general solution for Linux Audio,
    Jack> a solution needs to be based on generally-available code.
    Jack> There is no point in telling users or distributions: "apply
    Jack> this 30,000-line patch to your kernel, then tag the
    Jack> following 127 files with Access Control Lists." It won't
    Jack> happen. -- joq

I agree that it should be easy, or else it will not be used, but
you have to use some kind of ACLs to grant specific Capabilities to
specific executables depending on which user runs the executable.

Sorry about starting this discussion. I was only interested how people
used jack being nonroot. I just thought that someone maybe used
rsbac, grsecurity, or selinux to do this.

/Hasse



This archive was generated by hypermail 2b28 : Sat Feb 28 2004 - 18:45:46 EET