Re: sound executables permissions
On Mon, 27 Jan 1997 21:18:22 +0200 Riku Voipio (neurochp@nowhere.net)
wrote:
> I've been wondering a little about how to set audio permissions up.
> On my own machine, I've been using sound applications by simply
> chmod:ing /dev/audio and friend world usable.
>
> Is there any policy on how we should set up sound apps?
There is no special policy so far.
> Anyway, there exists a group called "audio", which owns the audio
> devices. I'm little confused by the permissions of *nix:ses, so I'm
> not sure on how to do things. All other audio apps are standard
> executables, but I'm not quite satisfied with that:
>
> Is there anything that would be lost, if we'd make sound executables
> owned by audio, and just ask mainters to put audio app users in group
> audio? Or going even far and making sound apps audio sgid? Afterall,
> is there anything bad a cracker could do in a audio sgid shell?
Probably nothing.
There's a group audio because some people consider annoying that an other person can play a sound file remotely when they're in front of their screen (don't tell me you've never done this !).
Depending on your local policy, you can:
- make the audio device world-writable/readable, enabling anyone to play sound.
- add the persons which are supposed to log on the console to the group audio.
But what would IMHO be a better thing would be to add a person to the audio group when it logs on the console or with xdm. There should be a /etc/logingroups file or whatever, which should say what supplementary groups one should get when logged on a device.
I know that Sun an HP use a /etc/logindevperm which chowns some devices depending on which terminal was used for login, but I don't like this because in Linux, several persons can be logged on the console at the same time.
But this is more ``secure'' than my proposed approach (because once you get the supplemental group, you can create a setgid shell to keep this group).
What do you think about implementing this in Debian ?
Phil.
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
Reply to: