
Audio Apps Mini-Policy, v0.1



This is a follow-up to the jackd/ dpkg-statoverride thread, and a
request for comment on the below. Once informally vetted here, I will
post to debian-multimedia.

Input appreciated
Zen

---
Title: Audio Apps Mini Policy
Authors: Zenaan Harkness
Version: 0.1
Date: 2003-10-28

Applicability: Audio apps requiring realtime scheduling (or other root)
privileges to operate effectively.

Policy:
Audio applications or applets (i.e. executable files) requiring realtime
privileges should be installed as follows:
 - user = root
 - group = audio
 - permissions
   - SUID root
     - have a debconf question asking to allow/ deny this
     - [debconf question "importance level"??]
   - user = read, write, execute
   - group = read, execute
   - other = read only
   = 4754 (numeric, octal)
   = -rwsr-xr-- (symbolic as per "ls -l")

For an example of a similar such installation, see the cdrecord binary
in the cdrecord package.

The debconf question should be along the lines of the following
(shamelessly ripped from the cdrecord package):
"
You have the option of installing [PACKAGENAME] binaries with the SUID
bit set.

If you make [PACKAGENAME] SUID, you can allow users in the "audio" group
to run this software without needing any additional privileges. This
could, however, potentially allow [PACKAGENAME] to be used during a
security attack on your computer. If in doubt, I suggest you install it
without SUID. If you later change your mind, you can run:
dpkg-reconfigure [PACKAGENAME].

Do you want the [PACKAGENAME] binaries to be installed SUID root?
"

To be really sexy, such audio packages should ask if there are specific
users that should be added to the audio group upon installation. ??

Finally, installation of such applications should (should they really?)
check for the local machine's administrator's perms/ ownership overrides
(specified by dpkg-statoverride) similar to the following:

# allow dpkg-statoverride by local admin to override our permissions
if ! dpkg-statoverride --list /usr/bin/jackstart > /dev/null ; then
   db_get ....   # the SUID debconf question shown above
   if [ "$RET" = "true" ]; then
      # root:audio, -rwsr-xr--
      chown root:audio /usr/bin/jackstart
      chmod 4754 /usr/bin/jackstart
   else
      # root:audio, -rwxr-xr-x (no SUID bit)
      chown root:audio /usr/bin/jackstart
      chmod 0755 /usr/bin/jackstart
   fi
fi
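As an added example (not from the original post and not the jackd package's own maintainer script): a postinst-style helper that applies the mini-policy mode to one binary, but leaves it alone when the local admin has registered a dpkg-statoverride for it. Owner and group are parameters so the function can be exercised on a scratch file without root; the function names are my own.

```shell
#!/bin/sh
# Added example: postinst-style permission helper for the audio mini-policy.
# has_statoverride PATH -> 0 when the local admin registered an override.
# If dpkg-statoverride is not installed we assume no override exists.
has_statoverride() {
    command -v dpkg-statoverride >/dev/null 2>&1 || return 1
    dpkg-statoverride --list "$1" >/dev/null 2>&1
}

# apply_audio_policy PATH SUID_ANSWER OWNER GROUP
#   SUID_ANSWER is the debconf answer ("true" or "false").
#   The policy is root:audio; owner/group are parameters only so the
#   function can be tested on a scratch file by an unprivileged user.
apply_audio_policy() {
    path=$1; answer=$2; owner=$3; group=$4
    if has_statoverride "$path"; then
        echo "dpkg-statoverride present for $path, leaving it alone"
        return 0
    fi
    chown "$owner:$group" "$path"
    if [ "$answer" = "true" ]; then
        chmod 4754 "$path"      # -rwsr-xr--  (SUID, group audio may run it)
    else
        chmod 0755 "$path"      # -rwxr-xr-x  (no SUID bit)
    fi
}

# mode_of PATH -> octal mode as printed by GNU stat, e.g. 4754
mode_of() {
    stat -c '%a' "$1"
}
```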

---

Anyone, how does Andreas' comment "We _do_ have an audio-group and users
who need to have access to /dev/{mixer,snd,dsp,..} should be put in
there, instead of making the app SGID." apply here - i.e. am I confused
about the use of SUID?

Another comment I received, this time about capabilities, was the
following (there is the JACK (jackd) audio daemon, and a "jackstart"
program to run it): "With jackstart, you can run jackd and its clients
as a non-root user - only jackstart has to be setuid root, jackd need not.
This has the advantage that files recorded with a jack client like
ardour aren't owned by root, for example."
I could not find information on capabilities in the kernel-2.4.22 docs,
can someone tell me if this should be mentioned somehow as part of this
audio apps mini-policy?

TIA
zenaan
