Re: Audio Apps Mini-Policy, v0.1
On Tue, 2003-10-28 at 12:47, Steve Kemp wrote:
> On Tue, Oct 28, 2003 at 09:43:07PM +1100, Zenaan Harkness wrote:
> > Audio applications or applets (ie. executable files) requiring realtime
> > privileges should be installed as follows:
> > - user = root
> > - group = audio
> > - permissions
> > - SUID root
> > - have a debconf question asking to allow/ deny this
> > - [debconf question "importance level"??]
> > - user = read, write, execute
> > - group = read, execute
> > - other = read only
> Why read only for other? Given that they can't execute what is
> presumably a compiled binary I'd treat them as untrusted and not allow
> them to read it at all.
Because no more security is involved (one can download the packet and
extract the compiled binary or one can even recompile the binary from
sources (it is free software)).
For the same security level, it seems better to allow someone to read
the file than to forbid it. One can copy the file on it's own computer
and set the appropriate permission (assuming he is root on its own
computer). I've already done this.