[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: fw: jackd/ audio apps mini policy

On Sun, 2003-11-02 at 05:40, Jack O'Quin wrote:
> Zenaan Harkness <zen@iptaustralia.net> writes:
> > I thought jackstart was essentially equivalent to a generic wrapper
> > - both require RTcap-patched kernel. Which would mean the only
> > difference between 2 and 3 here is the use of jackstart vs. generic
> > wrapper, where jackstart is more intelligent about jack command
> > line args. ??
> Actually, jackstart knows nothing about jackd command args.  It is a
> minimal trusted program written by Fernando Lopez-Lezcano (of Planet
> CCRMA fame) for invoking jackd with realtime capabilities as carefully
> as possible.  From the comments...

For those interested, this might be a good place to turn for that
"universal generic [suid|sudo|capabilities] wrapper". From what
I've read so far, it looks like a suid wrapper (actually daemon)
only at the moment, and would require enhancement/ patches to
support capabilities/ SETPCAP support.

For discussion of this wrt multimedia, see debian-multimedia@l.d.o
(very low-volume list, at least so far).


-----Forwarded Message-----
> From: Ian Jackson <userv-maint@chiark.greenend.org.uk>
> To: info-gnu@gnu.org, userv-announce@chiark.greenend.org.uk
> Subject: userv (security boundary tool) 1.0.3 released
> Date: Sat, 01 Nov 2003 01:40:10 +0000

GNU userv 1.0.3 is now released.

userv (pronounced `you-serve') is, in the words of the specification,
      a Unix system facility to allow one program to invoke another
      when only limited trust exists between them.

userv is a one-of-a-kind systems programming and system administration
tool, which can be used to avoid setuid programs, special daemons, or
the need for doubtful `helper' programs.

For more information, including the on-line specification and the
distribution files, visit

If you have queries, please join the userv-discuss mailing list in
preference to mailing the author.  Thank you.

userv is also usually available via the GNU FTP site and its mirrors.
However, at present technical difficulties mean that we are unable to
make the current distribution files available on ftp.gnu.org.  In the
meantime, please fetch the files from chiark, above.

This is a maintenance release.  It fixes a number of bugs, a few of
them moderately annoying, but none believed to be security-critical.
The documentation, portability and packaging are also improved.

Note that the Debian Project has distributed, amongst other things, a
file appearing to be userv 1.0.2.  There is no userv 1.0.2.  To avoid
confusion, we have skipped version 1.0.2.  Please use 1.0.3.

MD5 checksums:
b525d59097246fbe3668545fe302dbdb  userv-1.0.1-1.0.3.diff.gz
e577c93fa37b8334e8f882f28f4f8835  userv-1.0.3.tar.gz

There is also an associated non-GNU package userv-utils, which
contains a collection of miscellaneous userv services, which can serve
as examples and programs in their own right.  Note that the
documentation and probably quality of these leave a lot to be desired.
Contributions of documentation, installation instructions,
improvements, etc, for parts of userv-utils would be very welcome.
userv-utils can be found alongside userv's distribution files.

Changes to userv since 1.0.1:

  * Make require-fd work with reading fds !
    (Thanks to Ben Harris for the bug report).
  * Close unwanted pipes in client-side cat subprocesses, to avoid
    wedging at termination.  (Thanks to patchlet from Peter Benie.)
  * gid_t may be >int, so cast to long when putting in USERV_GIDS
    (Might conceivably make USERV_GIDS be wrong on some platforms.)
  * Do not pass char to ctype macros; they can't cope with -ve !
  * Fix fd modifier, signal, and exit status parsing to be rigourous in
    their use of strtoul.  (Thanks to report from Peter Benie.)

  Portability fixes:
  * #include <fcntl.h>, not <sys/fcntl.h> (fixes some implicit decls).
  * Look for gmd5sum.  (Thanks to Anton Altaparmakov for the report.)
  * install-sh updated to that from autoconf 2.53.
  * Use fcntl F_{GET,SET}FD with respect for as-yet-uninvented fd flags.
    (small patch from Ben Harris.)

  Documentation and help improvements:
  * userv(1) manpage: fixed broken definitions of fd excl and trunc.
    (Debian bug report: Closes: #79579.)
  * Specification's usage notes section improved.
  * --help and --version behaviour made to conform to GNU standards.
  * We do ship m4 and flex output now, so say so.
  * Some groff warnings in userv(1), and source version fixed.
  * New userv(8) manpage.  (Debian: Closes: #33777.)
  * Update copyright dates everywhere.

  Debian packaging improvements:
  * Priority changed to optional as per override file.
  * Build-Depends: debiandoc-sgml, tetex-bin, tetex-extra.  Closes
  * init.d reload is noop, restart now called restart.  Closes #70783.
  * /etc/init.d/userv nicer output: colons, `.' printed after done.
  * Maintainer scripts use invoke-rc.d if it's available.
  * Maintainer scripts discard stdout from update-rc.d.
  * No more messing with /usr/doc, use only /usr/share/doc.  Closes
  * Support unstripped binaries in the .deb, with DEB_BUILD_OPTIONS.
  * Fixed typo in debian/copyright.
  * /etc/init.d/userv restart doesn't mind if not already running.
  * debian/rules clean removes whole spec.html subdirectory.
  * Ship spec.ps (Closes: #210859)
  * Lintian override for suid /usr/bin/userv (Closes: #211055)
  * Standards-Version 3.6.1.
  * Corrected location of common licenses.
  * Added -isp to dpkg-gencontrol.
  (Thanks to Martin Pitt and Bas Zoetekouw's NMUs
   for many inspirations and one-liners.)

Version: 2.6.3ia
Charset: noconv


GNU Announcement mailing list <info-gnu@gnu.org>

Reply to: