Re: fw: jackd/ audio apps mini policy
On Sun, 2003-11-02 at 05:40, Jack O'Quin wrote:
> Zenaan Harkness <zen@iptaustralia.net> writes:
> > I thought jackstart was essentially equivalent to a generic wrapper
> > - both require RTcap-patched kernel. Which would mean the only
> > difference between 2 and 3 here is the use of jackstart vs. generic
> > wrapper, where jackstart is more intelligent about jack command
> > line args. ??
>
> Actually, jackstart knows nothing about jackd command args. It is a
> minimal trusted program written by Fernando Lopez-Lezcano (of Planet
> CCRMA fame) for invoking jackd with realtime capabilities as carefully
> as possible. From the comments...
...
For those interested, this might be a good place to turn for that
"universal generic [suid|sudo|capabilities] wrapper". From what
I've read so far, it looks like a suid wrapper (actually daemon)
only at the moment, and would require enhancement/ patches to
support capabilities/ SETPCAP support.
For discussion of this wrt multimedia, see debian-multimedia@l.d.o
(very low-volume list, at least so far).
cheers
zen
-----Forwarded Message-----
> From: Ian Jackson <userv-maint@chiark.greenend.org.uk>
> To: info-gnu@gnu.org, userv-announce@chiark.greenend.org.uk
> Subject: userv (security boundary tool) 1.0.3 released
> Date: Sat, 01 Nov 2003 01:40:10 +0000
-----BEGIN PGP SIGNED MESSAGE-----
GNU userv 1.0.3 is now released.
userv (pronounced `you-serve') is, in the words of the specification,
a Unix system facility to allow one program to invoke another
when only limited trust exists between them.
userv is a one-of-a-kind systems programming and system administration
tool, which can be used to avoid setuid programs, special daemons, or
the need for doubtful `helper' programs.
For more information, including the on-line specification and the
distribution files, visit
http://www.chiark.greenend.org.uk/~ian/userv/
If you have queries, please join the userv-discuss mailing list in
preference to mailing the author. Thank you.
userv is also usually available via the GNU FTP site and its mirrors.
However, at present technical difficulties mean that we are unable to
make the current distribution files available on ftp.gnu.org. In the
meantime, please fetch the files from chiark, above.
This is a maintenance release. It fixes a number of bugs, a few of
them moderately annoying, but none believed to be security-critical.
The documentation, portability and packaging are also improved.
Note that the Debian Project has distributed, amongst other things, a
file appearing to be userv 1.0.2. There is no userv 1.0.2. To avoid
confusion, we have skipped version 1.0.2. Please use 1.0.3.
MD5 checksums:
b525d59097246fbe3668545fe302dbdb userv-1.0.1-1.0.3.diff.gz
e577c93fa37b8334e8f882f28f4f8835 userv-1.0.3.tar.gz
There is also an associated non-GNU package userv-utils, which
contains a collection of miscellaneous userv services, which can serve
as examples and programs in their own right. Note that the
documentation and probably quality of these leave a lot to be desired.
Contributions of documentation, installation instructions,
improvements, etc, for parts of userv-utils would be very welcome.
userv-utils can be found alongside userv's distribution files.
Changes to userv since 1.0.1:
Bugfixes:
* Make require-fd work with reading fds !
(Thanks to Ben Harris for the bug report).
* Close unwanted pipes in client-side cat subprocesses, to avoid
wedging at termination. (Thanks to patchlet from Peter Benie.)
* gid_t may be >int, so cast to long when putting in USERV_GIDS
(Might conceivably make USERV_GIDS be wrong on some platforms.)
* Do not pass char to ctype macros; they can't cope with -ve !
* Fix fd modifier, signal, and exit status parsing to be rigourous in
their use of strtoul. (Thanks to report from Peter Benie.)
Portability fixes:
* #include <fcntl.h>, not <sys/fcntl.h> (fixes some implicit decls).
* Look for gmd5sum. (Thanks to Anton Altaparmakov for the report.)
* install-sh updated to that from autoconf 2.53.
* Use fcntl F_{GET,SET}FD with respect for as-yet-uninvented fd flags.
(small patch from Ben Harris.)
Documentation and help improvements:
* userv(1) manpage: fixed broken definitions of fd excl and trunc.
(Debian bug report: Closes: #79579.)
* Specification's usage notes section improved.
* --help and --version behaviour made to conform to GNU standards.
* We do ship m4 and flex output now, so say so.
* Some groff warnings in userv(1), and source version fixed.
* New userv(8) manpage. (Debian: Closes: #33777.)
* Update copyright dates everywhere.
Debian packaging improvements:
* Priority changed to optional as per override file.
* Build-Depends: debiandoc-sgml, tetex-bin, tetex-extra. Closes
#190615.
* init.d reload is noop, restart now called restart. Closes #70783.
* /etc/init.d/userv nicer output: colons, `.' printed after done.
* Maintainer scripts use invoke-rc.d if it's available.
* Maintainer scripts discard stdout from update-rc.d.
* No more messing with /usr/doc, use only /usr/share/doc. Closes
#91578.
* Support unstripped binaries in the .deb, with DEB_BUILD_OPTIONS.
* Fixed typo in debian/copyright.
* /etc/init.d/userv restart doesn't mind if not already running.
* debian/rules clean removes whole spec.html subdirectory.
* Ship spec.ps (Closes: #210859)
* Lintian override for suid /usr/bin/userv (Closes: #211055)
* Standards-Version 3.6.1.
* Corrected location of common licenses.
* Added -isp to dpkg-gencontrol.
(Thanks to Martin Pitt and Bas Zoetekouw's NMUs
for many inspirations and one-liners.)
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBP6MO9MMWjroj9a3bAQFtzQP/c49a2hrDIOn11x61EeQvS2k/2B+gAyqe
ky015YohAPIvLCwzsQpzkj2Q5vYNCSxdk/eEmDOefSu/QrprofCZ1Htc4I3PfDOy
Cc9QwTajghJKQXPSlNSN5lRz4doCnD4sisGAJ+czXS+DlGUJj9TbKuFGDd+hQ5BZ
/JdUf+4CamM=
=NS6O
-----END PGP SIGNATURE-----
_______________________________________________
GNU Announcement mailing list <info-gnu@gnu.org>
http://mail.gnu.org/mailman/listinfo/info-gnu
Reply to: