Re: ITP: realtime -- Realtime Linux Security Module (fwd)
Daniel Kobras <kobras@debian.org> writes:
> On Thu, Mar 25, 2004 at 06:07:02PM +0100, guenter geiger wrote:
> > When the module has been installed successfully you should be able
> > to run jack without jackstart and suid root, just as
> > jack -R -d alsa
> >
> > At the same time, most of the other applications that require realtime
> > scheduling and memory locking should work. (For users in the audio group).
>
> Sweet. So what's your plan on handling default permissions? Should we require
> that all users of audio applications be in group audio, or should we
> rather start shipping timing-sensitive apps SetGID audio? And with
> Recommends: realtime, obviously.

I recommend putting the user in group `audio', then running the LSM
with `gid=29'. They're probably in that group anyway to access the
sound device.

Setgid is theoretically better, but GTK has a misguided policy of
refusing to run if the application is setuid or setgid, causing quite
a few applications to fail. QT and non-GUI applications (like JACK)
work fine with setgid, but the user still ends up needing to be a
member of group `audio'. That works for everything I've tried. And,
no one on linux-audio-dev has reported any problems with it. There
seem to be quite a few using it these days.
--
joq