
Re: ITP: realtime -- Realtime Linux Security Module (fwd)



On 25 Mar 2004, Jack O'Quin wrote:
> Daniel Kobras <kobras@debian.org> writes:
>
> > On Thu, Mar 25, 2004 at 06:07:02PM +0100, guenter geiger wrote:
> > > When the module has been installed successfully you should be able
> > > to run jack without jackstart and suid root, just as
> > > jack -R -d alsa
> > >
> > > At the same time, most of the other applications that require realtime
> > > scheduling and memory locking should work. (For users in the audio group).
> >
> > Sweet. So what's your plan on handling default permissions? Should we require
> > that all users of audio applications be in group audio, or should we
> > rather start shipping timing-sensitive apps SetGID audio? And with
> > Recommends: realtime, obviously.
>
> I recommend putting the user in group `audio', then running the LSM
> with `gid=29'.  They're probably in that group anyway to access the
> sound device.

This is the default setup the module comes with (you can change it in the
/etc/defaults/realtime.conf file).

In general it's a pity that gtk has this limitation, because the features
of the realtime module are useful for nonaudio users too (like cd burning
and probably lots of others that don't come to my mind yet).

Maybe we should create a specific realtime group, where we can add other
applications, and audio users have to be part of this group too.

Guenter

>
> Setgid is theoretically better, but GTK has a misguided policy of
> refusing to run if the application is setuid or setgid, causing quite
> a few applications to fail.  QT and non-GUI applications (like JACK)
> work fine with setgid, but the user still ends up needing to be a
> member of group `audio'.  That works for everything I've tried.  And,
> no one on linux-audio-dev has reported any problems with it.  There
> seem to be quite a few using it these days.
> --
>   joq


