Re: permissions on /dev/dsp /dev/audio



Chip Grandits <chipg@frii.com> writes:
| Mark Elissen wrote:
| 
| > -----BEGIN PGP SIGNED MESSAGE-----
| >
| > I've just installed Debian 2.0 after using Slackware for some 3 years.
| > I'm very pleased with the "debian" way, but I have 1 minor problem:
| > Whenever I am using a program that outputs to /dev/audio or /dev/dsp as a
| > non-root user then the sound program stops with the error message
| > "permission denied". How can I grant rights to these devices for non-root
| > users?
| >
| > Mark.
| >
| 
| I just went through this with Java.
| It took me two weeks to figure it out; hopefully you've already
| figured it out.
| When I type
| ls -l /dev/audio
| 
| > crw-rw-rw-   1 root     audio     14,   4 May 27  1997 /dev/audio
| >
|   The owner is root, the group is audio
| If this is not true, as root type
| chgrp audio /dev/audio
| (but I don't think any debian installation would ever get that wrong)
| 
| I've taken the quick and dirty way out with a security hole, because
| anyone can read or write to my audio device, my computer could
| literally be 'bugged' (as in audio listening device)
| but I'm sure any such saboteur has long since died of boredom.
| However anything can now use the sound devices.
| 
| The proper way is to use the setuid or setgid bits of the various
| audio players; let's say you have an audio player utility /usr/bin/audioplay
| you would want to have it 'join' the audio group
| become the root and type
| chgrp audio /usr/bin/audioplay
| but you then need to set the group id bit, and audioplay will always
| run as a member of group audio
| even if the user invoking audioplay is not.  Again as root
| chmod g+s /usr/bin/audioplay
| and now audioplay has access to the audio devices regardless of
| who's logged on.
| I don't think this works on scripts (setuid doesn't) so if audioplay
| was a script this doesn't work
| (find out the 'real' binary the script is invoking and use setgid on that)
| 
| Alternately YOU could join the audio group, that way you could use
| audio devices but other mortal users
| could not (unless the root similarly grants them the ability) I
| don't know of a command line utility to add
| users to groups, simply modify /etc/group (again as root); under
| default debian 1.3.1 there is a line
| audio:x:29:
| simply add your user name to make
| audio:x:yourname
^^^^^^^^^^^^^^^^^^
Not quite, you deleted the group number in the line above. Do that and 
you'll be hurtin'. The line should look like:

audio:x:29:yourname

The Debian Way (TM) is indeed to add yourself, and anyone else who you
want to have access to the audio devices, to the audio group. The
easiest way to do this is with the adduser command. For example, to
add joebloe to the audio group simply, as root, do:

adduser joebloe audio

I think this was true under 1.3 as well, but you'd have to check. This
is much better than going around setting the GID bit on dozens of
programs that access the device, and almost as simple as changing the
permission on the device to 666, without losing the security.

The other problem with changing permissions on devices is knowing what
a device does. There are a number of audio devices that are relevant
and it's much easier to add yourself to the audio group and let the
Debian maintainers worry about which devices are relevant to the audio
group. AND what happens when you upgrade? It's possible the
permissions will be reverted back when you upgrade and you'll end up
having to change the permissions all over again.

In short, stick with the method of adding yourself to the group which
has access to a particular device. It's safe, in terms of security and 
future upgrades, and easy, plus, it is the Debian Way (TM).

Gary
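
An added example, not part of the thread: a small shell audit for the two things the messages above turn on, namely whether an audio device is open to "other" (the 666 shortcut) and whether the audio line in /etc/group still has all four fields after a hand edit. The function names are hypothetical, and it assumes `ls -ld` prints the mode string as its first field.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Classify an ls -l mode string such as "crw-rw-rw-" by its "other" r/w bits.
mode_exposure() {
    case $(printf '%s\n' "$1" | cut -c8-9) in
        --) echo restricted ;;
        *)  echo world-accessible ;;
    esac
}

# Same classification for a path on disk (assumes ls -ld prints the mode first).
device_exposure() {
    mode_exposure "$(ls -ld "$1" | awk '{ print $1 }')"
}

# Succeed only if a group(5) line has the four fields name:passwd:gid:members
# with a numeric GID; a line with the GID deleted fails here.
valid_group_line() {
    printf '%s\n' "$1" |
        awk -F: '{ exit !(NF == 4 && $1 != "" && $3 ~ /^[0-9]+$/) }'
}

# Succeed if user $2 appears in the comma-separated member list of line $1.
group_line_has_member() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        exit !found
    }'
}

# Report on the devices named in the thread and on the audio group entry.
audit_audio() {
    for dev in /dev/audio /dev/dsp; do
        if [ -e "$dev" ]; then echo "$dev: $(device_exposure "$dev")"; fi
    done
    line=$(grep '^audio:' /etc/group 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "no audio group in /etc/group"
    elif valid_group_line "$line"; then
        echo "audio group entry is well formed: $line"
    else
        echo "audio group entry is malformed: $line"
    fi
}

audit_audio
```
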

