[linux-audio-dev] Re: linux-audio-dev Digest, Vol 2, Issue 24
Kjetil Svalastog Matheussen
k.s.matheussen at notam02.no
Sun Nov 16 14:18:47 UTC 2003
"Jack O'Quin":
>
> I've been thinking about ways to use this feature to improve and
> simplify the current security situation for Linux audio. No
> conclusions, but here are some thoughts for discussion:
>
> (1) There should be a simple way for the sysadmin to reliably disallow
> realtime privileges. One way to allow (or prevent) access to
> realtime privileges for any program is via a sysctl global variable.
> Of course, loading the kernel extension is a privileged operation,
> anyway. But, I prefer some positive means of blocking it.
>
> (2) Using sysctl, set a group id (like `audio') for which realtime
> privileges are automatically granted. Then, we could just install
> realtime apps with `setgid audio'. This seems much better than
> opening things up to *any* application. And, audio applications
> would not need root privileges any more. This would be a rather big
> improvement over the current jackstart/jackd situation.
>
> (3) We could also define a default realtime group (gid 0 maybe),
> since `audio' probably does not exist on many distributions. IIUC,
> this is originally a Debian idea. I don't know how widely it has
> been adopted. I like it and think it should become a universal
> Linux convention, allowing access to the sound card as well as
> realtime privileges.
>
What about this one:
(4) Let the user that is currently physically logged in to the machine
get realtime privileges.