18 Nov
2003
18 Nov
'03
midnight
martin rumori <ptiger(a)gmx.de> writes:
i think it would be safer to use 0, which means root (and is kinda
senseless) as default. granting realtime privileges to everybody is
exactly what we don't want... and it's likely to do that by accident
when having this as a default.
or did i miss the meaning of "nogroup"? i ever thought that this is
the group for users which are granted really NOTHING...
Nando's original suggestion was to use 0 for allowing access to
everybody. I felt that group `root' (gid 0) was a useful value, so I
suggested some different code point possibilities for "everybody". I
actually prefer -1, since that is not a valid group number.
But, I also mentioned `nogroup' (65534) as a possibility (`nobody' on
some systems). Some daemons actually run with this group to avoid
gaining access to real groups. So, I don't think it a very good idea.
I agree that 0 should be the default. It exists on every system and
is rather restrictive, so people won't accidentally grant more access
than they intended.
To summarize, my proposal is:
sysctl -w kernel/realtime=0 # disable realtime privileges
sysctl -w kernel/realtime=1 # enable realtime privileges
# for `root' group
sysctl -w kernel/realtime=1 # enable realtime privileges
sysctl -w kernel/realtimegroup=-1 # for every process
sysctl -w kernel/realtime=1 # enable realtime privileges
sysctl -w kernel/realtimegroup=29 # for `audio' group
Only root can write these variables. If possible, let's agree on a
standard gid to use for group `realtime', there isn't one now.
--
joq
Also, 0 is a valid group ID, `root', which might
be a reasonable
choice if groups like `audio' and `realtime' are undefined. How about
using -1, instead? Or, maybe `nogroup' (65534 on my system).
Yes, probably "nogroup" is the best option. I think it is "nobody" in
my
system - so we cannot rely on the same name either... yuck...