At Mon, 15 Sep 2003 13:05:26 +0200,
Uwe Koloska wrote:
Takashi Iwai wrote:
> - what is the reason for starting the init without full
>   capabilities? (to use jackstart, I have to rebuild the kernel
>   with all capabilities set for init -- but this was straightforward)
it's a question of security.
in fact, the full capability is dangerous from this perspective.
some of the last security holes on the 2.4 kernel are related to this.
well, in theory, it's possible to enable all capabilities but drop them
in the early boot stage by setting via /proc/sys/cap-bound. but it
will be unlikely implemented.
it must be pretty hard to convince security guys to accept CAP_SETPCAP
capability as default.
> Is there another (secure) way of using jackd in realtime without
> making it suid root?
note that you still need some suid-root (e.g. jackstart) even with
capability.
as Paul suggested, sudo is an alternative solution.
it might be more insecure than capability, depending on the
configuration of sudo, though.
(and it can be more secure with a certain configuration.)
> What advice can I give to an unexperienced linux user?
again, this is a question of security, too.
that is, whether an "unexperienced linux user" takes care of security.
if the security doesn't matter, you can simply set suid-root on
jackd and jack-related software.
(of course, it would be better on a machine without LAN for such a
solution.)
well, i'm not a security paranoi... expert, so it's just my $0.02.
Takashi
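
The capability bounding set discussed in the message above can be inspected by decoding the masks the kernel reports. The following is an added example, not part of the original message or of jackd/jackstart. It assumes the cap-bound sysctl prints a signed 32-bit decimal (as 2.4 kernels do) and that the capabilities of interest for realtime audio are CAP_IPC_LOCK, CAP_SYS_NICE and CAP_SYS_RESOURCE; all sample values are constructed.

```python
# Added example: decode capability masks to see whether the bounding set or a
# process includes CAP_SETPCAP and the realtime-related capabilities.

# Bit numbers from <linux/capability.h>. Which ones matter for realtime
# audio is an assumption of this example, not something the message states.
CAPS = {
    "CAP_SETPCAP": 8,        # may grant/remove capabilities of other processes
    "CAP_IPC_LOCK": 14,      # lock memory (mlock)
    "CAP_SYS_NICE": 23,      # set realtime scheduling policy and priority
    "CAP_SYS_RESOURCE": 24,  # override resource limits
}

def mask_from_sysctl(text):
    """The cap-bound sysctl value is a signed 32-bit decimal, e.g. '-257'."""
    return int(text.strip()) & 0xFFFFFFFF

def masks_from_status(status_text):
    """Extract the hex Cap* masks from the text of /proc/<pid>/status."""
    masks = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd"):
            masks[key] = int(value.strip(), 16)
    return masks

def held(mask):
    """Names of the watched capabilities whose bit is set in mask."""
    return sorted(name for name, bit in CAPS.items() if mask & (1 << bit))

def audit(status_text):
    """Report a process's effective watched capabilities and whether it can
    hand capabilities to other processes (CAP_SETPCAP)."""
    eff = masks_from_status(status_text).get("CapEff", 0)
    return {"effective": held(eff),
            "can_grant": bool(eff & (1 << CAPS["CAP_SETPCAP"]))}

# Constructed samples (not captured from a real system).
BOUND_STOCK = "-257"  # 0xFFFFFEFF: everything except CAP_SETPCAP
BOUND_FULL = "-1"     # 0xFFFFFFFF: kernel rebuilt with all capabilities
STATUS_INIT = "Name:\tinit\nCapInh:\t0000000000000000\nCapPrm:\t00000000fffffeff\nCapEff:\t00000000fffffeff\n"
STATUS_RT = "Name:\taudio\nCapInh:\t0000000000000000\nCapPrm:\t0000000001804000\nCapEff:\t0000000001804000\n"

if __name__ == "__main__":
    print("stock bound :", held(mask_from_sysctl(BOUND_STOCK)))
    print("full bound  :", held(mask_from_sysctl(BOUND_FULL)))
    print("init        :", audit(STATUS_INIT))
    print("rt process  :", audit(STATUS_RT))
```
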