Hasse Hagen Johansen <hhj(a)musikcheck.dk> writes:
>>>> "Arnold" == Arnold Krille <arnold(a)arnoldarts.de> writes:
Arnold> Apart from other "official" solutions I did set the suid
Arnold> flag on all the binaries I need and changed the group to
Arnold> audio (and let others not execute the bins)...
Arnold> That way I can have excellent latency times while still
Arnold> being my normal user.
I actually thought of that earlier. It is possibly one of the easiest
solutions.
Maybe the easiest, but probably also the least secure.
From a security perspective it is better to login as root than to use
setuid. Then at least, the person running untrusted code with
super-powers has to know the root password. His judgement may be in
question, but his authority is not. :-)
I just started the thread to hear about how people did get realtime
CAp as a normal user.....I think it actually makes sense to make an
audio group...could also set the permissions on the audio devices etc.
The `audio' group is a good idea, and has standard support in both
Gentoo and Debian. I'm not sure about other distributions, but it is
easy to add this group yourself if it's not already defined.
Sadly, Linux development remains quite disorganized when it comes to
realtime privileges. I wish there were a simple answer to your
question.
My feeling is that the best available approach is granting realtime
privileges based on membership in this group. With 2.4 kernels that
requires a kernel patch. Several have been posted in the past, but
AFAIK none are actively maintained.
For 2.6 kernels, there is a dynamically-installable Linux Security
Module[1] originally written by Torben Hohn, later modified and
packaged by me. Although still experimental, I support it and intend
to make it an official project. It does not require any kernel
patches, but you do need kernel sources to build it. This LSM grants
realtime privileges based on several user-controlled options[2].
[1] http://www.joq.us/realtime
[2] http://www.joq.us/realtime/README
The option I recommend and use is `gid=29', which grants realtime
privileges to any process belonging to the Debian `audio' group.
Adding a user ID to this group grants access to both the audio device
and to the necessary realtime privileges.
--
joq
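
An added example, not part of the original message: on a system moving from the setuid workaround discussed in this thread to group-based realtime privileges, this shell sketch lists the setuid files belonging to a given group under a directory and clears the bit on them. The function names and the default group name `audio` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit and revert setuid binaries
# that were handed to a group such as `audio`.

# audit_suid_group DIR [GROUP]
# Print every regular file under DIR that has the setuid bit set and
# belongs to GROUP (name or numeric gid; defaults to "audio").
audit_suid_group() {
    dir=$1
    grp=${2:-audio}
    # -perm -4000 matches files whose mode includes the setuid bit.
    # Errors (unreadable directories, unknown group) are discarded, so an
    # unknown group simply yields an empty list.
    find "$dir" -type f -perm -4000 -group "$grp" 2>/dev/null | sort
}

# revert_suid_group DIR [GROUP]
# Clear the setuid bit on every file the audit reports, leaving owner,
# group and the remaining permission bits untouched.
# Assumes file names without embedded newlines.
revert_suid_group() {
    audit_suid_group "$1" "${2:-audio}" | while IFS= read -r f; do
        chmod u-s "$f" && printf 'cleared setuid: %s\n' "$f"
    done
}

# When called with arguments, run the audit only (read-only operation).
if [ "$#" -gt 0 ]; then
    audit_suid_group "$@"
fi
```

Run the audit first and review the list before calling `revert_suid_group`, since other packages may ship setuid files in the same group for their own reasons.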