segher at wanadoo.nl
Sun Dec 31 14:16:16 PST 2000
> > DON'T MAKE OGG123 SUID!
> > Instead create an "audio" group with write permissions on
> > /dev/dsp and add all users who should be able to play audio to
> > this group (and don't forget to logout/login after that).
> This addresses the issue of the audio devices, but is there a similar
> non-root strategy for access to the realtime scheduler (Linux)?
You can use capabilities, and have the capabilities stored on the
filesystem (just like the setuid bit is). That last one is still
experimental, I think; but then, don't make ogg123 setuid, but
make a wrapper for it, make it setuid, have it drop all capabilities
it doesn't need, and spawn ogg123 proper.
If you want to find good techniques to do things like this securely,
please look at programs like proftpd.
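The wrapper approach described in the reply above, as an added example that is not part of the original message or of the ogg123 sources: a setuid-root C wrapper that keeps only the capabilities it needs, switches itself to SCHED_FIFO, gives up root, and then executes ogg123. The install path `/usr/bin/ogg123`, the priority value and the helper names `build_caps` and `keep_only` are assumptions.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define PLAYER "/usr/bin/ogg123"   /* assumed install path */

/* Fill a v3 capability set in which only the listed capabilities are
 * permitted and effective; nothing is inheritable. */
void build_caps(struct __user_cap_data_struct d[2], const int *keep, int n)
{
    memset(d, 0, 2 * sizeof d[0]);
    for (int i = 0; i < n; i++) {
        d[CAP_TO_INDEX(keep[i])].permitted |= CAP_TO_MASK(keep[i]);
        d[CAP_TO_INDEX(keep[i])].effective |= CAP_TO_MASK(keep[i]);
    }
}

/* Replace the calling process's capability sets; returns 0 on success. */
int keep_only(const int *keep, int n)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    build_caps(d, keep, n);
    return (int)syscall(SYS_capset, &h, d);
}

int main(int argc, char **argv)
{
    /* Needed: CAP_SYS_NICE for the scheduler, CAP_SETUID/CAP_SETGID so
     * the uid drop below also replaces the saved ids. */
    const int keep[] = { CAP_SYS_NICE, CAP_SETUID, CAP_SETGID };
    struct sched_param sp = { .sched_priority = 1 };  /* assumed priority */
    (void)argc;
    if (keep_only(keep, 3) != 0) { perror("capset"); return 1; }
    if (sched_setscheduler(0, SCHED_FIFO, &sp) != 0)
        perror("sched_setscheduler");      /* not fatal: play anyway */
    /* Give up root for good: group first, then user. Once every uid is
     * non-zero the kernel clears the remaining capabilities. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("drop"); return 1; }
    if (getuid() != 0 && setuid(0) == 0) { fputs("root not dropped\n", stderr); return 1; }
    argv[0] = "ogg123";
    execv(PLAYER, argv);   /* the scheduling policy is kept across execve */
    perror("execv");
    return 127;
}
```

The wrapper binary is the only file that carries the setuid bit; ogg123 itself stays an ordinary unprivileged program and starts with no capabilities.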