Creating a jackuser group
Davide Bolcioni
dblistsub-fedora at yahoo.it
Mon Feb 19 23:22:18 UTC 2007
On Monday 19 February 2007 22:47:25 Anthony Green wrote:
> On Mon, 2007-02-19 at 19:01 +0100, Davide Bolcioni wrote:
> > I think this is not necessary
> > provided we have:
> >
> > /usr/bin/qjackctl -> consolehelper
> > /usr/sbin/qjackctl
> > /etc/pam.d/qjackctl
> >
> > so that when a normal user invokes qjackctl, consolehelper kicks in and
> > authenticates against PAM (this step could be skipped if qjackctl, by
> > itself, explicitly used PAM for authentication). Then we would have
> > something (warning: UNTESTED) along the lines of
> >
> > #%PAM-1.0
> > auth sufficient pam_rootok.so
> > auth required pam_console.so
> > account required pam_permit.so
> > session required pam_limits.so conf=/etc/security/qjackctl.conf
> >
> > in /etc/pam.d/qjackctl.
>
> I tried this (but with jackd instead of qjackctl). It works as
> advertised after I created an empty
> file /etc/security/console.apps/jackd.
>
> Pardon my ignorance, but one thing I noticed is that it actually runs
> jackd as root, which means that the user can't terminate it with Ctrl-C.
> Is this expected and is there a solution?

I believe consolehelper(8) is intended to do exactly that, see userhelper(8)
which is the workhorse invoked by consolehelper(8).

It might be that setting

USER="<user>"

in /etc/security/console.apps/jackd as documented in userhelper(8) would
launch it as the console user; I do not know if this would cause the attempt
to set memlock and rtprio to fail because of insufficient privileges,
however.

If jackd, as the name seems to suggest, is a daemon (listens for commands),
this approach might be insecure, or at least way outside the original design
framework of consolehelper(8), and should probably be reviewed by someone
more knowledgeable in such matters.

Davide Bolcioni
--
There is no place like /home.