Creating a jackuser group

Davide Bolcioni dblistsub-fedora at yahoo.it
Mon Feb 19 18:01:03 UTC 2007 

On Monday 19 February 2007 17:30:15 Anthony Green wrote:
> On Thu, 2007-02-15 at 22:18 +0100, Davide Bolcioni wrote:
> > Well, if I understand this correctly, could the above be obtained using
> > consolehelper(8) and creating /etc/pam.d/qjackctl, which would have
> >
> >   session required pam_limits.so conf=/etc/security/qjackctl.conf
> >
> > where qjackctl.conf would have
> >
> >   * - memlock 131072
> >   * . rtprio <don't know what to put here>
> >
> > or am I missing something ? No groups to create, and files which RPM can
> > add in directories which are likely to just be there.
>
> Thanks for this suggestion.  It forced me to learn a little about PAM.
>
> As I understand it, this would give RT privs to any user who runs
> qjackctl.  One thing that wasn't clear to me is what constitutes a
> "session".  If they run qjackctl, do the limit changes affect anything
> the user does from that point on?  Or is it limited to the qjackctl
> process and whatever it runs.

You could write instead

  @jackusers - memlock 131072
  @jackusers - rtprio <something>

but then you'd be back with adding the group jackusers (which is not hard, but 
requires care) and adding users to said group. I think this is not necessary 
provided we have:

  /usr/bin/qjackctl -> consolehelper
  /usr/sbin/qjackctl
  /etc/pam.d/qjackctl

so that when a normal user invokes qjackctl, consolehelper kicks in and 
authenticates against PAM (this step could be skipped if qjackctl, by 
himself, explicitly used PAM for authentication). Then we would have 
something (warning: UNTESTED) along the lines of

%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
session required pam_limits.so conf=/etc/security/qjackctl.conf

in /etc/pam.d/qjackctl.

> This is pretty neat, but I think one of our goals was to require admin
> privs to grant RT privs to users because of the inherent dangers of
> handing them out to everybody.  Is this not really a worthwhile goal?

The idea above is to grant RT privilege only to qjackctl and its child 
processes when run from console; after all, it's not the user which requires 
RT privileges, it's qjackctl.

I believe that consolehelper(8) is only necessary as a wrapper for PAM-unaware 
binaries, but I have not verified this.

Thank you for your consideration,
Davide Bolcioni
-- 
There is no place like /home.

More information about the fedora-devel-list mailing list