On Monday 19 February 2007 17:30:15 Anthony Green wrote:
> On Thu, 2007-02-15 at 22:18 +0100, Davide Bolcioni wrote:
> > Well, if I understand this correctly, could the above be obtained using
> > consolehelper(8) and creating /etc/pam.d/qjackctl, which would have
> >
> > session required pam_limits.so conf=/etc/security/qjackctl.conf
> >
> > where qjackctl.conf would have
> >
> > * - memlock 131072
> > * - rtprio <don't know what to put here>
> >
> > or am I missing something ? No groups to create, and files which RPM can
> > add in directories which are likely to just be there.
>
> Thanks for this suggestion. It forced me to learn a little about PAM.
>
> As I understand it, this would give RT privs to any user who runs
> qjackctl. One thing that wasn't clear to me is what constitutes a
> "session". If they run qjackctl, do the limit changes affect anything
> the user does from that point on? Or is it limited to the qjackctl
> process and whatever it runs.

You could write instead

@jackusers - memlock 131072
@jackusers - rtprio <something>

but then you'd be back with adding the group jackusers (which is not hard,
but requires care) and adding users to said group. I think this is not
necessary provided we have:

/usr/bin/qjackctl -> consolehelper
/usr/sbin/qjackctl
/etc/pam.d/qjackctl

so that when a normal user invokes qjackctl, consolehelper kicks in and
authenticates against PAM (this step could be skipped if qjackctl, by
itself, explicitly used PAM for authentication). Then we would have
something (warning: UNTESTED) along the lines of

%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_console.so
account required pam_permit.so
session required pam_limits.so conf=/etc/security/qjackctl.conf

in /etc/pam.d/qjackctl.

> This is pretty neat, but I think one of our goals was to require admin
> privs to grant RT privs to users because of the inherent dangers of
> handing them out to everybody. Is this not really a worthwhile goal?
The idea above is to grant RT privilege only to qjackctl and its child
processes when run from console; after all, it's not the user which requires
RT privileges, it's qjackctl. I believe that consolehelper(8) is only
necessary as a wrapper for PAM-unaware binaries, but I have not verified
this.

Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
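As an added example (not code from the thread, from qjackctl or from pam_limits itself), the following Python models how pam_limits picks a limit for a user from the "*" and "@jackusers" domains discussed above, so you can check who would actually end up with rtprio under either variant. The sample config lines, the rtprio value and the user/group data are constructed.

```python
# Added example (not code from the thread, qjackctl or pam_limits). It models the
# domain precedence pam_limits applies: explicit user > @group > "*" default,
# and within one level the later line wins. Sample data below is constructed.
PRECEDENCE = {"user": 0, "group": 1, "default": 2}

def classify(domain):
    if domain == "*":
        return "default", None
    if domain.startswith("@"):
        return "group", domain[1:]
    return "user", domain

def parse_limits(text):
    """Parse '<domain> <type> <item> <value>' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("soft", "hard", "-"):
            raise ValueError(f"malformed limits line: {raw!r}")
        rules.append(tuple(parts))
    return rules

def effective_limits(rules, user, groups):
    """Return {item: {'soft': v, 'hard': v}} pam_limits would apply to user."""
    chosen = {}  # (item, type) -> (precedence, value)
    for domain, ltype, item, value in rules:
        kind, name = classify(domain)
        if (kind == "user" and name != user) or (kind == "group" and name not in groups):
            continue
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            prev = chosen.get((item, t))
            # more specific domain overrides; same specificity: last line wins
            if prev is None or PRECEDENCE[kind] <= prev[0]:
                chosen[(item, t)] = (PRECEDENCE[kind], value)
    out = {}
    for (item, t), (_, value) in chosen.items():
        out.setdefault(item, {})[t] = value
    return out

# Constructed sample configs (rtprio value made up; the thread left it open)
WILDCARD_CONF = "* - memlock 131072\n* - rtprio 50\n"
GROUP_CONF = "@jackusers - memlock 131072\n@jackusers - rtprio 50\n"

def who_gets_rt(conf, users):
    """users: {name: [groups]}. Return the names that would receive rtprio."""
    rules = parse_limits(conf)
    return sorted(u for u, g in users.items() if "rtprio" in effective_limits(rules, u, g))
```

Running who_gets_rt over the wildcard config lists every user, which is exactly the "RT privs to any user who runs qjackctl" concern raised above; the @jackusers config lists only group members.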