On Monday 19 February 2007 22:47:25 Anthony Green wrote: > On Mon, 2007-02-19 at 19:01 +0100, Davide Bolcioni wrote: > > I think this is not necessary > > provided we have: > > > > /usr/bin/qjackctl -> consolehelper > > /usr/sbin/qjackctl > > /etc/pam.d/qjackctl > > > > so that when a normal user invokes qjackctl, consolehelper kicks in and > > authenticates against PAM (this step could be skipped if qjackctl, by > > himself, explicitly used PAM for authentication). Then we would have > > something (warning: UNTESTED) along the lines of > > > > %PAM-1.0 > > auth sufficient pam_rootok.so > > auth required pam_console.so > > account required pam_permit.so > > session required pam_limits.so conf=/etc/security/qjackctl.conf > > > > in /etc/pam.d/qjackctl. > > I tried this (but with jackd instead of qjackctl). It works as > advertised after I created an empty > file /etc/security/console.apps/jackd. > > Pardon my ignorance, but one thing I noticed is that it actually runs > jackd as root, which means that the user can't terminate it with Ctrl-C. > Is this expected and is there a solution? I believe consolehelper(8) is intended to do exactly that, see userhelper(8) which is the workhorse invoked by consolehelper(8). It might be that setting USER="<user>" in /etc/security/console.apps/jackd as documented in userhelper(8) would launch it as the console user; I do not know if this would cause the attempt to set memlock and rtprio to fail because of insufficient privileges, however. If jackd, as the name seems to suggest, is a daemon (listens for commands), this approach might be insecure, or at least way outside the original design framework of consolehelper(8), and should probably be reviewed by someone more knowledgeable in such matters. Davide Bolcioni -- There is no place like /home. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
