Fernando,

Thanks for the info. It's interesting. In the text below, please remember I have no position on this. I'm just asking some questions, not interrogating!

Mark

> I think the only risk (that I know of) would be an application that
> hangs the machine because there is an infinite loop or lockup in the
> audio thread (which is the one that runs with SCHED_FIFO - realtime
> scheduling). The capabilities granted by jackstart to jackd (thus to
> the jack clients) do not allow the process access to arbitrary files.

Is this true for all applications running on a capabilities enabled kernel, or just those that are granted capabilities by jackstart?

Is the concern clear? Could a particularly nasty person create a program to replace some file used by jackstart of a Jackified application, that could open up the permissions you've granted? On this kernel could that nasty person create a program that exploits these capabilities in ways beyond what you are granting?

I think this is the general concern, as I have understood it.

> Obviously that can happen if you are just running applications as root
> and not using capabilities at all (all bets are off if you run as root).

Certainly.

Maybe it's of no concern. I don't know. I think one of the advertised advantages of Linux is its security. However, one of the weaknesses is that people download source, of which they have no real knowledge, build and install as root, and then try out. PlanetCCRMA really reduces this weakness as we get precompiled binaries with folks like you to help protect us. However, if some nasty person out there wants to exploit this potential weakness then they could cause problems for people getting source from the net, and I think the 'capabilities enabled kernel' *may* make these weaknesses greater??

- Mark