> > jackstart - requires the kernel be patched for 'capabilities', whatever that
> > is.
>
> I don't seem to have that command.

It is included in the jack tarball (but I would use current CVS).

> I do have jackd though. If I try to run jackd -R I get permission
> errors. I assume that is the problem?

Yep.

> Is it not possible to run jackd as root, but run your application as a
> user?

As Mark pointed out in a separate email, it is not possible.

The "capabilities" patch is a 2 line kernel patch that starts init with a full set of capabilities (including CAP_SETPCAP, the ability to set capabilities on other processes). Capabilities are permissions to use certain calls or features of the kernel normally restricted to root only. For example, one of those "capabilities" is the ability of a process to change its own scheduler to SCHED_FIFO(*), or change other processes' scheduler to SCHED_FIFO, something we need for reliable low latency sound i/o.

An application of this is the jackstart program. Jackstart(**) is a small program that has to run suid root that grants jackd the capabilities that it needs to both go SCHED_FIFO itself and grant its clients the capabilities to go SCHED_FIFO (and a couple of other needed capabilities as well).

Why is this patch not widely included in production kernels? There's a catch :-)

The catch is that it becomes possible for a user level program to access the SCHED_FIFO scheduler ring (_necessary_ for reliable low latency sound). Which means a user program can lock the machine (by entering into an infinite loop while executing with SCHED_FIFO) and create a DoS vulnerability.

Obviously the alternatives are even worse (unreliable low latency operation, or running everything as root)

-- Fernando

See also:
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt

(*) see man sched_setscheduler for what this all means

(**) I wrote jackstart, it is based on code and concepts found in sucap.c, written by Finn Arne Gangstad <finnag@xxxxxxxxxxx> and givertcap.c, written by Tommi Ilmonen, Tommi.Ilmonen@xxxxxxx
Givertcap is also included in the standard distribution of muse.
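
Added example (not part of the message above and not jackstart's code): a small C check that decodes the CapEff mask from /proc/<pid>/status and reports whether a process holds CAP_SETPCAP and the capability that gates SCHED_FIFO, which is CAP_SYS_NICE in <linux/capability.h>. The names parse_cap_field and rt_caps and the HAS_* flags are made up for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SETPCAP_BIT  8   /* may set capabilities on other processes */
#define CAP_SYS_NICE_BIT 23  /* may put itself or others under SCHED_FIFO */
enum { HAS_SYS_NICE = 1, HAS_SETPCAP = 2 };  /* illustrative result flags */

/* Parse the hex mask after `field` at the start of a line; 0 on success, -1 if absent or malformed. */
static int parse_cap_field(const char *status, const char *field, unsigned long long *mask)
{
    size_t n = strlen(field);
    while (*status) {
        if (strncmp(status, field, n) == 0) {
            const char *q = status + n;
            while (*q == ' ' || *q == '\t') q++;          /* stay on this line */
            if (!isxdigit((unsigned char)*q)) return -1;  /* empty or garbage value */
            *mask = strtoull(q, NULL, 16);
            return 0;
        }
        status += strcspn(status, "\n");  /* advance to the next line */
        if (*status) status++;
    }
    return -1;
}

/* HAS_* flags for the effective capability set, or -1 when there is no usable CapEff line. */
int rt_caps(const char *status)
{
    unsigned long long eff;
    if (parse_cap_field(status, "CapEff:", &eff) != 0) return -1;
    return ((eff >> CAP_SYS_NICE_BIT) & 1 ? HAS_SYS_NICE : 0) |
           ((eff >> CAP_SETPCAP_BIT) & 1 ? HAS_SETPCAP : 0);
}

int main(void)
{
    char buf[8192] = {0};  /* zero-filled, so the text stays NUL-terminated */
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    if (fread(buf, 1, sizeof buf - 1, f) == 0) buf[0] = '\0';
    fclose(f);
    int r = rt_caps(buf);
    if (r < 0) { fputs("no CapEff line\n", stderr); return 1; }
    printf("CAP_SYS_NICE=%d CAP_SETPCAP=%d\n", !!(r & HAS_SYS_NICE), !!(r & HAS_SETPCAP));
    return 0;
}
```

Running the same decode over every /proc/<pid>/status gives an inventory of non-root processes able to enter SCHED_FIFO, which is the exposure the message describes.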