Hasse Hagen Johansen <hhj@xxxxxxxxxxxxx> writes:

> >>>>> "Arnold" == Arnold Krille <arnold@xxxxxxxxxxxxx> writes:
>
>   Arnold> Apart from other "official" solutions I did set the suid
>   Arnold> flag on all the binaries I need and changed the group to
>   Arnold> audio (and let others not execute the bins)...
>
>   Arnold> That way I can have excellent latency times while still
>   Arnold> being my normal user.
>
> I actually thought of that earlier. It is possibly one of the easiest
> solutions.

Maybe the easiest, but probably also the least secure.

From a security perspective it is better to log in as root than to use
setuid. Then at least, the person running untrusted code with
super-powers has to know the root password. His judgement may be in
question, but his authority is not. :-)

> I just started the thread to hear about how people did get realtime
> CAp as a normal user.....I think it actually makes sense to make an
> audio group...could also set the permissions on the audio devices etc.

The `audio' group is a good idea, and has standard support in both
Gentoo and Debian. I'm not sure about other distributions, but it is
easy to add this group yourself if it's not already defined.

Sadly, Linux development remains quite disorganized when it comes to
realtime privileges. I wish there were a simple answer to your
question.

My feeling is that the best available approach is granting realtime
privileges based on membership in this group. With 2.4 kernels that
requires a kernel patch. Several have been posted in the past, but
AFAIK none are actively maintained.

For 2.6 kernels, there is a dynamically-installable Linux Security
Module[1] originally written by Torben Hohn, later modified and
packaged by me. Although still experimental, I support it and intend
to make it an official project. It does not require any kernel
patches, but you do need kernel sources to build it. This LSM grants
realtime privileges based on several user-controlled options[2].

[1] http://www.joq.us/realtime
[2] http://www.joq.us/realtime/README

The option I recommend and use is `gid=29', which grants realtime
privileges to any process belonging to the Debian `audio' group.
Adding a user ID to this group grants access to both the audio device
and to the necessary realtime privileges.
-- 
joq
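
A check to run as the normal user after being added to the group, given here as an added example (it is not part of the message above or of the realtime LSM package): it reports whether the process belongs to a given GID and whether the kernel lets it switch to SCHED_FIFO without setuid. The default GID 29 comes from the message; reading "belonging to the group" as effective or supplementary membership is an assumption, and the function names are illustrative.

```c
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if gid is the effective GID or a supplementary group of this
 * process, 0 if not, -1 on error. (Assumed meaning of "belongs to".) */
int in_group(gid_t gid)
{
    if (getegid() == gid)
        return 1;
    int n = getgroups(0, NULL);          /* ask for the list size first */
    if (n <= 0)
        return n;                        /* 0: no groups, -1: error */
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (!list)
        return -1;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            found = 1;
    free(list);
    return n < 0 ? -1 : found;
}

/* Request SCHED_FIFO at its lowest priority, then restore the previous
 * policy. Returns 0 if the kernel granted it, otherwise the errno value
 * (EPERM when the process has no realtime privilege). */
int probe_fifo(void)
{
    struct sched_param old, want;
    int old_policy = sched_getscheduler(0);
    if (old_policy < 0 || sched_getparam(0, &old) < 0)
        return errno;
    want.sched_priority = sched_get_priority_min(SCHED_FIFO);
    if (sched_setscheduler(0, SCHED_FIFO, &want) < 0)
        return errno;
    sched_setscheduler(0, old_policy, &old);
    return 0;
}

int main(int argc, char **argv)
{
    gid_t gid = argc > 1 ? (gid_t)strtoul(argv[1], NULL, 10) : 29;
    int r = probe_fifo();
    printf("member of gid %u: %d\n", (unsigned)gid, in_group(gid));
    printf("SCHED_FIFO: %s\n", r ? strerror(r) : "granted");
    return 0;
}
```

A result of "granted" for a non-root user who is in the group, and "Operation not permitted" for one who is not, shows the privilege is coming from group membership rather than from a setuid binary.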