public inbox for speakup@linux-speakup.org
From: Gregory Nowak <greg@romuald.net.eu.org>
To: speakup@braille.uwo.ca
Subject: Re: audio permissions quandary, part 2
Date: Wed, 10 Oct 2007 11:40:50 -0700
Message-ID: <20071010184050.GB11311@localhost.localdomain>
In-Reply-To: <20071010072709.GD17377@opera.rednote.net>

The second suggestion seemed very attractive, until I got lost on how
to do that after some effort, given that udev is involved, and that
dmix is being used, and documentation for alsa seems to be
nonexistent. On top of that, I found that if I change

defaults.pcm.ipc_gid audio

to say

defaults.pcm.ipc_gid greg

, or any other group for that matter in /usr/share/alsa/alsa.conf, the
devices are still in the audio group, even after a reboot.

I was considering looking at the maildrop source this morning, and
seeing if I could implement suggestion #1, and submit a patch to the
author, but since at this point I'm looking for the easiest suggestion
to implement with the least security compromise, if any, I'll try your
suggestion before resorting to playing with the maildrop source. It
isn't perfect as you said, but the worst that can happen is that
somebody exploits a future security hole in aplay, and gets access as
greg on the system. That's still not good, but it's better than
exploiting aplay, and getting root access as the prize.

After doing some web searching, I must say I'm surprised that nobody
has pointed out this limitation before. After all, wanting to play
certain sounds depending on who mail comes from isn't that unheard
of. Thanks again.

Greg


On Wed, Oct 10, 2007 at 03:27:09AM -0400, Frank Carmickle wrote:
> Hi Greg
>
> After beating on this for three hours I have a solution but I don't
> like it too much.  It's better than suid though.  Use sudo
> with a line like this in your sudoers file
>
> greg ALL= (greg) NOPASSWD:/usr/bin/aplay
>
> then drop in your .mailfilter file
> `sudo -u greg aplay somefile`
>
> Like I said I don't like it that much but it does work and it
> doesn't allow anyone else to use aplay who isn't you.  It also
> runs aplay as you.
>
> HTH
> --Frank
>


-- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

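Added example, not part of the original thread: a small wrapper for the sudo rule quoted above, for the case of playing a different sound per sender. The sender address comes from a mail header and is untrusted, so it is only matched against fixed strings and never used to build a path or command line. The sound directory, file names, sender addresses and function names are hypothetical.

```shell
#!/bin/sh
# Added example; not code from the thread. All paths, addresses and
# function names below are constructed placeholders.

SOUND_DIR="${SOUND_DIR:-/home/greg/sounds}"   # assumed location of the .wav files

# Map a sender address to a sound file.
# The address is attacker-controlled input (it comes from a mail header),
# so it is lowercased and compared against a fixed allowlist only.
# Anything unrecognised, including path-like or shell-like strings,
# falls through to the default sound.
sound_for_sender() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$addr" in
        frank@example.org) echo "$SOUND_DIR/frank.wav" ;;
        list@example.org)  echo "$SOUND_DIR/list.wav" ;;
        *)                 echo "$SOUND_DIR/default.wav" ;;
    esac
}

# Play the sound for a sender through the sudoers rule from the thread.
#   sudo -n  : fail instead of prompting if the rule is missing
#   aplay -q : no status output in the mail filter's output
#   --       : the file name can never be parsed as an aplay option
play_for_sender() {
    file=$(sound_for_sender "$1")
    [ -f "$file" ] || return 1
    sudo -n -u greg /usr/bin/aplay -q -- "$file"
}
```

The mail filter would call play_for_sender with the sender address instead of invoking aplay on a name derived from the message.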

