audio permissions quandary, part 2

Gregory Nowak greg at romuald.net.eu.org
Wed Oct 10 14:40:50 EDT 2007


The second suggestion seemed very attractive, until I got lost on how
to do that after some effort, given that udev is involved, and that
dmix is being used, and documentation for alsa seems to be
nonexistent. On top of that, I found that if I change

defaults.pcm.ipc_gid audio

to say

defaults.pcm.ipc_gid greg

, or any other group for that matter in /usr/share/alsa/alsa.conf, the
devices are still in the audio group, even after a reboot.

I was considering looking at the maildrop source this morning, and
seeing if I could implement suggestion #1, and submit a patch to the
author, but since at this point I'm looking for the easiest suggestion
to implement with the least security compromise, if any, I'll try your
suggestion before resorting to playing with the maildrop source. It
isn't perfect as you said, but the worst that can happen is that
somebody exploits a future security hole in aplay, and gets access as
greg on the system. That's still not good, but it's better than
exploiting aplay, and getting root access as the prize.

After doing some web searching, I must say I'm surprised that nobody
has pointed out this limitation before. After all, wanting to play
certain sounds depending on who mail comes from isn't that unheard
of. Thanks again.

Greg


On Wed, Oct 10, 2007 at 03:27:09AM -0400, Frank Carmickle wrote:
> Hi Greg
>
> After beating on this for three hours I have a solution but I don't
> like it too much.  It's better than suid though.  Use sudo
> with a line like this in your sudoers file
>
> greg ALL= (greg) NOPASSWD:/usr/bin/aplay
>
> then drop in your .mailfilter file
> `sudo -u greg aplay somefile`
>
> Like I said I don't like it that much but it does work and it
> doesn't allow anyone else to use aplay who isn't you.  It also
> runs aplay as you.
>
> HTH
> --Frank
>


-- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

--
Free domains: http://www.eu.org/ or mail dns-manager at EU.org