On 2020/04/26 20:16, Jeremie Courreges-Anglas wrote:
> That is something we discussed with chrisz@.  One concern I had was that
> changing the home directory in the PLIST won't affect upgrades and more
> generally machines where the _mpd is present in master.passwd.
> And forcefully changing the home dir with usermod -d isn't nice to
> people who have already dealt with this problem.
> 
> This is something we could document in a README, along with the special
> setup needed to share sndiod access.  Diff below.

> So building up on the discussion with Christopher, here's a diff that
> changes _mpd's home dir to /var/spool/mpd and documents a bit what
> people need to do.  Feedback and improvements welcome.
> 
> No idea if I should leave @sample /var/spool/mpd in the PLIST, portcheck
> also warns about VARBASE...
> 
> (Unrelated, drop the tremor FLAVOR from DESCR while here.)

OK for DESCR for sure :)

> +sndiod(8) concurrent access by mpd(1) and other users
> +=====================================================
> +
> +sndiod(8) only allows access from a single user/hostname at a time,
> +unless a cookie is provided.  See AUTHENTICATION in sndio(7) for
> +more details.  If you want to share sndiod(8) access with mpd(1) running
> +as the default _mpd user, you may copy an existing cookie in
> +/var/spool/mpd/.sndio/cookie.
> +
> +If you previously had mpd installed on your system, make sure the home
> +directory of the _mpd user is actually /var/spool/mpd.
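Review bot: the sentence "you may copy an existing cookie in /var/spool/mpd/.sndio/cookie" does not say which cookie to copy or what ownership the copy needs. Suggest naming the source (the cookie of the user who should share access), writing "to" rather than "in", and stating that the copied file must be readable by _mpd. The last paragraph also asks the reader to make sure the home directory is /var/spool/mpd without saying how to check or change it.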

more specifics might be helpful..

""
sndiod(8) normally only allows access to audio by a single system user
at a time. This is done by generating a random authentication token and
storing it in $HOME/.sndio/cookie when a user first accesses audio,
providing a limited capability to share with other users by copying
the token to their home directory.  See AUTHENTICATION in sndio(7) for
more details.

If you want to share sndiod(8) access with mpd(1) running as the
default _mpd user, you may copy .sndio/cookie from your user's home
directory to /var/spool/mpd/.sndio/cookie.

If you previously had mpd installed on your system, make sure the home
directory of the _mpd user is actually /var/spool/mpd, or reset it
with:

# usermod -d /var/spool/mpd _mpd
""

But....

The problem with this is, on a multiuser system where you want to share
audio between mpd (or audio/squeezelite, which has the same problem) and
more than one user, you have to share a cookie between _mpd, user1 and
user2, so sndiod's privacy mechanism is nullified.

As an alternative, perhaps the mechanism sndiod now uses for root could be
extended for users specified on sndiod's command line. Stupid hardcoded
example for mpd, clearly not committable as-is, but demonstrating the concept.

Index: sock.c
===================================================================
RCS file: /cvs/src/usr.bin/sndiod/sock.c,v
retrieving revision 1.35
diff -u -p -r1.35 sock.c
--- sock.c      26 Apr 2020 14:13:22 -0000      1.35
+++ sock.c      26 Apr 2020 19:39:18 -0000
@@ -794,7 +794,8 @@ sock_auth(struct sock *f)
        /*
         * root bypasses any authenication checks and has no session
         */
-       if (getpeereid(f->fd, &euid, &egid) == 0 && euid == 0) {
+       if (getpeereid(f->fd, &euid, &egid) == 0 &&
+           (euid == 0 || euid == 560)) {
                f->pstate = SOCK_HELLO;
                f->sesrefs = 0;
                return 1;
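Review bot: the literal 560 in the new condition "(euid == 0 || euid == 560)" ties the bypass to a bare uid value, and the comment above it still says only root bypasses the checks. Suggest resolving the permitted users to uids once at startup (from the command-line list proposed in the message) and updating the comment, fixing the "authenication" typo while there. A matching peer takes the same branch as root, with f->sesrefs = 0 and no cookie check, so the comment should say that every process running under such a uid is admitted regardless of the current session.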

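The concern above about one cookie being copied between _mpd, user1 and user2 can be audited on a running system. The following is an added example, not part of the original message and not code from sndio or the ports tree: a shell function that reports which accounts hold matching $HOME/.sndio/cookie files. The function name, its arguments and the ROOT_PREFIX testing convention are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from sndio or the ports tree).
# Reports groups of accounts whose $HOME/.sndio/cookie files match, i.e.
# accounts that can use each other's sndiod session.
# Usage: shared_cookies [PASSWD_FILE [ROOT_PREFIX]]
#   PASSWD_FILE  passwd(5)-format file, default /etc/passwd
#   ROOT_PREFIX  prepended to each home directory (for testing on a copy)
# Run as root so that every user's cookie is readable.
shared_cookies() {
    passwd=${1:-/etc/passwd}
    prefix=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        cookie="$prefix$home/.sndio/cookie"
        [ -r "$cookie" ] || continue
        # Compare by checksum and length so the cookie itself is never printed.
        sum=$(cksum < "$cookie" | tr ' ' '-')
        printf '%s %s\n' "$sum" "$user"
    done < "$passwd" | LC_ALL=C sort |
    awk '{ users[$1] = (count[$1]++ ? users[$1] " " : "") $2 }
         END { for (k in count) if (count[k] > 1) print users[k] }' |
    LC_ALL=C sort
}

if [ "$#" -gt 0 ]; then
    shared_cookies "$@"
fi
```

Each output line is one group of accounts sharing a cookie; a line that names _mpd together with more than one login user is the situation described above.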