Re: [Cooker] perms on /dev/rtc device
On Sat, 6 Sep 2003, Frederic Crozat wrote:

> Yeah, I saw that but I don't think it is related to /dev/rtc.. tvtime is
> probably trying to nice itself to real-time, which is only permitted for
> root. Anyway, it still works great and the latest version now has a
> menu.. I think we will soon be able to replace xawtv with tvtime as the
> default TV app :)

Perhaps you can use a suid wrapper like jackd does on kernel-multimedia with setpcap? That way, it does not need to be root. Austin?
Re: [Cooker] perms on /dev/rtc device
>> I'm not sure if it is a security risk or not.. Let's first try the
>> safest solution :)
> mplayer works perfectly, but there is still a problem with tvtime

I get this error from mplayer:

  Linux RTC init error in ioctl (rtc_irqp_set 1024): Permission denied
  Try adding "echo 1024 > /proc/sys/dev/rtc/max-user-freq" to your system startup scripts.

Perms on rtc look fine:

  $ ls -l /dev/rtc
  crw-------  1 olivier video 10, 135 mai 18 07:03 /dev/rtc

What perms need to be tweaked to allow this ioctl?

-- 
Olivier Blin
Re: [Cooker] perms on /dev/rtc device
Thus spoke Olivier Blin:
> What perms need to be tweaked to allow this ioctl?

Not a perm problem. Just add the following in your /etc/sysctl.conf:

  # RTC resolution
  dev.rtc.max-user-freq = 1024

Could this setting be added to the default sysctl.conf?

-- 
Guillaume Rousse
Scattered light never gets into your setup where it is possible -- Ralf's Laws of Observational Astronomy n°8
Re: [Cooker] perms on /dev/rtc device
>   # RTC resolution
>   dev.rtc.max-user-freq = 1024
>
> Could this setting be added to the default sysctl.conf?

Thanks, but shouldn't this be the default in the default security level? RTC works fine, but sysctl.conf needs to be tweaked. IMHO, the user shouldn't have to do that.

-- 
Olivier Blin
Re: [Cooker] perms on /dev/rtc device
On Sat, 06 Sep 2003 03:28:38 +0200, Guillaume Rousse wrote:

> Thus spoke Frederic Crozat:
>> On Mon, 25 Aug 2003 12:14:34 +0200, Jan Ciger wrote:
>>> Frederic Crozat wrote:
>>>> console privilege != console user...
>>>> console privilege means this user is connected physically on the
>>>> system, either by using a text console or a graphical console
>>>> (gdm/kdm).
>>> Yes, that was what I meant (via pam_console). Is it necessary to
>>> limit read access to /dev/rtc to just locally logged in users?
>> I'm not sure if it is a security risk or not.. Let's first try the
>> safest solution :)
> mplayer works perfectly, but there is still a problem with tvtime
> (from contrib):
>
>   Can't get realtime priority for better performance, need root access.

Yeah, I saw that but I don't think it is related to /dev/rtc.. tvtime is probably trying to nice itself to real-time, which is only permitted for root. Anyway, it still works great and the latest version now has a menu.. I think we will soon be able to replace xawtv with tvtime as the default TV app :)

-- 
Frédéric Crozat
MandrakeSoft
Re: [Cooker] perms on /dev/rtc device
On Saturday 6 September 2003 12:14, Frederic Crozat wrote:
> I think we will soon be able to replace xawtv with tvtime as the
> default TV app :)

[+] I agree!

-- 
Laurent Culioli :: [EMAIL PROTECTED]
Re: [Cooker] perms on /dev/rtc device
On Saturday 6 September 2003 12:14, Frederic Crozat wrote:
> Yeah, I saw that but I don't think it is related to /dev/rtc.. tvtime is
> probably trying to nice itself to real-time, which is only permitted for
> root. Anyway, it still works great and the latest version now has a
> menu.. I think we will soon be able to replace xawtv with tvtime as the
> default TV app :)

In the FAQ (http://tvtime.sourceforge.net/help.html#performance) there are some tips to get better performance, but for maximum performance you need to run as root (there is the same problem with cdrecord if you need to have high priority and buffer on the CD writer device). What do you think of setgid video tvtime like cdrecord? Like this: root.video rws r-s r-x?

-- 
Laurent Culioli :: [EMAIL PROTECTED]
Re: [Cooker] perms on /dev/rtc device
Laurent Culioli [EMAIL PROTECTED] wrote:
> On Saturday 6 September 2003 12:14, Frederic Crozat wrote:
>> Yeah, I saw that but I don't think it is related to /dev/rtc.. tvtime
>> is probably trying to nice itself to real-time, which is only permitted
>> for root. Anyway, it still works great and the latest version now has a
>> menu.. I think we will soon be able to replace xawtv with tvtime as the
>> default TV app :)
>
> In the FAQ (http://tvtime.sourceforge.net/help.html#performance) there
> are some tips to get better performance, but for maximum performance you
> need to run as root (there is the same problem with cdrecord if you need
> to have high priority and buffer on the CD writer device). What do you
> think of setgid video tvtime like cdrecord? Like this:
> root.video rws r-s r-x?

That's too much. You don't give an app root permissions when it needs real time priority, you give it real time priority. IE make a wrapper.

# Han
-- 
http://www.xs4all.nl/~hanb/software
http://www.xs4all.nl/~hanb/documents/quotingguide.html
Re: [Cooker] perms on /dev/rtc device
On Saturday 6 September 2003 13:55, Han Boetes wrote:
> That's too much. You don't give an app root permissions when it needs
> real time priority, you give it real time priority. IE make a wrapper.

Do you mean a wrapper with kdesu/console-helper/... like rpmdrake?

-- 
Laurent Culioli :: [EMAIL PROTECTED]
Re: [Cooker] perms on /dev/rtc device
Thus spoke Han Boetes:
> Laurent Culioli [EMAIL PROTECTED] wrote:
>> On Saturday 6 September 2003 12:14, Frederic Crozat wrote:
>>> Yeah, I saw that but I don't think it is related to /dev/rtc.. tvtime
>>> is probably trying to nice itself to real-time, which is only
>>> permitted for root. Anyway, it still works great and the latest
>>> version now has a menu.. I think we will soon be able to replace xawtv
>>> with tvtime as the default TV app :)
>>
>> In the FAQ (http://tvtime.sourceforge.net/help.html#performance) there
>> are some tips to get better performance, but for maximum performance
>> you need to run as root (there is the same problem with cdrecord if you
>> need to have high priority and buffer on the CD writer device). What do
>> you think of setgid video tvtime like cdrecord? Like this:
>> root.video rws r-s r-x?
>
> That's too much. You don't give an app root permissions when it needs
> real time priority, you give it real time priority. IE make a wrapper.

Can you explain it a bit more? AFAIK, there is privilege separation in the default kernel allowing to just give some root privileges, and not others. Moreover, tvtime seems to be designed to drop root privileges once real time priority is acquired, see the URL above.

-- 
Guillaume Rousse
You can't run a barn without baling twine -- Murphy's Horse Laws n°15
Re: [Cooker] perms on /dev/rtc device
On Sat, Sep 06, 2003 at 01:54:47PM +0159, Han Boetes wrote:
>> device). What do you think of setgid video tvtime like cdrecord? Like
>> this: root.video rws r-s r-x?
>
> That's too much. You don't give an app root permissions when it needs
> real time priority, you give it real time priority. IE make a wrapper.

You mean a wrapper that gives the app CAP_SYS_NICE, or one that sets realtime and execs tvtime. Might as well have tvtime doing nice(); setresgid(); setresuid(); at the very beginning, if it doesn't already.

In the first case we might consider using capsel, a kernel module that sets capabilities on processes based on a configuration file, thus avoiding the need to write a wrapper for many apps.

Regards,
L.

-- 
Luca Berra -- [EMAIL PROTECTED]
Communication Media Services S.r.l.
ASCII RIBBON CAMPAIGN AGAINST HTML MAIL
Re: [Cooker] perms on /dev/rtc device
Luca Berra [EMAIL PROTECTED] wrote:
> On Sat, Sep 06, 2003 at 01:54:47PM +0159, Han Boetes wrote:
>>> device). What do you think of setgid video tvtime like cdrecord? Like
>>> this: root.video rws r-s r-x?
>>
>> That's too much. You don't give an app root permissions when it needs
>> real time priority, you give it real time priority. IE make a wrapper.
>
> You mean a wrapper that gives the app CAP_SYS_NICE, or one that sets
> realtime and execs tvtime. Might as well have tvtime doing nice();
> setresgid(); setresuid(); at the very beginning, if it doesn't already.
>
> In the first case we might consider using capsel, a kernel module that
> sets capabilities on processes based on a configuration file, thus
> avoiding the need to write a wrapper for many apps.

Yes, I realize this has to be done in C. I think this might actually benefit other apps like cdrecord as well. But I don't want to exclude the possibility there are even better solutions. I just get paranoid as soon as suid is being suggested/used. I'd rather think twice before giving it.

A wrapper like that would have made the recent cdrecord update less necessary, I think.

# Han
-- 
http://www.xs4all.nl/~hanb/software
http://www.xs4all.nl/~hanb/documents/quotingguide.html
Re: [Cooker] perms on /dev/rtc device
Thus spoke Frederic Crozat:
> On Mon, 25 Aug 2003 12:14:34 +0200, Jan Ciger wrote:
>> Frederic Crozat wrote:
>>> console privilege != console user...
>>> console privilege means this user is connected physically on the
>>> system, either by using a text console or a graphical console
>>> (gdm/kdm).
>> Yes, that was what I meant (via pam_console). Is it necessary to limit
>> read access to /dev/rtc to just locally logged in users?
> I'm not sure if it is a security risk or not.. Let's first try the
> safest solution :)

mplayer works perfectly, but there is still a problem with tvtime (from contrib):

  Can't get realtime priority for better performance, need root access.

-- 
Guillaume Rousse
If the vending machine actually has what you want, it will cost more than the amount of change that you have -- Murphy's Laws on Vending Machines n°3
Re: [Cooker] perms on /dev/rtc device
Frederic Crozat wrote:
>> I guess some pam configuration could dynamically turn these perms for
>> the user, as for the audio devices.
>
> Good idea, I was wondering the same thing yesterday.. I'll see with Fred
> Lepied if we can add console privilege to that..

Hmm, isn't it better to allow everybody to read /dev/rtc instead of just the console user? I do not think that it is a security hole and /dev/rtc could provide useful info for more things than for just mplayer running on the console that way.

Jan

-- 
Jan Ciger
VRlab EPFL Switzerland
GPG public key : http://www.keyserver.net/
Re: [Cooker] perms on /dev/rtc device
On Sun, 24 Aug 2003 21:47:00 +0200, Jan Ciger wrote:

> Frederic Crozat wrote:
>>> I guess some pam configuration could dynamically turn these perms for
>>> the user, as for the audio devices.
>>
>> Good idea, I was wondering the same thing yesterday.. I'll see with
>> Fred Lepied if we can add console privilege to that..
>
> Hmm, isn't it better to allow everybody to read /dev/rtc instead of just
> the console user? I do not think that it is a security hole and /dev/rtc
> could provide useful info for more things than for just mplayer running
> on the console that way.

console privilege != console user...
console privilege means this user is connected physically on the system, either by using a text console or a graphical console (gdm/kdm).

-- 
Frédéric Crozat
MandrakeSoft
Re: [Cooker] perms on /dev/rtc device
On Sunday, 24 August 2003 21:47, Jan Ciger wrote:
> Frederic Crozat wrote:
>>> I guess some pam configuration could dynamically turn these perms for
>>> the user, as for the audio devices.
>>
>> Good idea, I was wondering the same thing yesterday.. I'll see with
>> Fred Lepied if we can add console privilege to that..
>
> Hmm, isn't it better to allow everybody to read /dev/rtc instead of just
> the console user? I do not think that it is a security hole and /dev/rtc
> could provide useful info for more things than for just mplayer running
> on the console that way.
>
> Jan

I would suggest making it root.video as the devb devices should have that permission too and give the ordinary user membership in video. Why do we have the permissions if we don't use them?

Steffen
Re: [Cooker] perms on /dev/rtc device
Frederic Crozat wrote:
> console privilege != console user...
> console privilege means this user is connected physically on the system,
> either by using a text console or a graphical console (gdm/kdm).

Yes, that was what I meant (via pam_console). Is it necessary to limit read access to /dev/rtc to just locally logged in users?

Jan

-- 
Jan Ciger
VRlab EPFL Switzerland
GPG public key : http://www.keyserver.net/
Re: [Cooker] perms on /dev/rtc device
On Mon, 25 Aug 2003 12:14:34 +0200, Jan Ciger wrote:

> Frederic Crozat wrote:
>> console privilege != console user...
>> console privilege means this user is connected physically on the
>> system, either by using a text console or a graphical console
>> (gdm/kdm).
>
> Yes, that was what I meant (via pam_console). Is it necessary to limit
> read access to /dev/rtc to just locally logged in users?

I'm not sure if it is a security risk or not.. Let's first try the safest solution :)

-- 
Frederic Crozat
MandrakeSoft
Re: [Cooker] perms on /dev/rtc device
Frederic Crozat wrote:
> console privilege != console user...
> console privilege means this user is connected physically on the system,
> either by using a text console or a graphical console (gdm/kdm).

That leaves out users connecting from X terminals. Bad. OTOH this is a case not easily solvable with pam_console in a generic way. In fact I think that pam_console is part of the problem, not part of the solution ;-)

Bye

-- 
What does it matter to the widows, the orphans, the destitute, whether the massacres are carried out in the name of totalitarianism or in the sacred name of liberty and democracy.
Mahatma Gandhi (1869 - 1948)
Re: [Cooker] perms on /dev/rtc device
On Sun, 24 Aug 2003 20:31:40 +0200, Guillaume Rousse wrote:

> Several multimedia applications use /dev/rtc, such as tvtime and
> mplayer. However, standard perms on this device don't allow its use:
>
>   [EMAIL PROTECTED] linux]# ll /dev/misc/rtc
>   crw-r-----  1 root root 10, 135 jan 1 1970 /dev/misc/rtc
>
> I guess some pam configuration could dynamically turn these perms for
> the user, as for the audio devices.

Good idea, I was wondering the same thing yesterday.. I'll see with Fred Lepied if we can add console privilege to that..

-- 
Frédéric Crozat
MandrakeSoft
[Cooker] perms on /dev/rtc device
Several multimedia applications use /dev/rtc, such as tvtime and mplayer. However, standard perms on this device don't allow its use:

  [EMAIL PROTECTED] linux]# ll /dev/misc/rtc
  crw-r-----  1 root root 10, 135 jan 1 1970 /dev/misc/rtc

I guess some pam configuration could dynamically turn these perms for the user, as for the audio devices.

-- 
Guillaume Rousse
Sex is hereditary -- Murphy's Laws on Sex n°20