Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
On Mon, 19.04.10 19:23, Jan Braun (janbr...@gmx.de) wrote:

> Lennart Poettering wrote:
> > > ...and you're explicitly disallowing cross-user shm transfer. :(
> > > I guess I'll have to figure out the security implications of messing
> > > with that.
> >
> > Well, the story goes like this: we need to make sure that a user A
> > cannot trigger a SIGBUS in processes by user B simply by ftruncating an
> > shm region A controls and B maps and accesses. Since handling SIGBUS
> > from a library context is ugly to impossible we hence generally don't
> > allow shm data transfer between users.
>
> Thanks for the explanation. But this is only a DoS, isn't it?

Yes, it is 'just' a DoS vulnerability.

Lennart

--
Lennart Poettering
Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/
GnuPG 0x1A015CC4
___
pulseaudio-discuss mailing list
pulseaudio-discuss@mail.0pointer.de
https://tango.0pointer.de/mailman/listinfo/pulseaudio-discuss

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
On 19 Apr 2010, Lennart Poettering outgrape:

> On Fri, 16.04.10 21:02, Jan Braun (janbr...@gmx.de) wrote:
>> xterms ssh'd to otheru...@localhost .
>
> Why would you ssh to the local machine?

'cos it forwards your X cookie and authentication agent connection for
you. (Of course you can do the X cookie with pam_xauth.so, but that is
both rather new and also doesn't forward your authentication connection
for you.)

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
Lennart Poettering wrote:

> > ...and you're explicitly disallowing cross-user shm transfer. :(
> > I guess I'll have to figure out the security implications of messing
> > with that.
>
> Well, the story goes like this: we need to make sure that a user A
> cannot trigger a SIGBUS in processes by user B simply by ftruncating an
> shm region A controls and B maps and accesses. Since handling SIGBUS
> from a library context is ugly to impossible we hence generally don't
> allow shm data transfer between users.

Thanks for the explanation. But this is only a DoS, isn't it? A can
terminate B's audio applications. That's something I could happily live
with, particularly as it means one of my personalities would need to use
a malicious (mis-)implementation of the PA protocol.

But of course, I see how you wouldn't want to officially distribute that,
so I'll probably be compiling my own version of PA in the future. The
joys of Free Software. :)

Thanks again,
Jan

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org   - against proprietary attachments

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
On Mon, 19.04.10 18:09, Jan Braun (janbr...@gmx.de) wrote:

> | /* Only enable SHM if both sides are owned by the same
> |  * user. This is a security measure because otherwise data
> |  * private to the user might leak. */
> |
> | const pa_creds *creds;
> | if (!(creds = pa_pdispatch_creds(pd)) || getuid() != creds->uid)
> |     do_shm = FALSE;
>
> ...and you're explicitly disallowing cross-user shm transfer. :(
> I guess I'll have to figure out the security implications of messing
> with that.

Well, the story goes like this: we need to make sure that a user A
cannot trigger a SIGBUS in processes by user B simply by ftruncating an
shm region A controls and B maps and accesses. Since handling SIGBUS
from a library context is ugly to impossible we hence generally don't
allow shm data transfer between users.

Lennart

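Added example (not from the thread and not PulseAudio code): a constructed C program showing the failure described in the message above, and why a copied transfer is not affected by it. The name reader_fate, the unlinked temp file standing in for a /dev/shm segment, and the pipe standing in for the non-SHM transport are assumptions of this example.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define REGION_SIZE 4096

/* Constructed demo. An owner ("user A") shares one byte with a reader
 * ("user B"), then shrinks the shared region to zero bytes.
 *   use_shm = 1: B reads the byte through the shared mapping.
 *   use_shm = 0: B only uses a copy received over a pipe.
 * Returns the signal that killed B, 0 if B exited cleanly, -1 on error. */
int reader_fate(int use_shm)
{
    char path[] = "/tmp/shm-demo-XXXXXX";   /* stand-in for a /dev/shm file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);

    int data[2];
    char *region = MAP_FAILED;
    if (ftruncate(fd, REGION_SIZE) == 0)
        region = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE,
                      MAP_SHARED, fd, 0);
    if (region == MAP_FAILED || pipe(data) < 0) {
        if (region != MAP_FAILED)
            munmap(region, REGION_SIZE);
        close(fd);
        return -1;
    }
    region[0] = 'A';                        /* the "audio data" */

    pid_t pid = fork();
    if (pid == 0) {                         /* reader B, inherits the mapping */
        char byte = 0;
        signal(SIGBUS, SIG_DFL);            /* a library cannot safely catch it */
        close(data[1]);
        if (read(data[0], &byte, 1) != 1)   /* blocks until A has truncated */
            _exit(2);
        if (use_shm)
            byte = *(volatile char *)region; /* page is past EOF now: SIGBUS */
        _exit(byte == 'A' ? 0 : 1);
    }

    /* owner A: take a copy, shrink the region, then hand the copy to B */
    int rc = -1, status = 0;
    char copy = region[0];
    close(data[0]);
    if (pid > 0) {
        if (ftruncate(fd, 0) == 0)
            (void)!write(data[1], &copy, 1);
        close(data[1]);                     /* also unblocks B on failure */
        if (waitpid(pid, &status, 0) == pid) {
            if (WIFSIGNALED(status))
                rc = WTERMSIG(status);
            else if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
                rc = 0;
        }
    } else {
        close(data[1]);
    }
    munmap(region, REGION_SIZE);
    close(fd);
    return rc;
}

int main(void)
{
    printf("shared mapping: reader ended with signal %d (SIGBUS is %d)\n",
           reader_fate(1), SIGBUS);
    printf("copied data:    reader ended with signal %d\n", reader_fate(0));
    return 0;
}
```
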
Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
Lennart Poettering wrote:

> On Sat, 17.04.10 16:42, Jan Braun (janbr...@gmx.de) wrote:
> > Hmm, why not? I've set up PA as you describe (except for the additional
> > auth-group parameter), and PA is creating entries in /dev/shm , even for
> > other users than "albert".
>
> The PA client libs always allocate their memory from an shm region,
> regardless whether it is later used for data transfer or not.

Yep, and I get:

| D: protocol-native.c: Protocol version: remote 16, local 16
| I: protocol-native.c: Got credentials: uid=1002 gid=1002 success=1
| D: protocol-native.c: SHM possible: yes
| D: protocol-native.c: Negotiated SHM: no

So this looks like 2392 in protocol-native.c :

| /* Only enable SHM if both sides are owned by the same
|  * user. This is a security measure because otherwise data
|  * private to the user might leak. */
|
| const pa_creds *creds;
| if (!(creds = pa_pdispatch_creds(pd)) || getuid() != creds->uid)
|     do_shm = FALSE;

...and you're explicitly disallowing cross-user shm transfer. :(
I guess I'll have to figure out the security implications of messing
with that.

regards,
Jan

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
Lennart Poettering wrote:

> On Fri, 16.04.10 21:02, Jan Braun (janbr...@gmx.de) wrote:
> > You see, currently I'm the only person with access to my desktop pc,
> > but I have several user accounts on it[1]. And I use them all.
> > Simultaneously. As in: several consoles open, often more than 1 xserver
> > running,
>
> You know, they invented window managers that support multiple
> workspaces. Fantastic stuff. You should try it once.

I'm using one of them (ratpoison, calls it "groups"). But the point of
having multiple xservers is having X running for different users.

> > xterms ssh'd to otheru...@localhost .
>
> Why would you ssh to the local machine?

Because su() doesn't play nice with programs requiring access to the
terminal, e.g. screen().

> Anyway, having one user with a split personality and hence is actually
> five users is certainly nothing I designed PA for.
>
> Sorry,

No problem, if passing around the cookie is a valid approach, then I'm
happy.

Jan

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
On Sat, 17.04.10 18:28, Tanu Kaskinen (ta...@iki.fi) wrote:

> On Sat, 2010-04-17 at 16:42 +0200, Jan Braun wrote:
> > Hmm, why not? I've set up PA as you describe (except for the additional
> > auth-group parameter), and PA is creating entries in /dev/shm , even for
> > other users than "albert".
>
> Oh, maybe shm does work? I assumed that the logic was that only
> connections from the same user could use shm, but maybe the logic is
> that shm is forcibly disabled only in the system wide mode.

We do compare the local and remote uid and refuse SHM if they don't
match. On top of that we always disable SHM for root.

Lennart

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
On Sat, 17.04.10 16:42, Jan Braun (janbr...@gmx.de) wrote:

> > My suggestion is basically the same as your option 3, without the double
> > mixing and tcp overhead (I'm not sure whether using the loopback
> > interface has much more overhead than unix domain sockets, though - you
> > still won't be able to use shared memory for audio transport).
>
> Hmm, why not? I've set up PA as you describe (except for the additional
> auth-group parameter), and PA is creating entries in /dev/shm , even for
> other users than "albert".

The PA client libs always allocate their memory from an shm region,
regardless whether it is later used for data transfer or not.

Lennart

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
On Fri, 16.04.10 21:02, Jan Braun (janbr...@gmx.de) wrote:

> Hi list,
> and sorry for bringing up this topic again, but I'm another user who
> has difficulties with PA's multi-user policy.
>
> You see, currently I'm the only person with access to my desktop pc,
> but I have several user accounts on it[1]. And I use them all.
> Simultaneously. As in: several consoles open, often more than 1 xserver
> running,

You know, they invented window managers that support multiple
workspaces. Fantastic stuff. You should try it once.

> xterms ssh'd to otheru...@localhost .

Why would you ssh to the local machine?

Anyway, having one user with a split personality and hence is actually
five users is certainly nothing I designed PA for.

Sorry,

Lennart

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
'Twas brillig, and Tanu Kaskinen at 17/04/10 16:28 did gyre and gimble:

> On Sat, 2010-04-17 at 16:42 +0200, Jan Braun wrote:
>> Hmm, why not? I've set up PA as you describe (except for the additional
>> auth-group parameter), and PA is creating entries in /dev/shm , even for
>> other users than "albert".
>
> Oh, maybe shm does work? I assumed that the logic was that only
> connections from the same user could use shm, but maybe the logic is
> that shm is forcibly disabled only in the system wide mode.

Just because the SHM space is allocated, doesn't mean it's used. I
suspect it's not actually used and the data is being copied around.
Could be wrong tho'.

--
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job: Tribalogic Limited [http://www.tribalogic.net/]
Open Source: Mandriva Linux Contributor [http://www.mandriva.com/]
             PulseAudio Hacker [http://www.pulseaudio.org/]
             Trac Hacker [http://trac.edgewall.org/]

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
On Sat, 2010-04-17 at 16:42 +0200, Jan Braun wrote:

> Hmm, why not? I've set up PA as you describe (except for the additional
> auth-group parameter), and PA is creating entries in /dev/shm , even for
> other users than "albert".

Oh, maybe shm does work? I assumed that the logic was that only
connections from the same user could use shm, but maybe the logic is
that shm is forcibly disabled only in the system wide mode.

> Yep, this is exactly what I was looking for. "not perfectly" because
> consolekit may be confused about whether albert should be considered
> logged in, I guess? Hmm, I'll see...

Pulseaudio suspends the access to the sound card when it detects that it
doesn't have access to it anymore (this feature doesn't directly use
consolekit, but consolekit is still a requirement for this to actually
work). When albert is in the audio group, it never loses access rights to
the sound card, so if albert plays something while another user logs in,
the logged in user can't use the sound card. Don't log in with any of
your alter egos simultaneously with other people, and you should be fine.

> Yes, and just what I wanted. But the behaviour of new users can be
> easily adjusted by modifying /etc/pulse/client.conf .
> So how exactly is this better than system mode? Or isn't it?
> I'm confused.

I rely on http://pulseaudio.org/wiki/WhatIsWrongWithSystemMode for
judging this:

 * Most of the security issues are not so relevant, because only you can
   access pulseaudio when you're logged in (although, the security
   concerns probably have some relevance, because if I understood
   correctly, you don't fully trust all your alter egos).
 * Module loading is allowed (it can be allowed for system wide mode too
   with configuration, though)
 * Apparently you are able to use shm.
 * In case you add other people at some point to your system, your
   personal settings stay separated.
 * Consolekit integration works to some extent.
 * Bridging to jack and rygel may also work (I'm not sure, though).

--
Tanu Kaskinen

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
Tanu Kaskinen wrote:

> On Fri, 2010-04-16 at 21:02 +0200, Jan Braun wrote:
> > *** Now is your chance to say "that's insane, and we don't support it"
>
> I can't say it's insane, otherwise I'd be admitting that I've been
> insane in the past :)

Well, you could say you've seen the error of your ways. ;)

> But we still don't support it. (Well, that depends
> on what "support" means, but since you've successfully been using the
> system mode, and you think we don't support it, I guess your definition
> of "support" means something like "the use case is important to us".)

Exactly.

> > 3) per-user-pulseaudio, one with access to the hw, other users send to
> >    that one via network/localhost. Also mixes twice, and (almost)
> >    every sound data is pushed through lo. Unless PA recognizes lo and
> >    optimizes for that case? Also needs that one user to be logged in
> >    always (that's easily done, however).[2]
>
> My suggestion is basically the same as your option 3, without the double
> mixing and tcp overhead (I'm not sure whether using the loopback
> interface has much more overhead than unix domain sockets, though - you
> still won't be able to use shared memory for audio transport).

Hmm, why not? I've set up PA as you describe (except for the additional
auth-group parameter), and PA is creating entries in /dev/shm , even for
other users than "albert".

> Let's say your always-logged-in user,
[...]
> That should be it. I didn't test any of this, so this probably doesn't
> work, at least at the first try.

It did (well, almost.. I also had to disable PA auto-exiting, otherwise
it stopped mysteriously working after a short time ;)

> Wasn't this supposed to be a single-person system?

It currently is. But I'd like to be able to allow others access in the
future. Sorry if that was unclear.

> My suggestion should
> be safer than the system wide mode, but my suggestion doesn't work
> perfectly with multiple real persons who don't all use albert's
> pulseaudio. It may work well enough, though.

Yep, this is exactly what I was looking for. "not perfectly" because
consolekit may be confused about whether albert should be considered
logged in, I guess? Hmm, I'll see...

> > So, do you think my scenario is valid?
>
> At least I don't see your scenario as an important case to support.

If it works by copying around pulse-cookie (or even better, auth-group),
that's good enough for me. I just didn't like the big warning signs on
system mode.

> Yes, this is very similar to the system wide mode. The main difference
> is that when creating new users, they by default use their own
> pulseaudio instances.

Yes, and just what I wanted. But the behaviour of new users can be
easily adjusted by modifying /etc/pulse/client.conf .
So how exactly is this better than system mode? Or isn't it?
I'm confused.

But thanks for your detailed how-to,
Jan

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
[I accidentally sent this only to Marti, you're getting it twice, sorry]

Marti Raudsepp wrote:

> Can't you just copy ~/.pulse-cookie to all users' profiles, so
> everyone can access anyone else's PA daemon? It works for me, but I'm
> just using different user accounts within one X session.

Oops, you're exactly right. Even better, the auth-group parameter does
exactly what I need: allows access to all users in the jbraun group,
without manual copying of the cookie. :)

Thanks for the quick answer!
Jan

P.S.: relevant lines for the benefit of others with the same problem:

~jani/.pulse/default.pa :
| load-module module-native-protocol-unix socket=/home/jani/.pulse-native auth-group=jbraun

.bashrc (of all my users):
| export PULSE_SERVER='unix:/home/jani/.pulse-native'

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
On Fri, 2010-04-16 at 21:02 +0200, Jan Braun wrote:

> Hi list,
> and sorry for bringing up this topic again, but I'm another user who
> has difficulties with PA's multi-user policy.
>
> You see, currently I'm the only person with access to my desktop pc,
> but I have several user accounts on it[1]. And I use them all.
> Simultaneously. As in: several consoles open, often more than 1 xserver
> running, xterms ssh'd to otheru...@localhost .
>
> *** Now is your chance to say "that's insane, and we don't support it"

I can't say it's insane, otherwise I'd be admitting that I've been
insane in the past :) But we still don't support it. (Well, that depends
on what "support" means, but since you've successfully been using the
system mode, and you think we don't support it, I guess your definition
of "support" means something like "the use case is important to us".)

> So, I want sound. For all of my accounts. Concurrently - I'm logged in
> concurrently, and e.g. email/IM notifications need to work especially
> when the email-account is not "active". And my xmms2d needs to run as
> one (arbitrary, but fixed) user too, me switching between different
> windows/consoles/xservers mustn't prevent it from playing continuously.
>
> So, how does PA fit in here?
> 1) Currently, I run it in system mode. Only system mode has grown pretty
>    scary warning signs. And you could reasonably break it altogether,
>    say "we told you so", and I'd get to keep the pieces. Not my
>    favourite prospect.
> 2) per-user-pulseaudio on top of dmix. "causes global warming", mixes
>    sound twice, also not a nice solution.
> 3) per-user-pulseaudio, one with access to the hw, other users send to
>    that one via network/localhost. Also mixes twice, and (almost)
>    every sound data is pushed through lo. Unless PA recognizes lo and
>    optimizes for that case? Also needs that one user to be logged in
>    always (that's easily done, however).[2]
> 4) Your suggestion?

My suggestion is basically the same as your option 3, without the double
mixing and tcp overhead (I'm not sure whether using the loopback
interface has much more overhead than unix domain sockets, though - you
still won't be able to use shared memory for audio transport).

Let's say your always-logged-in user, that provides the central
pulseaudio server, has username "albert". Make sure albert belongs in
the "audio" group (that should ensure that albert always has access to
the sound card). Similar to what Marti suggested, copy albert's
~/.pulse-cookie to each user's home directory. Additionally, you'll need
to change the load-module module-native-protocol-unix line
in /home/albert/.pulse/default.pa so that it uses a static location for
the socket that clients connect to. (If that file doesn't exist, copy it
from /etc/default.pa.) I think a location under albert's home directory
is the best choice (you'll of course need to chmod the location to be
accessible to all users who need to connect to albert's pulseaudio):

    load-module module-native-protocol-unix socket=/home/albert/.pulse/connect-to-me

Then put this to each user's ~/.pulse/client.conf:

    default-server = unix:/home/albert/.pulse/connect-to-me

That should be it. I didn't test any of this, so this probably doesn't
work, at least at the first try.

> I'm seriously trying to find the proper way to use PA, and would love to
> be able to add accounts for other persons and have security against them
> eavesdropping etc..

Wasn't this supposed to be a single-person system? My suggestion should
be safer than the system wide mode, but my suggestion doesn't work
perfectly with multiple real persons who don't all use albert's
pulseaudio. It may work well enough, though.

> But my impression is PA is designed for multiple seats
> per computer and for multiple persons per seat (i.e. fast user switching).
> And it's not designed for multiple accounts per person.
>
> So, do you think my scenario is valid?

At least I don't see your scenario as an important case to support.

> Plus I feel I'm recreating system mode here.. name the user with access
> to the hw "pulse" and optimize the local pa daemons away, and we're
> there.

Yes, this is very similar to the system wide mode. The main difference
is that when creating new users, they by default use their own
pulseaudio instances.

--
Tanu Kaskinen

Re: [pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
On Fri, Apr 16, 2010 at 10:02 PM, Jan Braun wrote:

> You see, currently I'm the only person with access to my desktop pc,
> but I have several user accounts on it[1]. And I use them all.
> Simultaneously. As in: several consoles open, often more than 1 xserver
> running, xterms ssh'd to otheru...@localhost .

> 4) Your suggestion?

Can't you just copy ~/.pulse-cookie to all users' profiles, so
everyone can access anyone else's PA daemon? It works for me, but I'm
just using different user accounts within one X session.

Regards,
Marti

[pulseaudio-discuss] My computer thinks I'm schizophrenic, is PA for me?
Hi list,
and sorry for bringing up this topic again, but I'm another user who
has difficulties with PA's multi-user policy.

You see, currently I'm the only person with access to my desktop pc,
but I have several user accounts on it[1]. And I use them all.
Simultaneously. As in: several consoles open, often more than 1 xserver
running, xterms ssh'd to otheru...@localhost .

*** Now is your chance to say "that's insane, and we don't support it"

So, I want sound. For all of my accounts. Concurrently - I'm logged in
concurrently, and e.g. email/IM notifications need to work especially
when the email-account is not "active". And my xmms2d needs to run as
one (arbitrary, but fixed) user too, me switching between different
windows/consoles/xservers mustn't prevent it from playing continuously.

So, how does PA fit in here?
1) Currently, I run it in system mode. Only system mode has grown pretty
   scary warning signs. And you could reasonably break it altogether,
   say "we told you so", and I'd get to keep the pieces. Not my
   favourite prospect.
2) per-user-pulseaudio on top of dmix. "causes global warming", mixes
   sound twice, also not a nice solution.
3) per-user-pulseaudio, one with access to the hw, other users send to
   that one via network/localhost. Also mixes twice, and (almost)
   every sound data is pushed through lo. Unless PA recognizes lo and
   optimizes for that case? Also needs that one user to be logged in
   always (that's easily done, however).[2]
4) Your suggestion?
5) Ok, you get another chance to say "Jan, that usage scenario is insane"

I'm seriously trying to find the proper way to use PA, and would love to
be able to add accounts for other persons and have security against them
eavesdropping etc.. But my impression is PA is designed for multiple seats
per computer and for multiple persons per seat (i.e. fast user switching).
And it's not designed for multiple accounts per person.

So, do you think my scenario is valid? Do you (plan to) support it? Do
you recommend one of the above solutions over the others?

thanks and regards,
Jan

[1] One for email, IM etc. One for hobby programming/sysadmin stuff. One
    for work. One for games.
[2] Plus I feel I'm recreating system mode here.. name the user with access
    to the hw "pulse" and optimize the local pa daemons away, and we're
    there.