Creating a jackuser group

[Davide Bolcioni]

On Monday 19 February 2007 22:47:25 Anthony Green wrote:
> On Mon, 2007-02-19 at 19:01 +0100, Davide Bolcioni wrote:
> >  I think this is not necessary
> > provided we have:
> >
> >   /usr/bin/qjackctl -> consolehelper
> >   /usr/sbin/qjackctl
> >   /etc/pam.d/qjackctl
> >
> > so that when a normal user invokes qjackctl, consolehelper kicks in and
> > authenticates against PAM (this step could be skipped if qjackctl, by
> > himself, explicitly used PAM for authentication). Then we would have
> > something (warning: UNTESTED) along the lines of
> >
> > %PAM-1.0
> > auth       sufficient   pam_rootok.so
> > auth       required     pam_console.so
> > account    required     pam_permit.so
> > session required pam_limits.so conf=/etc/security/qjackctl.conf
> >
> > in /etc/pam.d/qjackctl.
>
> I tried this (but with jackd instead of qjackctl).  It works as
> advertised after I created an empty
> file /etc/security/console.apps/jackd.
>
> Pardon my ignorance, but one thing I noticed is that it actually runs
> jackd as root, which means that the user can't terminate it with Ctrl-C.
> Is this expected and is there a solution?

I believe consolehelper(8) is intended to do exactly that, see userhelper(8) 
which is the workhorse invoked by consolehelper(8).

It might be that setting
USER="<user>"
in /etc/security/console.apps/jackd as documented in userhelper(8) would 
launch it as the console user; I do not know if this would cause the attempt 
to set memlock and rtprio to fail because of insufficient privileges, 
however.

If jackd, as the name seems to suggest, is a daemon (listens for commands), 
this approach might be insecure, or at least way outside the original design 
framework of consolehelper(8), and should probably be reviewed by someone 
more knowledgeable in such matters.

Davide Bolcioni
-- 
There is no place like /home.