Luca Berra <[EMAIL PROTECTED]> wrote:
> On Sat, Sep 06, 2003 at 01:54:47PM +0159, Han Boetes wrote:
> > > device ) , what do you think to setgid "video" tvtime like cdrecord ?
> > > like this : root.video rws r-s r-x ?
> >
> > That's too much. You don't give an app root permissions when it
> > needs real time priority, you give it real time priority. IE make a
> > wrapper.
>
> you mean a wrapper that gives the app CAP_SYS_NICE, or one that sets
> realtime and execs tvtime.
> might as well have tvtime doing
>   nice();
>   setresgid();
>   setresuid();
> at the very beginning, if it doesn't already.
>
> in the first case we might consider using capsel, a kernel module that
> sets capabilities on processes based on a configuration file thus
> avoiding the need to write a wrapper for many apps.

Yes I realize this has to be done in C, I think this might actually
benefit other apps like cdrecord as well. But I don't want to exclude
the possibility there are even better solutions.

I just get paranoid as soon as suid is being suggested/used. I'd rather
think twice before giving it. A wrapper like that would have made the
recent cdrecord-update less necessary I think.

# Han
-- 
http://www.xs4all.nl/~hanb/software
http://www.xs4all.nl/~hanb/documents/quotingguide.html
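
The second wrapper option discussed above (set realtime, drop privileges with setresgid()/setresuid(), exec tvtime), as an added example that is not code from this thread or from the tvtime project. It is written to be the only setuid-root binary involved; the install path /usr/bin/tvtime, the SCHED_FIFO policy and the tvtime-rt name are assumptions.

```c
#define _GNU_SOURCE             /* setresuid()/setresgid() are GNU extensions */
#include <sched.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Redundant prototypes: harmless, and they keep the file compiling if
 * <unistd.h> was already included before _GNU_SOURCE was defined. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

#define TARGET "/usr/bin/tvtime"   /* assumed path; never taken from argv */

/* Ask for the lowest SCHED_FIFO priority. Returns 0 on success, -1 otherwise. */
int request_realtime(void)
{
    struct sched_param sp;
    sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
    return sched_setscheduler(0, SCHED_FIFO, &sp);
}

/* Permanently return to the invoking user's IDs: group first (changing the
 * gid needs the privilege that the uid change gives up), then user. Real,
 * effective and saved IDs are all set so root cannot be regained. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (geteuid() != uid || getegid() != gid) return -1;  /* verify the result */
    if (uid != 0 && setuid(0) == 0) return -1;   /* root came back: refuse */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 1) return 1;                      /* refuse an empty argv */
    if (request_realtime() != 0)
        perror("tvtime-rt: no realtime scheduling, continuing");
    if (drop_privileges() != 0) {
        fputs("tvtime-rt: could not drop privileges, aborting\n", stderr);
        return 1;
    }
    execv(TARGET, argv);          /* scheduling policy survives the exec */
    perror("tvtime-rt: execv");
    return 127;
}
```

The privileged window is the single sched_setscheduler() call; everything tvtime itself executes runs with the invoking user's IDs.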
