But if pam_console makes the locally logged-in user own /dev/rtc and be the only one able to read and write from it, doesn't your concern become moot?

Juan Quintela wrote:
>>>>>> "guillaume" == Guillaume Rousse <[EMAIL PROTECTED]> writes:
>
> guillaume> Thus spoke Juan Quintela:
>>> >>>>> "olivier" == Olivier Blin <[EMAIL PROTECTED]> writes:
>>> >>
>>> >> # RTC resolution
>>> >> dev.rtc.max-user-freq = 1024
>>> >>
>>> >> Could this setting be added in default sysctl.conf ?
>>> >
>>> > olivier> Thanks, but shouldn't this be the default in default security level ?
> olivier> RTC works fine, but sysctl.conf needs to be tweaked.
> olivier> IMHO, the user shouldn't have to do that.
>>>
>>> Problem is that in a multiuser system, if you allow the value 1024,
>>> you can create a DOS if several users use that.
> guillaume> I guess most multimedia applications are only usable by local user, not a
> guillaume> remote one, which means only one at a time. This should reduce DOS risks, no?
>
> No. Any user can do a very small script/c program and use the whole
> number of timers. Machine is on its knees :(
>
> guillaume> What about adding this setting only through mplayer, tvtime
> guillaume> and other packages requiring it %post/%postun facilities ?
>
> Really it is too aggressive to set it _unconditionally_.
>
>>> Default value of 64 should be enough except for single-user machines
>>> running an _almost_ real time application. And yes, for today's
>>> machines, mplayer is still real-time like application.
> guillaume> Not sure to understand what you mean there.
>
> That the value only makes sense for single user machines, or for
> machines when you trust all the users will not do something
> dumb/trying to crash your server.
>
> Only way to handle it automagically is having an option in the
> installer/MCC telling something like:
>
> - this is a mono-user system/I trust all the users
>
> Only other easy thing that I can think is teaching msec to set it at
> the most "unsecure" level. And I am not sure that people will be
> using that level at all :(
>
> Later, Juan.
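
An audit sketch for the trade-off discussed in this thread, added here as an example and not taken from any of the posters: it reads the effective `dev.rtc.max-user-freq` from a sysctl.conf-style file and classifies exposure from the mode of `/dev/rtc`. The function names, the verdict labels and the sample file are constructed for illustration; treating an owner-only device node as the limiting factor is an assumption that follows the pam_console argument in the reply.

```shell
#!/bin/sh
DEFAULT_FREQ=64   # default value named in the thread

# Constructed sample sysctl.conf content (not from a real system).
sample_conf() {
    cat <<'EOF'
# kernel.sysrq = 0
#dev.rtc.max-user-freq = 4096
net.ipv4.ip_forward = 0
# RTC resolution
dev.rtc.max-user-freq = 1024
EOF
}

# Print the effective dev.rtc.max-user-freq from a sysctl.conf-style file:
# comment lines are ignored, the last assignment wins, and the default is
# printed when the key is absent.
rtc_freq_from_conf() {
    awk -F= -v def="$DEFAULT_FREQ" '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "dev.rtc.max-user-freq" { val = $2; gsub(/[ \t]/, "", val); found = val }
        END { print (found != "" ? found : def) }
    ' "$1"
}

# Classify exposure from the frequency cap and the octal mode of /dev/rtc.
#   default    - cap not raised above the default
#   owner-only - cap raised, but only the device owner can open /dev/rtc
#   shared     - cap raised and group or other can open /dev/rtc
rtc_exposure() {
    freq=$1
    mode=$2
    if [ "$freq" -le "$DEFAULT_FREQ" ]; then
        echo default
    elif [ "$(( 0$mode & 077 ))" -eq 0 ]; then
        echo owner-only
    else
        echo shared
    fi
}

# Check the running system (assumes GNU stat; -L follows a /dev/rtc symlink).
# Defined for interactive use and not called automatically.
rtc_audit_live() {
    rtc_exposure "$(sysctl -n dev.rtc.max-user-freq)" "$(stat -L -c %a /dev/rtc)"
}
```

A `shared` verdict corresponds to the multiuser case Juan describes; `owner-only` corresponds to the pam_console arrangement raised in the reply.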
