[systemd-devel] Automatic user ACL management

Lennart Poettering lennart at poettering.net
Mon May 18 08:40:39 PDT 2015


On Sun, 17.05.15 14:20, Mikhail Morfikov (mmorfikov at gmail.com) wrote:

> allow-module-loading = no
> allow-exit = no
> system-instance = yes
> enable-shm = no
> exit-idle-time = -20
> 
> then I started pulseaudio in the system mode and I was able to play
> sound all the time. But there's another question -- is there any
> difference between pulseaudio in system mode and pulseaudio in user
> mode + adding specific users to the "audio" group? I mean in the link I
> had given in the previous post, you can read something like this: "By
> the way, you don't want users permanently added to groups like audio or
> video. Such user would be able to ssh into the machine while you are
> using it and spy on you using webcam, microphone etc. Access to such
> critical peripherals should only be granted for active user." Does this
> concern pulseaudio in the system mode with users added to the
> pulse-access group?

pulseaudio does not implement a user identity framework, it will not
track which user is on which seat. Hence you should not use system
mode, since it gives everybody with access to it complete access to
everything it manages, without any further restrictions.

PA system mode is for devices that have no sessions, and not for
multi-user PCs, even if some people misuse it for that.

Lennart

-- 
Lennart Poettering, Red Hat
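
An audit sketch for the two conditions discussed in this thread, added here as an example and not part of the original messages or of PulseAudio or systemd code: it lists users statically placed in device-granting groups and checks whether a daemon.conf enables system mode. The group names and the `system-instance` key come from the thread; the `pulse` service-account exclusion, the sample file contents and all function names are assumptions.

```python
# Added example. Sample inputs are constructed, not taken from a real host.
SENSITIVE_GROUPS = {"audio", "video", "pulse-access"}
TRUE_VALUES = {"yes", "true", "1", "on"}

SAMPLE_GROUP = """\
root:x:0:
audio:x:29:pulse,alice
video:x:44:alice,bob
pulse-access:x:121:bob
users:x:100:alice,bob,carol
"""

SAMPLE_DAEMON_CONF = """\
; constructed daemon.conf fragment using the keys quoted in the thread
allow-module-loading = no
allow-exit = no
system-instance = yes
enable-shm = no
"""

def static_device_members(group_text, service_accounts=("pulse",)):
    """Map each sensitive group to login users listed as permanent members.

    Only supplementary members in group(5) format are seen; a user whose
    primary GID is one of these groups (set in passwd) is not covered.
    """
    findings = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or fields[0] not in SENSITIVE_GROUPS:
            continue
        # Assumption: "pulse" is the daemon's own account, not a login user.
        members = [m for m in fields[3].split(",") if m and m not in service_accounts]
        if members:
            findings[fields[0]] = sorted(members)
    return findings

def system_mode_enabled(conf_text):
    """Return True if the last uncommented system-instance setting is true."""
    enabled = False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "system-instance":
            enabled = value.lower() in TRUE_VALUES
    return enabled

def audit(group_text, conf_text):
    return {"static_members": static_device_members(group_text),
            "system_mode": system_mode_enabled(conf_text)}

if __name__ == "__main__":
    print(audit(SAMPLE_GROUP, SAMPLE_DAEMON_CONF))
```

On a real host the two strings would be read from the group database and the PulseAudio daemon configuration file instead of the embedded samples.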

