Audio/microphone security, group level restriction

E

eldaemon

I just realized that the mixer can be adjusted by any user and any user can listen to the microphone on my system. Even a sandbox user, unless chrooted or jailed, could spy on me.

Is there a way to adjust /dev/dsp permissions so access requires an audio group? Would I use /etc/devfs.conf for that? I haven't used devfs before.

Just surprised I haven't found any kind of a writeup on this yet. I'm not sure if it's the best default behavior from a security standpoint.

Thank you!
 
I never tried it. You could try in devs.conf
own /dev/dspX root:audio
perm /dev/dspX 0660

Or in devs.rules
add path 'dspX' mode 0660 group audio
 
Thank you!

I love FreeBSD. That was so simple. First time tinkering with devfs.

I decided to allow everyone to play audio but only a microphone group to listen. Ideally, would have a sound group and a sound+microphone group but not immediately certain how I would do that. I also have mixer access restricted to root and wheel.

I used devfs.rules since audio devices will come and go for me.

Create microphone group:
pw group add microphone

/etc/devfs.rules

Code: 
[localrules=10]
add path 'dsp*' mode 0662 group microphone
add path 'mixer*' mode 0660

/etc/rc.conf
Code: 
devfs_system_ruleset="localrules"

service restart devfs
 
You must log in or register to reply here.
Back
Top