Remove nogroups from audio player profiles #2096

Closed
wants to merge 1 commit into from

manevich
Contributor

nogroups breaks ALSA since many distros set 660 mode and root:audio as owner:group on /dev/snd/* ALSA files.

@chiraag-nataraj
Collaborator

As I commented in #2042, I don't think this should be default, since nogroups provides a decent amount of security. We should probably document this somewhere (maybe once we get #2090 rolling?), but I don't think this is appropriate to do by default.

@manevich
Contributor Author

But with nogroups, audio/video player profiles are just broken. No sound for an audio/video player means broken.
Is there some better way to fix it?
As far as I know most, if not all, major distros use permissions like I described on /dev/snd/* files.

@SkewedZeppelin
Collaborator

SkewedZeppelin commented Aug 24, 2018

> Is there some better way to fix it?

```
echo "ignore nogroups" > /etc/firejail/globals.local
```
or
```
echo "ignore nogroups" | sudo tee /etc/firejail/globals.local
```

@Vincent43
Collaborator

> As far as I know most, if not all, major distros use permissions like I described on /dev/snd/* files.

Also all major distros use pulseaudio as default and this issue is irrelevant for them 😄

@manevich
Contributor Author

@SkewedZeppelin
I already fixed it for me like this: `echo "ignore nogroups" > /etc/firejail/audacious.local`, that's not the problem.
Problem is that profiles shipped with firejail are still broken.
@chiraag-nataraj
Are you sure audio/video players should be prevented from accessing ALSA device files by default?
Also many current profiles (like vlc) don't have nogroups set.

@SkewedZeppelin
Collaborator

nogroups was disabled in vlc in 4a1d906
that was almost 2 years ago, we should enable it again after 0.9.56

@chiraag-nataraj
Collaborator

> Problem is that profiles shipped with firejail are still broken.

You're being disingenuous though. As @Vincent43 pointed out, all major distros ship with PulseAudio by default, and nogroups doesn't affect PulseAudio systems. So no, they're not broken on major distros by default.

> Are you sure audio/video players should be prevented from accessing ALSA device files by default?

No. But nogroups doesn't just enable access to ALSA device files (again, as I pointed out in that issue). The real long-term solution here is to develop a --groups/groups set of options which lets the user specify which groups should be included.

And yeah, as @SkewedZeppelin said, we should really enable nogroups for VLC.

@manevich
Contributor Author

OK, closed.

@manevich manevich closed this Aug 24, 2018
@D-Nice

D-Nice commented Dec 11, 2018

Don't mean to bring this back from the dead, but what is the opinion on removing nogroups from browser profiles like chromium, which run into similar issues? Or should that be a user-based exception due to potential risks? And a better alternative be being able to specify groups eventually.

@Vincent43
Collaborator

I think it should be user-based exception, similarly. Of course the best solution would be to stop relying on legacy group ownership for audio access 😄.
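
The permission setup from the opening comment (mode 660, root:audio on /dev/snd/*), as an added example that is not part of the thread or of firejail: a shell check for whether a user's access to the device nodes depends on a supplementary group, which is what nogroups removes. The function names are hypothetical; it assumes GNU stat and classic owner/group/other permissions, ignoring ACLs.

```shell
#!/bin/sh
# Added example, not firejail code. Models classic owner/group/other checks
# only; POSIX ACLs on the device nodes are not considered.

# Print the permission class that grants read+write: owner, group, other, none.
# Args: octal mode, file owner, file group, user, space-separated user groups.
access_class() {
    mode=$1; owner=$2; group=$3; user=$4; ugroups=$5
    if [ "${#mode}" -eq 4 ]; then mode=${mode#?}; fi      # drop setuid/sticky digit
    while [ "${#mode}" -lt 3 ]; do mode=0$mode; done      # stat prints 060 as "60"
    rest=${mode#?}
    if [ "$user" = "$owner" ]; then
        class=owner; bits=${mode%??}
    else
        case " $ugroups " in
            *" $group "*) class=group; bits=${rest%?} ;;
            *)            class=other; bits=${rest#?} ;;
        esac
    fi
    if [ $(( $bits & 6 )) -eq 6 ]; then echo "$class"; else echo none; fi
}

# Exit 0 when access works with all of the user's groups but is lost once only
# the primary group is left (nogroups disables supplementary groups).
# Args: mode, owner, group, user, primary group, all groups of the user.
nogroups_breaks() {
    before=$(access_class "$1" "$2" "$3" "$4" "$6")
    after=$(access_class "$1" "$2" "$3" "$4" "$5")
    [ "$before" != none ] && [ "$after" = none ]
}

# Report nodes under a directory (default /dev/snd) that the current user
# would lose in a nogroups sandbox. Assumes GNU stat.
scan_snd() {
    for f in "${1:-/dev/snd}"/*; do
        [ -e "$f" ] || continue
        stat -c '%a %U %G' "$f" | {
            read -r m o g
            if nogroups_breaks "$m" "$o" "$g" "$(id -un)" "$(id -gn)" "$(id -Gn)"; then
                echo "$f: access depends on supplementary group $g"
            fi
        }
    done
    return 0
}

scan_snd "$@"
```

No output means none of the nodes is reachable only through a supplementary group for the current user, so nogroups would not change access under this model.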
