TITLE: dsp+devfsd LFS VERSION: all AUTHOR: Joris Vankerschaver SYNOPSIS: When using a regular /dev directory, all one needs to do to allow non root users access to sound is to set permissions on the audio devices. Devfsd, however, creates devices on the fly and so we need a way of telling devfsd when and how to create these devices. This hint describes how to set up devfsd to automatically 1) set permissions on /dev/dsp appropriately to allow non root users access to /dev/dsp. 2) load the relevant modules (if any) when an application tries to open /dev/dsp. This hint does not cover setting up esd or any other sound daemon. It might, though, if someone wants to write an update :) You need: devfsd and a kernel compiled with sound support (either module or compiled in). THANKS TO: Robert Bracewell, for pointing out an inaccuracy in step 1. HINT: 1) Add a group 'audio' and a user 'audio': groupadd audio useradd -g audio audio 2) Add every user that requires audio access to the audio group. Open /etc/group and just add the login names (separated by commas) to the line that starts with 'audio' 3) Load /etc/devfsd.conf in your favourite editor and append the following line: REGISTER sound/.* PERMISSIONS audio.audio rw-rw---- When using the default namespace, devfs keeps all the audio related files under /dev/sound. The above command will cause devfsd to change the permissions on /dev/sound/* from root.root and rw------- to audio.audio, rw-rw----. To maintain compatibility, devfs creates a symlink from /dev/dsp to /dev/sound/dsp (That is, if you haven't messed with the options in /etc/devfsd.conf. But then you don't need this hint :)). This line instructs devfsd to change the permissions on every file in the /dev/sound/ directory, every time a driver registers these devices (that is, every time the sound module or the kernel is loaded). Note: the line says 'sound/.*' and NOT '/dev/sound/.*'! Devfs will not issue a warning if you make a mistake there and you will spend many hours hunting bugs (that aren't). 4) If you have compiled sound support into the kernel, you're done. Just send a SIGHUP signal to devfsd (killall -HUP devfsd) and you are ready to play. If you're like me and you have compiled sound support as a module, the trouble begins. Apparently, the lookup of /dev/dsp isn't enough to trigger the module autoloader. So you need to have the relevant modules already in place to have devfsd automatically create all the necessary devices and links. First of all, you need to know what your soundcard module is called. If you don't know, go check in /lib/modules/2.4.[minor]/kernel/drivers/sound. In my case, this module is called 'sb.o'. It's very important that you pick the actual module itself, and not some support module. If you're not sure, modprobe 'em all and then inspect the output of lsmod to check for a sound module that doesn't depend on the others. 5) Create a shell script with approximately the following contents: --BEGIN-- #!/bin/sh sound_mod=[YOUR MOD NAME HERE] pres=`lsmod | grep "^$sound_mod\ " | tr -d '[:space:]'` if [ -z $pres ]; then modprobe $sound_mod fi --END-- I called this script 'safe_sb_load' and put it in /usr/sbin. Of course, you might think of something better. Don't forget to make this script executable (chmod +x /usr/sbin/safe_sb_load) Note: the name of the module is the name as listed by lsmod. So in my case, it's 'sb', and NOT 'sb.o', NOT '/lib/modules/.../sb.o', etc. This is also very important. 6) Add the following line to /etc/devfsd.conf: LOOKUP dsp EXECUTE safe_sb_load This, of course, assumes that safe_sb_load is in a default path. As a matter of fact, step 5 is somewhat redundant, since we might have put in 'EXECUTE modprobe sb' instead of redirecting it to safe_sb_load. With a script however, you can do some error checking (as we do in step 5), or add other commands (logging, loading of other programs). Do as you wish. 7) Restart devfsd. If all goes well, you will now have sound without suid-root scripts and without unsafe permissions in your /dev directory. Finally) You can improve upon this scenary in many ways. For example, you might want to create two groups in step one, one with read/write access and one with read access only. Happy tweaking!