Saturday, January 11, 2014

PulseAudio: allow any user to access the sound card

To run PulseAudio in system-wide mode, start it as root and pass the --system argument to it. It will then drop privileges and change to the pulse UNIX user and group. The directory /var/run/pulse/ is used as the home directory. In this mode the module module-native-protocol-unix will automatically allow access to all members of the group pulse-access. All user/group names and paths can be changed by passing compile-time arguments to configure. The system user pulse and the groups pulse and pulse-access need to be created manually. On Debian this works like this:

addgroup --system pulse
adduser --system --ingroup pulse --home /var/run/pulse pulse
addgroup --system pulse-access

# Some distributions restrict access to the sound devices to a group audio
adduser pulse audio

# Add a user to the pulse-access group
adduser lennart pulse-access

The runtime directory /var/run/pulse is created automatically on daemon startup. This directory contains the .esd_auth file, which is the authentication cookie for esound. If you want to use esound without disabling authentication, create a symlink from this file in your home directory:

ln -sf /var/run/pulse/.esd_auth ~/.esd_auth

If system-wide mode is enabled, it is advisable to disable module loading at runtime by passing --disallow-module-loading to the daemon, to prevent users from loading arbitrary modules with potentially vulnerable code into the daemon. However, this might break some modules like module-hal-detect, which will load a sound driver module each time HAL signals that a new sound card became available in the system.
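
An audit sketch for the setup described above, added here as an example and not part of the original post or of PulseAudio: it lists who is in pulse-access and classifies a daemon command line that runs --system without --disallow-module-loading. The function names, the sample group data and the user kiosk are constructed for illustration, and only the false spellings listed in the code are treated as switching a flag off.

```shell
#!/bin/sh
# Added example: audit a system-wide PulseAudio setup (hypothetical helper names).

# is_on FLAG ARGS...: succeed if FLAG is present and not explicitly set to false.
is_on() {
    flag=$1; shift
    for arg in "$@"; do
        case $arg in
            "$flag") return 0 ;;
            "$flag"=0|"$flag"=no|"$flag"=false|"$flag"=off) return 1 ;;
            "$flag"=*) return 0 ;;
        esac
    done
    return 1
}

# check_daemon_args ARGS...: classify a pulseaudio command line.
# Prints one of: not-system, hardened, module-loading-allowed
check_daemon_args() {
    if ! is_on --system "$@"; then
        echo not-system
    elif is_on --disallow-module-loading "$@"; then
        echo hardened
    else
        echo module-loading-allowed
    fi
}

# access_members: read group(5)-format lines on stdin and print the members of
# pulse-access, one per line. Every name printed can talk to the daemon.
access_members() {
    awk -F: '$1 == "pulse-access" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Constructed sample data; on a live system pipe `getent group` instead.
SAMPLE_GROUP='audio:x:29:pulse
pulse:x:110:
pulse-access:x:111:lennart,kiosk'

printf '%s\n' "$SAMPLE_GROUP" | access_members
check_daemon_args /usr/bin/pulseaudio --system --daemonize
```
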
