# Audio/microphone security, group level restriction



## eldaemon (Apr 29, 2020)

I just realized that the mixer can be adjusted by any user and any user can listen to the microphone on my system. Even a sandbox user, unless chrooted or jailed, could spy on me.

Is there a way to adjust /dev/dsp permissions so access requires an audio group? Would I use /etc/devfs.conf for that? I haven't used devfs before.

Just surprised I haven't found any kind of a writeup on this yet. I'm not sure if it's the best default behavior from a security standpoint.

Thank you!


----------



## Alain De Vos (Apr 29, 2020)

I never tried it. You could try in devfs.conf

```
own       /dev/dspX      root:audio
perm      /dev/dspX     0660
```

Or in devfs.rules

```
add path 'dspX' mode 0660 group audio
```


----------



## eldaemon (Apr 30, 2020)

Thank you!

I love FreeBSD. That was so simple. First time tinkering with devfs.

I decided to allow everyone to play audio but only a microphone group to listen. Ideally, I would have a sound group and a sound+microphone group, but I'm not immediately certain how I would do that. I also have mixer access restricted to root and wheel.

I used devfs.rules since audio devices will come and go for me.

Create microphone group:
`pw group add microphone`

/etc/devfs.rules


```
[localrules=10]
add path 'dsp*' mode 0662 group microphone
add path 'mixer*' mode 0660
```

/etc/rc.conf

```
devfs_system_ruleset="localrules"
```

`service devfs restart`


----------
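A check that the ruleset above actually took effect, as an added example that is not part of any post in the thread: it flags `dsp*` nodes that "other" can read (recording open to everyone) and `mixer*` nodes that "other" can read or write. The function names and the directory argument (default `/dev`) are assumptions made for this sketch.

```shell
#!/bin/sh
# Audit sound device nodes against the policy from the thread's devfs.rules:
#   dsp*   mode 0662 -> "other" may write (play) but must not read (record)
#   mixer* mode 0660 -> "other" gets no access at all
# The directory argument is an assumption of this example; it defaults to /dev
# and exists so the check can also be tried on a scratch directory.

# List dsp* nodes that carry the other-read bit.
find_readable_dsp() {
    find "${1:-/dev}" -name 'dsp*' ! -type d ! -type l -perm -0004 2>/dev/null | sort
}

# List mixer* nodes that carry the other-read or other-write bit.
find_open_mixer() {
    find "${1:-/dev}" -name 'mixer*' ! -type d ! -type l \
        \( -perm -0004 -o -perm -0002 \) 2>/dev/null | sort
}

# Print one line per violation; return 0 if the policy holds, 1 otherwise.
# Device node names contain no whitespace, so word splitting is safe here.
audit_sound_nodes() {
    dir="${1:-/dev}"
    status=0
    for node in $(find_readable_dsp "$dir"); do
        echo "FAIL $node: readable by other (any user can record)"
        status=1
    done
    for node in $(find_open_mixer "$dir"); do
        echo "FAIL $node: accessible by other (any user can change the mixer)"
        status=1
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: no dsp*/mixer* node under $dir is open to other"
    fi
    return "$status"
}
```

Source the file and run `audit_sound_nodes /dev` after restarting devfs, and again after plugging in a new audio device, since devfs.rules is what applies the modes to nodes that appear later.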

