What Jack O'Quin is suggesting is security through wishful thinking.
Either you trust your users to responsibly use real-time scheduling
or you don't. If you do, the supplementary groups approach is
exactly right. If you don't, then you must restrict the capability
using secure, verifiable means.
No approach that involves making well over a million lines of
library code setgid (your app, the toolkit, font handling, Xlib, theme
engines, input methods, etc, etc.) is ever going to meet those
Many of the developments in Linux security recently - whether it
be SELinux, exec-shield, or whatever are about providing mechanisms
that reduce the amount of code that could conceivably cause problems.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds