This Time Self-Hosted
dark mode light mode Search

Problems running timidity++ with PulseAudio

Almost any modern soundcard seems not to provide any MIDI playback support, at least not through an hardware synthesizer, with the exclusion of a few Creative Labs cards like the ones based on Emu10k1.

For any other card, the Gentoo ALSA guide suggests to use timidity++, a software synthesizer that takes care of playing the MIDI for you. I took care of it for a while before, I wrote the eselect timidity module exactly one year ago, to allow choosing the patchset to be used.

Today I was looking for cleaning up old versions and seen there was still a bug open that needed to be addressed. While preparing to test a solution, I found one big flaw in the way we let users use timidity at the moment. A flaw that should be addressed as soon as possible.

So, I noticed the flaw by the fact that timidity failed to work with PulseAudio started. Sure enough, it tries to use the default ALSA device, which is the pulse plugin to send audio to PulseAudio. And root is not allowed to use pulseaudio, as it’s not in the pulse-access group.

Let’s take half a step back. root? Yes. We’re leaving users to send MIDI data to a software that runs as root. Do you see the implication? If there was an exploitable vulnerability in timidity, it could allow to compromise the root user.

So here is the problem: we’re not running with the minimal privileges possible, we’re running timidity as root. And this is not good at all. My TODO list now has on its top having timidity work without starting as root. Defining a timidity user to run with, user that you can easily add to pulse-access group to use PulseAudio, user that is not a big deal to compromise at that point.

So expect a new timidity++ revision in tree before night, with some improvements for the ALSA software synthesizer!

Comments 3
  1. Do most users really need to run the timidity as a daemon though? If all you want to do is play a few MIDIs, it can just be run as-needed. For anything more serious, the daemon could be useful but I know I’d prefer to use a hardware solution. Still, if it’s possible to improve timitidy anyway, go for it. (-:

  2. actually wheb you started to write about pulseaudio months ago i took it for a spin.pulseaudio was (is?) holding an exclusive lock on the audio card, and anything not supporting it was unable to make any sound. so using it was a bit impractical for me and i ditched it.that timidity thing kind of reminded me of that.

  3. Of course PulseAudio takes exclusive access to the soundcard. That’s why the suggested configuration tells you to set the default PCM device for ALSA to be the pulse plugin, this way you have seamless PulseAudio integration in ALSA applications.And while MIDI background music is not really used seriously anymore, anyone wanting MIDI support through ALSA should use TiMidity++ as a daemon.I agree, though, that most of the common setups will NOT have MIDI support at all, included midi USE flag disabled. And those wanting serious MIDI support would probably be using fluidsynth if not HW-capable MIDI.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.