The short version
As a practical rule of thumb for Debian and Ubuntu systems, there should be no users in the audio group.
Being in the audio group is the same as having selected "use audio devices" under "User administration" -> "Advanced" -> "Privileges". In other words, this checkbox should not be checked.
Otherwise, switching to another user may leave the new user without access to sound devices.
- When you want a user to be able to access a sound card even if he is not logged in.
- When you're running a system-wide daemon that is never logged in but still needs sound card access
When you're running an old, now unsupported version of Ubuntu which does not have proper ConsoleKit integration (TODO: Look up and specify which versions of Ubuntu that is.)
- If you're running Jackd and need realtime privileges (see below)
Open a terminal and run this command:
fgrep -ie 'audio' /etc/group
This command should not lists any normal user, in fact, everything except "pulse" (which is reserved for system-wide usage of PulseAudio, and is normally not used) is a cause for concern.
If you decide you want the user to be in the Audio group, you should know that this user can access the sound card even if he is not logged in. And at the lowest level, only one user/application can grab access to the sound card at the same time.
So assume, for example, that user A is in the audio group is logged in, and is playing music. User B wants the computer temporarily, so they switch users (via fast-user-switching, without user A logging out). Since A can still use the sound card, A's music will continue to play and user B can't access the sound card (regardless of whether B is in the audio group or not).
Or assume that B is sitting in front of the computer, not using the sound card at the moment. A, who is in the audio group, logs in remotely, and can now grab access to the sound card. Should A decide to do so, this means that B suddenly cannot play audio anymore while A is using it. A can also record from the sound cards inputs, so if the machine e g has a built-in microphone, A could in a sense "spy" on B.
Jack and real-time privileges
In recent versions of Ubuntu, when installing the Jack daemon, it optionally installs a file giving every user in the audio group real-time privileges, and possibilities to prevent program memory from being swapped. This can be necessary for running low-latency audio without drop-outs. The risk involved here is that if a malicious or badly written program makes use of these privileges, it can cause the entire system to lock up, or at least become very sluggish.
The ConsoleKit daemon automatically switches access to the audio device according to the currently logged in user. It does so by setting access rights to the sound device nodes (i e everything under /dev/snd/* ). You can verify that by downloading the acl package, then running the "getfacl /dev/snd/* " terminal command, it should list the current logged in user as having read and write access.