Contributed by tj on 2015-12-20 from the sounds-good-to-me dept.

Desktop users can feel just a bit safer now, as Alexandre Ratchov (ratchov@) has introduced some initial privilege separation to sndiod(1)

CVSROOT: /cvs Module name: src Changes by: ratchov@cvs.openbsd.org 2015/12/20 04:38:33 Modified files: usr.bin/sndiod : Makefile listen.c miofile.c siofile.c sndiod.c Added files: usr.bin/sndiod : fdpass.c fdpass.h Log message: In case of a bug in sndiod, an attacker (a local user) could run arbitrary code as user _sndio, i.e. get a second uid. Mitigate the risk by implementing initial privilege separation as follows. Break sndiod in two processes: a chroot()ed "worker" process processing input, and a non-chroot()ed "helper" process opening devices and passing descriptors to the worker. With help from benno, claudio, semarie and gilles. ok benno, semarie and tb

That's one more daemon down!