CVSROOT: /cvs
Module name: src
Changes by: ratc...@cvs.openbsd.org 2015/12/20 04:38:33

Modified files:
    usr.bin/sndiod : Makefile listen.c miofile.c siofile.c sndiod.c
Added files:
    usr.bin/sndiod : fdpass.c fdpass.h

Log message:
In case of a bug in sndiod, an attacker (a local user) could run arbitrary code as user _sndio, i.e. get a second uid. Mitigate the risk by implementing initial privilege separation as follows. Break sndiod in two processes: a chroot()ed "worker" process processing input, and a non-chroot()ed "helper" process opening devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb
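
The helper/worker descriptor passing described in the log message, as an added example (this is not sndiod's fdpass.c, and the function names are hypothetical): the helper opens a path and sends the descriptor over a socketpair as SCM_RIGHTS, and a forked worker that never calls open() validates the control message and reads through the received descriptor. The chroot() and privilege drop are left as a comment because they need root.

```c
#include <sys/socket.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <unistd.h>

union ctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };
/* Helper side: pass one open descriptor as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd) {
    char b = 0;
    union ctl c = { .buf = { 0 } };
    struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = c.buf, .msg_controllen = sizeof(c.buf) };
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    h->cmsg_level = SOL_SOCKET;
    h->cmsg_type = SCM_RIGHTS;
    h->cmsg_len = CMSG_LEN(sizeof(int));
    *(int *)CMSG_DATA(h) = fd;
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

/* Worker side: accept exactly one descriptor, reject anything malformed. */
static int recv_fd(int sock) {
    char b;
    union ctl c;
    struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = c.buf, .msg_controllen = sizeof(c.buf) };
    if (recvmsg(sock, &m, 0) != 1 || (m.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    if (!h || h->cmsg_level != SOL_SOCKET || h->cmsg_type != SCM_RIGHTS ||
        h->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    return *(int *)CMSG_DATA(h);
}

int worker_read_via_helper(const char *path) { /* 0 = worker read 4 bytes */
    int sp[2], st = 0, fd;
    char buf[4];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == -1) return -1;
    pid_t pid = fork();
    if (pid == 0) { /* worker: a real one would chroot() and drop privileges here */
        close(sp[0]);
        fd = recv_fd(sp[1]);
        _exit(fd >= 0 && read(fd, buf, sizeof(buf)) == 4 ? 0 : 1);
    }
    close(sp[1]); /* helper: the only side that touches the filesystem */
    if (pid > 0 && (fd = open(path, O_RDONLY)) >= 0) { send_fd(sp[0], fd); close(fd); }
    close(sp[0]);
    return pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st) && !WEXITSTATUS(st) ? 0 : -1;
}
```

If the helper cannot open the path it closes its end without sending, so the worker sees end-of-file in recv_fd() and exits with a failure status instead of blocking.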