In case of a bug in sndiod, an attacker (a local user) could run - wireguard-openbsd - WireGuard implementation for the OpenBSD kernel

diff options

author	ratchov <ratchov@openbsd.org>	2015-12-20 11:38:33 +0000
committer	ratchov <ratchov@openbsd.org>	2015-12-20 11:38:33 +0000
commit	395f8c555ed4a91b57463a14328661f299867cd8 (patch)
tree	511d6ba41079942f6cfec9ab0b0353b27329a6c9 /lib/libsqlite3/src
parent	Expose internal functions necessary to open audio devices and midi (diff)
download	wireguard-openbsd-395f8c555ed4a91b57463a14328661f299867cd8.tar.xz wireguard-openbsd-395f8c555ed4a91b57463a14328661f299867cd8.zip

In case of a bug in sndiod, an attacker (a local user) could run

arbitrary code as user _sndio, i.e. get a second uid. Mitigate the risk by implementing initial privilege separation as follows. Break sndiod in two processes: a chroot()ed "worker" process processing input, and a non-chroot()ed "helper" process opening devices and passing descriptors to the worker. With help from benno, claudio, semarie and gilles. ok benno, semarie and tb

Diffstat (limited to 'lib/libsqlite3/src')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: