Thanks Stuart, I appreciate your time on this and the explanation of the sndiod design.

It was a case of "I don't understand it, I don't use it, so I just disable it", and then I proceeded to ask out of turn whether everyone else shouldn't disable it because I don't understand or use it myself :/

Re attack surface / risk of other software that I use on top of OpenBSD, I couldn't agree more with you.

Thanks again..

On Sun, 21 Feb 2021 at 18:42, Stuart Henderson <[email protected]> wrote:
>
> On 2021-02-21, Tom Smyth <[email protected]> wrote:
> > my thinking is by having the service off by default would reduce the
> > default attack surface of the OS ?
>
> The attack surface is tiny.
>
> sndiod has a pair of processes each run as their own dedicated uid, one
> in a chroot jail containing no files and pledged to not allow access to
> read/write files anyway, the other (which needs to access audio-related
> nodes in /dev) using unveil to restrict itself to only the necessary
> ones. The pledges are very restrictive. No network access unless you use
> -L to enable the network server.
>
> I don't honestly think it's worth going to the trouble of disabling.
> Look at the other software you run which isn't enabled in OpenBSD by
> default - that's where your attack surface is ;)
>

-- 
Kindest regards,
Tom Smyth.

