First, note that on Gentoo, festival used to run as root. This is why 
this was a much more severe issue there.

On Debian we have the daemon running as nobody:audio. The patch now 
seems to start the daemon as festival:festival. This is certainly an 
improvement, but I am uncertain whether this will work, because the 
daemon might need group audio to work. On the other hand, starting it 
as festival:audio would still be problematic (but might be acceptable 
if documented).

There is also the problem that it can be configured to allow non-local 
connections (and the README.Debian describes how to do this). This 
would allow remote code execution.

The cleanest solution would be to disable system(). If that is not 
possible due to the way festival works, there needs to be a big 
warning that all users who can connect to it need to be trusted.

Cheers,
Stefan


