On 2021-02-21, Tom Smyth <[email protected]> wrote:
> my thinking is by having the service off by default would reduce the
> default attack surface of the OS ?

The attack surface is tiny.

sndiod has a pair of processes each run as their own dedicated uid, one
in a chroot jail containing no files and pledged to not allow access to
read/write files anyway, the other (which needs to access audio-related
nodes in /dev) using unveil to restrict itself to only the necessary
ones. The pledges are very restrictive. No network access unless you use
-L to enable the network server.

I don't honestly think it's worth going to the trouble of disabling.
Look at the other software you run which isn't enabled in OpenBSD by
default - that's where your attack surface is ;)
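
A check of the properties described in the message above, as an added example that is not part of the original message or of OpenBSD's own tooling: it takes process-list lines and the daemon flags as text and reports sndiod processes that do not run as two separate non-root users, or a `-L` in the flags. The function name, the sample lines and the sample flags are constructed for illustration.

```shell
#!/bin/sh
# Added example. audit_sndiod PS_LINES FLAGS
#   PS_LINES: "user command..." lines, e.g. from `ps -ax -o user,command`
#   FLAGS:    daemon flags, e.g. from `rcctl get sndiod flags`
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
audit_sndiod() {
    ps_lines=$1 flags=$2 findings=0

    # Owners of sndiod processes (second field is the command name/title).
    users=$(printf '%s\n' "$ps_lines" | awk '$2 ~ /sndiod/ { print $1 }' | sort -u)
    nproc=$(printf '%s\n' "$ps_lines" | awk '$2 ~ /sndiod/ { n++ } END { print n + 0 }')
    nuser=$(printf '%s\n' "$users" | awk 'NF { n++ } END { print n + 0 }')

    # Process checks apply only when the daemon is running at all.
    if [ "$nproc" -gt 0 ]; then
        if [ "$nproc" -ne 2 ]; then
            echo "expected a pair of sndiod processes, found $nproc"; findings=1
        elif [ "$nuser" -ne 2 ]; then
            echo "sndiod processes do not run under two distinct users"; findings=1
        fi
        if printf '%s\n' "$users" | grep -qx root; then
            echo "an sndiod process runs as root"; findings=1
        fi
    fi

    # -L enables the network server. Only a separate -L token is detected;
    # bundled short options (such as -dL) are not handled in this sketch.
    if printf '%s\n' "$flags" | tr -s ' \t' '\n' | grep -q '^-L'; then
        echo "network server enabled by -L in flags: $flags"; findings=1
    fi
    return $findings
}

# Constructed sample input, not captured from a real system.
SAMPLE_PS='USER     COMMAND
_sndio   sndiod: worker (sndiod)
_sndiop  sndiod: helper (sndiod)'
SAMPLE_FLAGS='-f rsnd/0'

audit_sndiod "$SAMPLE_PS" "$SAMPLE_FLAGS" && echo "sndiod: no findings"
```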

