diff --git a/usr.sbin/virtual_oss/virtual_oss/main.c b/usr.sbin/virtual_oss/virtual_oss/main.c
index 6a56adbc607..1d24be89f3d 100644
--- a/usr.sbin/virtual_oss/virtual_oss/main.c
+++ b/usr.sbin/virtual_oss/virtual_oss/main.c
@@ -37,6 +37,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1620,7 +1621,6 @@ int voss_is_recording = 1;
 int voss_has_synchronization;
 volatile sig_atomic_t voss_exit = 0;
-static int voss_dsp_perm = 0666;
 static int voss_do_background;
 static int voss_baseclone = 0;
 static const char *voss_pid_path;
@@ -1864,7 +1864,24 @@ dup_profile(vprofile_t *pvp, int *pamp, int pol, int rx_mute,
 {
 vprofile_t *ptr;
 struct cuse_dev *pdev;
- int x;
+ struct group *gr;
+ gid_t gid;
+ int x, perm;
+
+ if (!is_client) {
+ /*
+ * Loopback devices can be used only by users who part of the
+ * audio group, to avoid unintended snooping by unprivileged
+ * users.
+ */
+ if ((gr = getgrnam("audio")) == NULL)
+ return ("getgrnam() failed");
+ gid = gr->gr_gid;
+ perm = 0660;
+ } else {
+ gid = 0;
+ perm = 0666;
+ }
 rx_mute = rx_mute ? 1 : 0;
 tx_mute = tx_mute ? 1 : 0;
@@ -1918,7 +1935,7 @@ dup_profile(vprofile_t *pvp, int *pamp, int pol, int rx_mute,
 /* create DSP character device */
 pdev = cuse_dev_create(&vclient_oss_methods, ptr, NULL,
- 0, 0, voss_dsp_perm, ptr->oss_name);
+ 0, gid, perm, ptr->oss_name);
 if (pdev == NULL) {
 free(ptr);
 return ("Could not create CUSE DSP device");
@@ -1935,7 +1952,7 @@ dup_profile(vprofile_t *pvp, int *pamp, int pol, int rx_mute,
 /* create WAV device */
 if (ptr->wav_name[0] != 0) {
 pdev = cuse_dev_create(&vclient_wav_methods, ptr, NULL,
- 0, 0, voss_dsp_perm, ptr->wav_name);
+ 0, gid, perm, ptr->wav_name);
 if (pdev == NULL) {
 free(ptr);
 return ("Could not create CUSE WAV device");
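Review bot: In the new `!is_client` branch at the top of dup_profile(), a failed `getgrnam("audio")` is reported as "getgrnam() failed", which tells the operator neither which group was looked up nor whether it is missing or the lookup itself errored. Refusing to create the device is the right outcome, since falling back to 0666 would silently undo the restriction, so I would keep the early return and change the message to `return ("Group 'audio' not found, cannot create loopback device");`. getgrnam() leaves errno untouched when the entry simply does not exist, so add `errno = 0;` before the call if the two cases are to be told apart. The comment should read "users who are part of the audio group". The signature and the rest of the body lie outside this hunk, so I am assuming `is_client` is zero only for loopback profiles.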
@@ -2612,7 +2629,7 @@ main(int argc, char **argv)
 if (voss_ctl_device[0] != 0) {
 pdev = cuse_dev_create(&vctl_methods, NULL, NULL,
- 0, 0, voss_dsp_perm, voss_ctl_device);
+ 0, 0, 0666, voss_ctl_device);
 if (pdev == NULL)
 errx(EX_USAGE, "Could not create '/dev/%s'", voss_ctl_device);
diff --git a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.8 b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.8
index b607f45cd36..b9dc8fd86a3 100644
--- a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.8
+++ b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.8
@@ -23,7 +23,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"
-.Dd April 17, 2026
+.Dd May 7, 2026
 .Dt VIRTUAL_OSS 8
 .Os
 .Sh NAME
@@ -162,6 +162,8 @@ This option should be specified before the -d and -l options.
 Create an OSS device by given name.
 .It Fl l Ar name
 Create a loopback OSS device by given name.
+Users have to be part of the audio group to access this device.
+This is a security measure to avoid unintended snooping by unprivileged users.
 .It Fl L Ar name
 Create a loopback OSS device which acts as a master device.
 This option is used in conjunction with -f /dev/null .
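Review bot: The control device created in main() for `voss_ctl_device` keeps gid 0 and mode 0666, now as a bare literal, while the loopback devices in dup_profile() are restricted to 0660 and the audio group. If the `vctl_methods` interface can change muting, routing or monitoring for loopback profiles, which is not visible in this hunk, unprivileged users would keep a way to influence the devices this commit restricts. If leaving it world-accessible is intended, state the reason next to the call, for example `/* control device stays 0666: see vctl_methods for what it exposes */`, and consider a named constant for the mode so the choice is easy to audit. main()'s body starts and ends outside the hunk.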