This one uses POSIX capabilities to drop all root privs except for CAP_SYS_NICE, therefore, this is reasonably secure.

There is one catch. For some reason a suid root app cannot read /proc/self/exe so relocatability isn't used, and anyway it'd be insecure even if it could as you could hard link wineserver then trick it into loading a malicious library relative to $ORIGIN.

I think I will investigate this a bit more, but perhaps later. For now this is fine for RPMs and packages etc, which install to /usr, as they can simply "chmod +s wineserver" and have apps with solid audio.

thanks -mike