
Re: one user per daemon?



On Sat, Jul 05, 2003 at 02:26:24PM +0200, Christian Kujau wrote:
> in another (german) newsgroup i saw a comment, being a bit upset about 
> the general-every-distribution behaviour to install new daemons under a 
> single user id. to be clear, if debconf/dpkg/whatever set up e.g. ntpd, 
> the default is that "root" starts the daemon. or user "nobody" does, but 
> another daemon was configured to be run from "nobody" too. the same 
> applies for user "daemon". only a few daemons are run by other users by 
> default, apache, snort or squid.

You're right that this is rather ridiculous.  For the trivial cost
of a new user, we get a significant gain in compartmentalization.

I wish there were something in policy strongly recommending creating
a new user for every system service.

Andrew
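
Added example, not part of the original post or of any Debian tooling: a small audit that groups running daemons by the account they run as and flags accounts shared by several daemons, plus lone daemons still running as one of the generic accounts named in the thread (root, nobody, daemon). The process list is a constructed sample in the shape of `ps -eo user=,comm=` output, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the shape of `ps -eo user=,comm=` output (not from the thread).
SAMPLE_PS = """\
root     ntpd
nobody   dnsmasq
nobody   tftpd
daemon   atd
daemon   portmap
www-data apache2
www-data apache2
proxy    squid
snort    snort
"""

# Generic accounts the thread names as shared defaults.
GENERIC_ACCOUNTS = {"root", "nobody", "daemon"}


def daemons_by_user(ps_output):
    """Map each account to the set of distinct command names it runs."""
    owners = defaultdict(set)
    for line in ps_output.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # skip blank or malformed lines
        user, comm = fields
        owners[user].add(comm.strip())
    return dict(owners)


def audit(ps_output, generic=GENERIC_ACCOUNTS):
    """Return (user, daemons, reason) for every account that breaks isolation."""
    findings = []
    for user, comms in sorted(daemons_by_user(ps_output).items()):
        if len(comms) > 1:
            # A compromise of one daemon reaches the files of the others.
            findings.append((user, sorted(comms), "shared by several daemons"))
        elif user in generic:
            findings.append((user, sorted(comms), "generic account, no dedicated user"))
    return findings


if __name__ == "__main__":
    for user, comms, reason in audit(SAMPLE_PS):
        print(f"{user}: {', '.join(comms)} ({reason})")
```

On a live system the input would need to be limited to service processes first, since root also owns kernel threads and login sessions.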


