system users/groups (was: nobody/nogroup - ITP maildir-bulletin)
On Thu, Oct 21, 1999 at 12:44:13PM +0200, Russell Coker wrote:
> However we don't want to have too many system users and groups...
On the contrary, we should have as many as is practical.
- There is no shortage of dynamic system user and group ids.
- Every privilege boundary we establish limits the potential damage of a
bug or security breach.
- There is rarely any loss in flexibility, since system programs know ahead
of time what files they need special privileges for.
To facilitate the construction of privilege boundaries, I believe that
Debian should establish a central registry (global to the Debian project) of
system groups and users, along with a careful explanation of how each
user/group is intended to be used in a default installation.
- Eliminates the risk of two packages using the same user/group.
- Minimizes the risk of developers misusing common users/groups.
- Allows users to understand how privileges are being managed on their
systems (for example, I still don't know what most of the default users
and groups do).
- Minimizes the risk of users misusing system users/groups (for example, many
users make their web sites owned by the "www-data"[1] user or group, which
is exactly what they shouldn't do[2]).
- Facilitates audits.
Andrew
[1] While on the topic, may we _please_ rename this user/group? The dash
has confused programs (the smail config script, about which I posted a bug)
and created pointless hassle (with postgresql, IIRC). It's really just
tasteless to use non-alphanumeric characters.
[2] This allows the miscreant who cracked your web server to deface your web
site.
--
As the microkernel unix people used to say before they finally died out, "We
are within X% of the performance of the original".
- Alan Cox
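The audit the post calls for, and the www-data mistake its footnote [2] describes, can be checked mechanically. The following is an added example and is not part of the original message or of any Debian tooling: it walks a document root (or a constructed list of file records, used here so it runs offline) and reports every file the web server's own account could modify. The uid/gid value 33 for www-data and the path names are assumptions for the sample data; on a real system look the ids up with `id www-data`.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    """Ownership and permission bits of one file, as from os.lstat."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, i.e. stat.S_IMODE(st_mode)


def writable_by(entry, uid, gids):
    """True if an unprivileged account (uid, supplementary gids) could write entry.

    Mirrors the kernel's owner/group/other decision; it does not model root
    or POSIX ACLs, so treat the result as a lower bound."""
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def audit_docroot(entries, service_uid, service_gids, allow_prefixes=()):
    """Return the paths the service account can modify.

    Paths under allow_prefixes (e.g. a deliberate upload directory) are
    skipped; everything else a compromised server could rewrite is a finding."""
    findings = []
    for e in entries:
        if any(e.path.startswith(p) for p in allow_prefixes):
            continue
        if writable_by(e, service_uid, service_gids):
            findings.append(e.path)
    return findings


def scan_tree(root, service_uid, service_gids, allow_prefixes=()):
    """Build FileEntry records from a real directory tree and audit them.

    Directories are included: a writable directory lets the account create
    new files even when every existing file is read-only."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append(FileEntry(full, st.st_uid, st.st_gid,
                                     stat.S_IMODE(st.st_mode)))
    return audit_docroot(entries, service_uid, service_gids, allow_prefixes)


# Constructed sample data (assumption: uid/gid 33 is www-data, 1000 is the
# webmaster account that should own the site content).
WWW_UID, WWW_GID = 33, 33
SAMPLE = [
    FileEntry("/var/www/index.html", 1000, 1000, 0o644),     # correct: server reads only
    FileEntry("/var/www/about.html", 33, 33, 0o644),         # owned by www-data: server can rewrite it
    FileEntry("/var/www/img/logo.png", 1000, 33, 0o664),     # group www-data with group-write: same problem
    FileEntry("/var/www/uploads/photo.jpg", 33, 33, 0o644),  # intentional, covered by allow_prefixes
    FileEntry("/var/www/cgi-bin/form.cgi", 1000, 1000, 0o755),
]

if __name__ == "__main__":
    for path in audit_docroot(SAMPLE, WWW_UID, {WWW_GID},
                              allow_prefixes=("/var/www/uploads/",)):
        print("service account can modify:", path)
```

Run against a live system with `scan_tree("/var/www", 33, {33}, ("/var/www/uploads/",))`; an empty result means the web server account holds only read access to the site, which is the privilege boundary the post argues for. The allow-list exists because some directories (uploads, caches) must be writable by design; the point is that those are the exception, chosen deliberately, rather than the whole document root.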