Re: Logs and Permissions for Daemons

[Herbert Xu <herbert@gondor.apana.org.au>]

On Sat, Nov 13, 1999 at 08:34:52PM -0800, Joey Hess wrote:
> Herbert Xu wrote:
> > There is nothing wrong with creating a new user when the alternative is
> > running as root.
> 
> Yes there is. We have a scant number of dynamically allocated low user ID's,
> and your rwhod, telnetd, identd, etc users are eating them rapidly. Please
> think ahead instead of blindly creating new users, and please notice we have
> a single "daemon" user already made that is meant to be there so random
> daemons can run as it, not root.

There is a very good reason that those things created new users, because they
have to read/write files owned by those users.

The advantage of this is that when one of the users is compromised (say
identd), it will not affect the other daemons.

As to the fact that we only have a limited number of users, I agree it's a
problem.  Perhaps we should address it by allocating new chunks in the uid
space for system users.

I do use the nobody user when the daemon in question does not have to access
files on the file system that is restricted in some way, e.g., rwalld.
-- 
Debian GNU/Linux 2.1 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt