Previously Joey Hess wrote: > But a lot of these daemons that suddently have their own users don't read > any files owned by themselves, so there's no reason they shouldn't just run > as daemon. I disagree here. From a security perspective it's really good if every daemon gets its own user. That way if one daemon is compromised the attacker cannot mess around with others. And there are lots of interesting ways to mess with other daemons.. (ptrace and see passwords? insert your own code? stop it and go for the simple DoS-attack? etc. etc.) Those daemons should probably get an entry in the static 60000-64999 range. Wichert. -- ________________________________________________________________ / Generally uninteresting signature - ignore at your convenience \ | wichert@liacs.nl http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Attachment:
pgpxwKlpWPSZB.pgp
Description: PGP signature