Re: New user for logcheck
>>>>> "Michael" == Michael Stone <firstname.lastname@example.org> writes:
Michael> On Sat, Nov 20, 1999 at 04:09:28PM +0000, Rene Mayrhofer wrote:
>> Logcheck is a new package in potato and it's purpose is to
>> check the system log files for unusal parts. It is a shell
>> script that is run from cron.
>> I got a suggestion for the logcheck package that I like. The
>> suggestion was that logcheck should run as an own uid with the
>> gid 'adm' (so that it can read the system log files). That
>> would mean that a new uid is needed (or does it make sense to
>> use an existing one - I don't think so).
>> Would that be a problem ?
Michael> What does the new userid buy us? Does the script accept
Michael> user input? Does it create files? What about running it
Michael> as nobody?
What about the "Re: Logs and Permissions for Daemons" thread recently
on *this* mailing lists, where people made comments like:
(sorry for quoting these points again, but I am concerned that some
people may have missed them - and this topic seems to come up
regularly on this mailing list - perhaps we need a FAQ or something?
Does one exist?)
>>>>> "Herbert" == Herbert Xu <email@example.com> writes:
Herbert> There is a very good reason that those things created new
Herbert> users, because they have to read/write files owned by
Herbert> those users.
Herbert> The advantage of this is that when one of the users is
Herbert> compromised (say identd), it will not affect the other
Herbert> As to the fact that we only have a limited number of
Herbert> users, I agree it's a problem. Perhaps we should address
Herbert> it by allocating new chunks in the uid space for system
Herbert> I do use the nobody user when the daemon in question does
Herbert> not have to access files on the file system that is
Herbert> restricted in some way, e.g., rwalld.
>>>>> "Bernd" == Bernd Eckenfels <firstname.lastname@example.org> writes:
Bernd> This is not safe, since one run-away daemon can modify
Bernd> different daemons logs or contrl the process with
Bernd> signals. Therefore daemon user is considered as harmfull as
Bernd> nobody user.
>>>>> "Wichert" == Wichert Akkerman <email@example.com> writes:
Wichert> I disagree here. From a security perspective it's really
Wichert> good if every daemon gets its own user. That way if one
Wichert> daemon is compromised the attacker cannot mess around
Wichert> with others. And there are lots of interesting ways to
Wichert> mess with other daemons.. (ptrace and see passwords?
Wichert> insert your own code? stop it and go for the simple
Wichert> DoS-attack? etc. etc.)
Wichert> Those daemons should probably get an entry in the static
Wichert> 60000-64999 range.
Brian May <firstname.lastname@example.org>