Re: Bug#80343: general: Lack of policy on which files should be owned by which user
>>>>> "Russell" == Russell Coker <email@example.com> writes:
Russell> On Saturday 23 December 2000 09:13, KORN Andras wrote:
>> I feel that there exists a general confusion among some Debian
>> developers as to what user ids such as 'nobody' should be used
>> for. I suggest that the policy be updated with relevant advice.
Russell> Nobody should never be used. If you use nobody then
Russell> someone else will choose to use it for the same reasons
Russell> and you end up with two programs sharing the same UID.
Russell> The only solution is to have nothing use it as a matter
Russell> of policy.
That's my opinion too. Any process run as "nobody" can be controlled by
another process run by "nobody" that has been compromised, via
signals, looking for secrets in core dump files, strace, gdb,
etc. (strace and gdb can both attach to a running program).

However, the idea of one UID per daemon is (IMHO) a really horrible
solution, too, as you end up having more UIDs for daemons than
users. The best solution, capabilities, is yet to be implemented in
the relevant software.

As for the issue that www-data shouldn't own any data files (now that
is a contradiction in names), that is less clear cut. People want
web pages to be
a) private, so access can be controlled via apache.
b) editable, so anyone in the www-data group can make changes.
c) read-only to the web server.
which is a conflicting list of goals unless ACLs are supported.
Brian May <firstname.lastname@example.org>
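
Added example, not part of the original message or thread: a small audit that finds service accounts running more than one distinct program, which is the shared-UID situation discussed above. The `ps` listing is constructed sample data, and the cut-off of 1000 for human UIDs with `nobody` at 65534 is an assumption based on current Debian defaults.

```python
"""Flag service UIDs shared by unrelated daemons (constructed sample data)."""
from collections import defaultdict

# Constructed sample of `ps -eo uid,user,pid,comm --no-headers` output.
SAMPLE_PS = """\
    0 root         1 init
   33 www-data   412 apache2
   33 www-data   413 apache2
65534 nobody     501 tftpd
65534 nobody     502 identd
65534 nobody     777 fingerd
  105 bind       620 named
 1000 alice     1500 bash
 1000 alice     1501 vim
"""

# Assumption: UIDs below 1000, plus "nobody" (65534), are system accounts.
FIRST_HUMAN_UID = 1000
NOBODY_UID = 65534


def parse_ps(text):
    """Yield (uid, user, pid, comm) tuples from ps output."""
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # skip headers and malformed lines
        uid, user, pid, comm = fields
        yield int(uid), user, int(pid), comm.strip()


def shared_service_uids(text):
    """Return {user: sorted distinct commands} for non-root system UIDs
    that run more than one distinct program."""
    by_uid = defaultdict(set)
    names = {}
    for uid, user, _pid, comm in parse_ps(text):
        if uid == 0 or (uid >= FIRST_HUMAN_UID and uid != NOBODY_UID):
            continue  # root and human users are out of scope here
        by_uid[uid].add(comm)
        names[uid] = user
    return {names[u]: sorted(c) for u, c in by_uid.items() if len(c) > 1}


if __name__ == "__main__":
    for user, cmds in shared_service_uids(SAMPLE_PS).items():
        print(f"{user}: shared by {', '.join(cmds)}")
```

Several workers of one daemon under one account (apache2 as www-data in the sample) are not reported; only accounts running different programs are.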