Re: Bug#80343: general: Lack of policy on which files should be owned by which user

To: debian-devel@lists.debian.org
Subject: Re: Bug#80343: general: Lack of policy on which files should be owned by which user
From: Arthur Korn <arthur@korn.ch>
Date: Tue, 26 Dec 2000 13:03:06 +0100
Message-id: <[🔎] 20001226130306.A2648@korn.ch>
Mail-followup-to: arthur, debian-devel@lists.debian.org
In-reply-to: <[🔎] 84y9x4gf03.fsf@snoopy.apana.org.au>; from bam@debian.org on Tue, Dec 26, 2000 at 12:14:52PM +1100
References: <[🔎] 20001222221312.4100.qmail@utopia> <[🔎] 0012231650490I.02330@lyta> <[🔎] 84puighwfa.fsf@snoopy.apana.org.au> <[🔎] 20001226114835.C21854@silly.cloud.net.au> <[🔎] 84y9x4gf03.fsf@snoopy.apana.org.au>

Hi

Brian May schrieb:
> >>>>> "Hamish" == Hamish Moffatt <hamish@debian.org> writes:
> 
>     Hamish> On Tue, Dec 26, 2000 at 11:13:13AM +1100, Brian May wrote:
>     >> However, the idea of one UID per daemon is (IMHO) a really
>     >> horrible solution, too, as you end up having more UIDs for
>     >> daemons then users.
> 
>     Hamish> Why is that a problem? There are 65536 available UIDs.

> Some potential problems though:
> 
> - easy to hide back-door entry point in /etc/passwd if lots of entries
> exist (eg. missing password field). Whether this is by mistake
> or done on purpose by an attacker is not important, but the fact it
> is harder to detect may be important.

Regular /etc/passwd checking is done by a pretty rigid scripts
usually. It really does not matter how many entries there are in
/etc/passwd. Checking it "by hand" seems pointless to me.

> - As the number of entries grows, the chance that one/more entries
> will conflict with some NIS, openldap or remote NFS system increases.
> Especially since adduser, etc, do not support NIS or openldap.  I am
> not sure of the details here - can adduser assign a local user a UID
> that conflicts with that from some other source?

Then we should fix adduser and libc(PAM/NSS). I tried to get the
normal 'passwd' to change passwords on nis (well, passwdd; pam_unix
seems to be able to do this) but couldn't get it to work (I
hadn't that much time for it though).

> - harder to administrate /etc/passwd as more users exist.

Something that seems improtant to me: providing a way to use
less users/groups on some systems should be easy once every
daemon can have it's own (adduser creating system accounts with
same UID/GID comes to mind). The other way round it's harder.

ciao, 2ri

Reply to:

References:
- Bug#80343: general: Lack of policy on which files should be owned by which user
  - From: "KORN Andras" <korn@chardonnay.math.bme.hu>
- Bug#80343: general: Lack of policy on which files should be owned by which user
  - From: Russell Coker <russell@coker.com.au>
- Re: Bug#80343: general: Lack of policy on which files should be owned by which user
  - From: Brian May <bam@debian.org>
- Re: Bug#80343: general: Lack of policy on which files should be owned by which user
  - From: Hamish Moffatt <hamish@debian.org>
- Re: Bug#80343: general: Lack of policy on which files should be owned by which user
  - From: Brian May <bam@debian.org>

Prev by Date: ITP: gpa -- The GNU Privacy Assistent
Next by Date: Re: looking for replacement for run (because of critical bug in
Previous by thread: Re: Bug#80343: general: Lack of policy on which files should be owned by which user
Next by thread: Close list
Index(es):
- Date
- Thread