Re: Bug#80343: general: Lack of policy on which files should be owned by which user
Brian May schrieb:
> >>>>> "Hamish" == Hamish Moffatt <firstname.lastname@example.org> writes:
> Hamish> On Tue, Dec 26, 2000 at 11:13:13AM +1100, Brian May wrote:
> >> However, the idea of one UID per daemon is (IMHO) a really
> >> horrible solution, too, as you end up having more UIDs for
> >> daemons then users.
> Hamish> Why is that a problem? There are 65536 available UIDs.
> Some potential problems though:
> - easy to hide back-door entry point in /etc/passwd if lots of entries
> exist (eg. missing password field). Whether this is by mistake
> or done on purpose by an attacker is not important, but the fact it
> is harder to detect may be important.
Regular /etc/passwd checking is done by a pretty rigid scripts
usually. It really does not matter how many entries there are in
/etc/passwd. Checking it "by hand" seems pointless to me.
> - As the number of entries grows, the chance that one/more entries
> will conflict with some NIS, openldap or remote NFS system increases.
> Especially since adduser, etc, do not support NIS or openldap. I am
> not sure of the details here - can adduser assign a local user a UID
> that conflicts with that from some other source?
Then we should fix adduser and libc(PAM/NSS). I tried to get the
normal 'passwd' to change passwords on nis (well, passwdd; pam_unix
seems to be able to do this) but couldn't get it to work (I
hadn't that much time for it though).
> - harder to administrate /etc/passwd as more users exist.
Something that seems improtant to me: providing a way to use
less users/groups on some systems should be easy once every
daemon can have it's own (adduser creating system accounts with
same UID/GID comes to mind). The other way round it's harder.