
Re: exploring debian's users and groups



Joey Hess <joeyh@debian.org> wrote:
> man:
> 
> 	The man program (sometimes) runs as user man, so it can write cat
> 	pages to /var/cache/man
> 
> 	HELP: My system has no files owned by user man, and I don't see
> 	      the point of the user, aside from symmetry.

Wasn't there a proposal to remove it (and pre-formatted man pages along with
it) a while back? man running as set{u,g}id man is commonly regarded as a
security hazard, and preformatted man pages present an easy DoS attack. With
the mailing list archive search down, I'm having a hard time finding the
demonstration.

> www-data:
> 
> 	HELP: Er, I should know this, but this box doesn't run apache and
> 	      I'm offline.

Apache runs with this uid. Some people like to make their web pages owned by
this uid as well, but that's bad. Web servers don't modify web pages, they
just read them.

Apart from CGIs and other such nastiness, the web server could easily run as
nobody.

> disk:
> 
> 	HELP: Well, I have some disk devices in /dev/ owned by the group,
> 	      but I can't see the point. On another system, I noticed that some
> 	      of the files lilo puts in /boot/ are also owned by disk. I
> 	      can imagine local uses for such a group, like if you want to
> 	      give some users in the group direct access to some hard disk.
> 	      But these uses I've found on my systems seem to preclude
> 	      doing that easily; if I put a user in group disk here, they'd
> 	      have write access to the root filesystem.

I use it so I can run VMWare using a real disk. I trust me not to crack
root.

> dialout:
> 
> 	HELP: Is this used for /dev/cua devices or something?

Probably historically mixed up with uucp, fax and dip. I don't see why four
groups for serial port access are necessary.
-- 
Sam Couter          |   Internet Engineer   |   http://www.topic.com.au/
sam@topic.com.au    |   tSA Consulting      |
OpenPGP key ID:       DE89C75C,  available on key servers
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
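
An added illustration of the www-data point in the message above (not part of the original post): a shell check that lists what the web server account could modify under a document root. The function name and its two arguments are hypothetical; on Debian the account would be www-data.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumptions: the caller supplies the server account name and the
# document root; find(1), id(1) and printf(1) are available.

writable_by_server() {
    srv_user=$1
    docroot=$2

    # Owned by the server account: the owner can always chmod a file
    # writable, so ownership is a finding whatever the mode bits say.
    find "$docroot" ! -type l -user "$srv_user" \
        -exec printf 'owner %s\n' {} \;

    # Group-writable, with a group the server account belongs to.
    # Numeric gids are used so group names with spaces cannot split.
    for gid in $(id -G "$srv_user"); do
        find "$docroot" ! -type l -group "$gid" -perm -020 \
            -exec printf 'group %s\n' {} \;
    done

    # World-writable: the server can write these like any other account.
    find "$docroot" ! -type l -perm -002 \
        -exec printf 'world %s\n' {} \;
}

# Stand-alone use: sh script.sh ACCOUNT DOCROOT
if [ "$#" -eq 2 ]; then
    writable_by_server "$1" "$2"
fi
```

An empty result means the account can only read the tree, which is the arrangement the message argues for.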
