
Re: user for getting files



On Fri, 22 Nov 2002 23:06, John H. Robinson, IV wrote:
> you never want a file owned by nobody. services that do not need any
> elevated privileges should run as nobody, so if they are compromised,
> they can do nothing. if you download a file as nobody, then a
> compromised nobody-running daemon can then trojan that file. bad.

Daemons should not run as nobody, they should run as their own unique UID.

A daemon running as nobody can ptrace any other daemon running as nobody and 
do other interesting things too, unless of course you are running grsec, SE 
Linux, or some other system for advanced security.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
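
An audit for the condition described in the reply above, as an added example that is not part of the original post: it lists every non-root account that runs more than one distinct daemon. The function names, the choice to skip root, and the sample process list are assumptions of this example.

```shell
#!/bin/sh
# Added example: find accounts shared by more than one distinct daemon.
# Input: "USER PID COMMAND" lines, e.g. from
#   ps -e -o user= -o pid= -o comm=
# Processes under one UID can ptrace and signal each other on a stock
# kernel, so every account reported here is a shared trust domain.

shared_uid_daemons() {
    # Reads ps-style lines on stdin and prints "user: cmd1,cmd2,..."
    # for each non-root account running two or more distinct commands.
    awk '
        $1 == "root" || NF < 3 { next }   # assumption: root is audited separately
        ($1, $3) in seen       { next }   # count each user/command pair once
        {
            seen[$1, $3] = 1
            count[$1]++
            if (cmds[$1] != "") cmds[$1] = cmds[$1] ","
            cmds[$1] = cmds[$1] $3
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    print u ": " cmds[u]
        }
    ' | sort
}

# Constructed sample process list (not taken from a real host).
sample_ps() {
    cat <<'EOF'
root      1    init
nobody    412  httpd
nobody    413  httpd
nobody    520  tftpd
nobody    611  identd
ftp       700  vsftpd
EOF
}

audit_sample() { sample_ps | shared_uid_daemons; }

audit_sample   # prints: nobody: httpd,tftpd,identd
```

On a live system, pipe the `ps` command from the header comment into `shared_uid_daemons`; empty output means no non-root account is shared between different daemons.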


