
Re: nouser/nogroup clarification



jplejacq@quoininc.com (Jean Pierre LeJacq)  wrote on 22.07.98 in <m0yz47o-000b9HC@mail.quoininc.com>:

> I'm not sure if I agree.  I maintain the http server, wn, for
> debian.  At startup, it switches to user nobody.  If this policy
> is adopted, it could not write to its log file.

Does it not open the log file before it switches? That ought to work.

Anyway, the reason to have nobody/nogroup (and, indeed, to use those for  
executing, but not for file ownership) is to improve security - if a  
security hole allows someone to do something as one of these daemons  
running as nobody, we want to be sure that he can't touch anything  
important.

If your logfile is changeable by user nobody, you are in essence saying  
that it isn't important, and any intruder (or, indeed, any legitimate  
anonymous user that is given "nobody" privileges) may happily replace the  
file contents with his inventions.

That probably collides with the reasons to keep a logfile in the first  
place.

> I could modify the source code so it switches to another user,
> maybe www-data or a new user just for wn.  This may result in a
> proliferation of new users.
>
> The other option is to force use of syslog.

Those are other workable options.

Regards, Kai
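The ordering suggested in this message (open the log first, then switch user), as an added example that is not part of the original thread and not wn's own code. The function names, the demo path under /tmp and the nobody/nogroup ids (65534) are assumptions; the identity switch only happens when the program is started as root.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed ids for nobody/nogroup (Debian's values); adjust per system. */
enum { NOBODY_UID = 65534, NOBODY_GID = 65534 };
enum { WROTE = 1, DROPPED = 2, REOPEN_DENIED = 4, DROP_FAILED = 100 };

/* Give up root for good: supplementary groups, then gid, then uid. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;            /* regaining root must fail */
}

/* Open the log as the starting user, switch in a child, log via the fd. */
int log_then_drop_demo(void)
{
    char path[] = "/tmp/wn-demo-log-XXXXXX";   /* constructed demo path */
    static const char line[] = "GET /index.html 200\n";
    int fd = mkstemp(path);                    /* mode 0600, owner = starter */
    if (fd < 0 || fcntl(fd, F_SETFL, O_APPEND) != 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        int res = 0;
        if (geteuid() == 0) {                  /* only root can switch user */
            if (drop_privileges(NOBODY_UID, NOBODY_GID) != 0)
                _exit(DROP_FAILED);            /* never carry on as root */
            res |= DROPPED;
        }
        if (write(fd, line, sizeof line - 1) == (ssize_t)(sizeof line - 1))
            res |= WROTE;                      /* the open fd survives the switch */
        if ((res & DROPPED) && open(path, O_WRONLY) < 0 && errno == EACCES)
            res |= REOPEN_DENIED;              /* by path, nobody is refused */
        _exit(res);
    }
    int status = -1;
    if (pid > 0) waitpid(pid, &status, 0);
    close(fd);
    unlink(path);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

Started as root, the function returns 7: the file stays owned by root with mode 0600, the child running as nobody can still log through the descriptor it inherited, and it is refused when it tries to open the same path for writing.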

