Re: nouser/nogroup clarification
jplejacq@quoininc.com (Jean Pierre LeJacq) wrote on 22.07.98 in <m0yz47o-000b9HC@mail.quoininc.com>:

> I'm not sure if I agree. I maintain the http server, wn, for
> debian. At startup, it switches to user nobody. If this policy
> is adopted, it could not write to its log file.

Does it not open the log file before it switches? That ought to work.

Anyway, the reason to have nobody/nogroup (and, indeed, to use those for
executing, but not for file ownership) is to improve security - if a
security hole allows someone to do something as one of these daemons
running as nobody, we want to be sure that he can't touch anything
important.

If your logfile is changeable by user nobody, you are in essence saying
that it isn't important, and any intruder (or, indeed, any legitimate
anonymous user that is given "nobody" privileges) may happily replace the
file contents with his inventions.

That probably collides with the reasons to keep a logfile in the first
place.

> I could modify the source code so it switches to another user,
> maybe www-data or a new user just for wn. This may result in a
> proliferation of new users.
>
> The other option is to force use of syslog.

Those are other workable options.

Regards, Kai
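
The approach suggested in the reply (open the log while still root, then switch to nobody), as an added example that is not part of the original message or of wn's source. The path `/tmp/wn-example.log` is hypothetical, and uid/gid 65534 for nobody/nogroup is an assumption about the local system.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE                 /* exposes setgroups() */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Open (or create) the log while still privileged. Owned by root with mode
 * 0640, it can never be opened for writing by the unprivileged user. */
int open_log(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
}

/* Append one line through the descriptor obtained before the switch. */
int log_line(int fd, const char *msg)
{
    if (write(fd, msg, strlen(msg)) < 0 || write(fd, "\n", 1) < 0)
        return -1;
    return 0;
}

/* Permanently become uid/gid: supplementary groups, then gid, then uid.
 * Returns 0 on success, -1 on failure; the caller must exit on -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* refuse to "drop" to root */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;     /* fail if root is still reachable */
}

int main(void)
{
    const char *path = "/tmp/wn-example.log";   /* hypothetical path */
    int fd = open_log(path);
    if (fd < 0) { perror("open_log"); return 1; }
    if (drop_privileges(65534, 65534) != 0) {   /* assumed nobody/nogroup ids */
        fputs("drop_privileges failed (must start as root)\n", stderr);
        return 1;
    }
    log_line(fd, "started as nobody");          /* still works via the old fd */
    if (open(path, O_WRONLY | O_TRUNC) < 0)     /* a fresh open is refused */
        puts("nobody cannot reopen or truncate the log by path");
    return 0;
}
```

On Linux the descriptor kept across the switch still lets the process append to the log or call `ftruncate()` on it, so this protects the file only against access by path; the syslog option mentioned in the thread removes the descriptor as well.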