
Re: Orphaned User Accounts?



On 11/2/2010 3:09 PM, Carlos Mennens wrote:
[snip]
> 
> man:x:6:12:man:/var/cache/man:/bin/sh
man has its own user. Really!
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
For printer daemon, as well as a few other things
> mail:x:8:8:mail:/var/mail:/bin/sh
system mail needs a user.
> news:x:9:9:news:/var/spool/news:/bin/sh
linked with above, usually
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
Ditto.
> proxy:x:13:13:proxy:/bin:/bin/sh
Not sure.
> www-data:x:33:33:www-data:/var/www:/bin/sh
Apache2 will run as this user. Most /any/ httpd will.
> backup:x:34:34:backup:/var/backups:/bin/sh
used for Bacula, DeJa Dup and friends.
> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
mailman, mlmmj, etc.
> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
used by ircd.
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
GNATS runs as a user.
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
LibUUID needs a user to run as to keep track of some things IIRC. I may
be wrong.
> 
> I'm trying to understand why Debian developers slip in 'games', 'lp',
> 'news', 'uucp', 'www-data', 'list', 'irc', etc etc etc. Now if I
> install 'Apache', 'CUPS', 'Exim/Postfix', etc etc etc then I
> understand why those accounts would appear but why do these accounts
> appear in a fresh minimal installation with no trace of their
> respected packages? I also label them as 'orphaned' because if you try
> to remove the user and their default home directory, you get an error
> that those directories don't exist. For example:

They aren't orphaned at all. They're just /user declarations/ used by
some daemons, startup scripts, etc.

There are also users like Nobody. Nobody exists, but isn't anyone.


> Is there a way to understand why Debian is configured so by default?
> Are there official developers that browse this list that could give
> insight to maybe a security reason or any other as to why we have
> these 'orphaned' accounts in a fresh / new minimal install?

Mainly because there are so many things that CAN use these users. Not
every service gets run as root, nor should it.

> Thanks!
> 
> Many of you would just say, "...just remove what you do want" however
> in my opinion, the last thing someone needs to do after installing a
> fresh system is start removing stuff.


Users in *nix and friends are a way to separate out who can touch what.
This is a security thing, and something that isn't really all that new
or unique to a Debian box. Here's a fresh Fedora install:

root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
indrora:x:1000:1000:Morgan Gangwere,,,:/home/indrora:/bin/zsh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin

*nix and its friends use LOTS of users to do LOTS of things. I make
users on a regular basis when I do something that should be chroot'd or
otherwise kept in check.

-- 

Morgan Gangwere

PGP Key at http://indrora.homelinux.org/gpg_key.asc

>> Why?
> Because it breaks the logical flow of conversation, plus makes
> messages unreadable.
>>> Top-Posting is evil.
