
Re: [Lsb-appbat] RE: Running appbat pkgs in LSB-si



At 2002/8/8 11:03-0400  Jim Kingdon writes:
> The footnote for "daemon" says:
> 
>     The 'daemon' UID/GID was used as an unprivileged UID/GID for daemons
>     to execute under in order to limit their access to the system.
>     Generally daemons should now run under individual UID/GIDs in order to
>     further partition daemons from one another.
> 
> Although "nobody" hasn't been quite the security nightmare that
> "daemon" has (as far as I know), it seems a bit odd to overload the
> NFS thing (which doesn't even seem to apply to my Red Hat system, as
> nobody is UID 99 rather than 65534 or whatever it is in the NFS case)
> and the Apache thing.

Although the use of the nobody user is unlikely to cause compatibility
problems, use of the nobody group will (some systems such as Debian
have nogroup instead).

So I think we should follow the spec in creating uids/gids for lsb
apps - and it is more secure than for all server-like programs to
share the same uid/gid.

Chris
-- 
cyeoh@au.ibm.com
IBM OzLabs Linux Development Group
Canberra, Australia


