Date: Tue, 16 Aug 2011 14:31:34 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Chuck Swiger <cswiger@mac.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>, Chris Brennan <xaero@xaerolimit.net>
Subject: Re: unprivledged users (for a service)
Message-ID: <4E4A7136.7040203@infracaninophile.co.uk>
In-Reply-To: <238F0CF5-33DC-4F9A-88E3-F8356E125573@mac.com>
References: <20110815163659.GA22081@gmail.com> <238F0CF5-33DC-4F9A-88E3-F8356E125573@mac.com>

On 15/08/2011 17:42, Chuck Swiger wrote:
> On Aug 15, 2011, at 9:37 AM, Chris Brennan wrote:
>> It's been a while since I've had to do this and the drive that contained
>> all of my notes is dead, along with the backup (I was actually lucky to
>> recover my home drive before it also failed but my notes were not
>> there). I cannot for the life of me remember how to properly add an
>> unprivileged user that will only be used for running a specific system
>> service. So it doesn't need a login shell or $HOME.
>
> Add a user and set the shell to /bin/false or perhaps /sbin/nologin; for
> $HOME set it to /var/empty or /tmp, perhaps.

Good advice, except... for this sort of user that exists solely to run
various processes, generally it is preferable for them *not* to be able
to write to their home directory. Especially if the software concerned
is exposed to the internet.

The reasoning here is that if there is, say, a buffer overflow attack
against your software, then an attacker can remotely inject and run
various sorts of shell-code exploits. If they can change arbitrary
files in the account's home directory, then they can relatively simply get
a login shell.

So, /tmp is not a good idea. / is actually a pretty good choice, and
similarly /var/empty (which is specifically designed for this sort of
thing.)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
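
Added example, not part of the original message: a POSIX sh check for the two points made in this thread, which lists accounts whose shell is nologin or false and whose home directory they could still write to. The function names, the account names and the temporary paths are constructed for the demonstration; it assumes a seven-field passwd(5) file and looks only at the mode bits and numeric ids that `ls -ldn` reports.

```sh
#!/bin/sh
# Added example: report no-login service accounts that can write to their home.

# Print why uid $1 / gid $2 can write to directory $3 (empty output = cannot).
# Uses only the mode and numeric ids from `ls -ldn`; supplementary groups,
# ACLs and file flags are not considered.
writable_by() {
    ls -ldn -- "$3" | awk -v u="$1" -v g="$2" '{
        if (substr($1, 9, 1) == "w")            { print "world-writable"; exit }
        if ($3 == u && substr($1, 3, 1) == "w") { print "owner-writable"; exit }
        if ($4 == g && substr($1, 6, 1) == "w") { print "group-writable"; exit }
    }'
}

# Read a 7-field passwd(5) file ($1); print "name home reason" per finding.
audit_service_homes() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $shell in */nologin|*/false) ;; *) continue ;; esac
        [ -d "$home" ] || continue
        reason=$(writable_by "$uid" "$gid" "$home")
        if [ -n "$reason" ]; then printf '%s %s %s\n' "$name" "$home" "$reason"; fi
    done < "$1"
}

# Constructed fixture (made-up accounts); prints the temp directory it creates.
make_fixture() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/svcaudit.XXXXXX"); me=$(id -u); other=$((me + 1))
    mkdir "$d/owned" "$d/shared" "$d/empty"
    chmod 755 "$d/owned"; chmod 1777 "$d/shared"; chmod 555 "$d/empty"
    cat > "$d/passwd" <<EOF
svc_owned:*:$me:$other:constructed:$d/owned:/usr/sbin/nologin
svc_shared:*:$other:$other:constructed:$d/shared:/bin/false
svc_empty:*:$other:$other:constructed:$d/empty:/usr/sbin/nologin
admin:*:$me:$other:constructed:$d/owned:/bin/sh
EOF
    echo "$d"
}

fixture=$(make_fixture)
audit_service_homes "$fixture/passwd"
rm -rf "$fixture"
```

The /tmp-style home (mode 1777) and the self-owned home are reported; the mode 555 home, laid out like /var/empty, is not, and the account with a real login shell is outside the check.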