Date: Mon, 10 Feb 2003 09:59:45 -0600 From: Kim Scarborough <sluggo@unknown.nu> To: Doug Barton <DougB@FreeBSD.org> Cc: ports@FreeBSD.org Subject: Re: Problems with new port Message-ID: <3E47CC71.3090709@unknown.nu> In-Reply-To: <20030209213008.O866@12-234-22-23.pyvrag.nggov.pbz> References: <3E46E0E3.7030708@unknown.nu> <20030210014400.GM6740@vectors.cx> <3E472244.4040004@unknown.nu> <20030209213008.O866@12-234-22-23.pyvrag.nggov.pbz>
next in thread | previous in thread | raw e-mail | index | archive | help
> What security problems are you trying to solve by creating a new user, and > why do you think user nobody isn't a good solution for them? If every miscellaneous server runs under ID "nobody", then if there's a hole in any one of them, all the rest are vulnerable. Segregating each server to its own UID limits potential damage. Also, having nobody-owned files is anathema to most sysadmins (yes, I know nobody owns the locate db, but I also hear complaints about that quite often), and this port creates some files under the daemon UID. I thought this was all conventional wisdom... isn't this why apache, bind, sendmail, and sshd all have their own unique unprivileged users? -- ---------------------------------------------------------------------------- Kim Scarborough http://www.unknown.nu/kim/ ---------------------------------------------------------------------------- "I know of no man I despise more than Shakespeare; it would be positively a relief to my mind to dig him up and throw stones at him." - George Bernard Shaw ---------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E47CC71.3090709>