Date:      Wed, 17 Oct 2001 11:32:22 -0400 (EDT)
From:      Mikhail Teterin <mi@aldan.algebra.com>
To:        rwatson@FreeBSD.org
Cc:        ache@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc group master.passwd
Message-ID:  <200110171532.f9HFWPZ03294@aldan.algebra.com>
In-Reply-To: <Pine.NEB.3.96L.1011017100858.30170B-100000@fledge.watson.org>

On 17 Oct, Robert Watson wrote:
> This is  good to see --  the whole nobody:nobody thing  has worried me
> for a while,  as it's used by  a number of daemons to  create a shared
> sandbox, and a  failure of one daemon  can lead to the  failure of all
> others,  as  well  as  potential  privilege  escalation  due  to  poor
> sandboxing techniques by any of those daemons.

My few pennies :) First, there are plenty of other nobody:nogroup pieces
running. Squid,  for example  and it owns  A LOT of  files on  a typical
installation.

Second, maybe it is time to start thinking about some sort of a bridge
between  the  /etc/services  and  /etc/passwd*,  so  that  each  daemon
providing  a service  is  (or can  easily be  made)  running under  that
special user name and a (somehow derived) id. Very futuristic :)

Third,  I don't  think the  Apache  port needs  to install  the user  on
systems  which don't  have  it  already. If  they  already have  Apache
installed (previous version),  there will be plenty of work  for them to
do anyway -- manually setting the permissions. It would be better, IMHO,
if Apache did start  for them at all (with the  unknown user error), than
if it started,  but began failing on _some_ pages.  The port should just
warn them, I think.

-- 
                         |\__-----__/|
                    _____/ :::::  :::\_____  
                   '__--( ::::::::..::)--__`	-mi
If you have a      /  _- \/  :::::::\/ -_  
serious knowledge    /   / :.   .::::\   \
about computers --      | ::::::::::::|  	Ok, let's say you broke 
keep it in a secret!   _|/ ::::____::\|_	the wall with your head
"Rules of dating",   /  /:::::/:_::\::\:.\      What are you going to
'Playboy', © 1994   | :|  ..:(_/ \::|::|::|	do in the next cell?
                    | :|:::::. ::|: |::|.:|	      Stanislaw J. Lec
                     \ |::  :::_/::/: :|:/
                   ((___\____\____/___/___))
