From owner-cvs-etc  Mon Oct 27 10:03:38 1997
Return-Path: <owner-cvs-etc>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id KAA10669
          for cvs-etc-outgoing; Mon, 27 Oct 1997 10:03:38 -0800 (PST)
          (envelope-from owner-cvs-etc)
Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA10645;
          Mon, 27 Oct 1997 10:03:34 -0800 (PST)
          (envelope-from nate@rocky.mt.sri.com)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100])
	by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id LAA14644;
	Mon, 27 Oct 1997 11:03:32 -0700 (MST)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id LAA00863; Mon, 27 Oct 1997 11:03:30 -0700 (MST)
Date: Mon, 27 Oct 1997 11:03:30 -0700 (MST)
Message-Id: <199710271803.LAA00863@rocky.mt.sri.com>
From: Nate Williams <nate@mt.sri.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= <ache@nagual.pp.ru>
Cc: Nate Williams <nate@mt.sri.com>, cvs-committers@freebsd.org,
        cvs-all@freebsd.org, cvs-etc@freebsd.org
Subject: Re: cvs commit: src/etc master.passwd
In-Reply-To: <Pine.BSF.3.96.971027204745.912A-100000@lsd.relcom.eu.net>
References: <199710271718.KAA00563@rocky.mt.sri.com>
	<Pine.BSF.3.96.971027204745.912A-100000@lsd.relcom.eu.net>
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid
Sender: owner-cvs-etc@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>>   Move nobody to daemon class, otherwise it is impossible to start fingerd
>>>   while Apache is running, it effectively eats all default class limits for
>>>   nobody

>> This seems silly.  'nobody' is nobody, and if Apache is running as
>> nobody, it should be running as daemon, or another (new) user.  nobody
>> should be running as 'nobody'. :)
> 
> There is old tradition exists to run Apache as nobody and it is better to
> not touch it.

It's *worse* to change nobody to be effectively 'daemon'.  It's alot
easier (and better) to give Apache a new user then to make nobody
'daemon'.  (Think NFS, among other things.)

> Since nobody not means normal user (and its limits) in any case, it seems
> logical to assign daemon class for it resolving all issues above. 

No, nobody means 'nobody'.  Apache is a 'daemon', so if that's not
appropriate, create a new user for it.  Either that or disable fingerd
on machines where Apache is running.



Nate