From owner-freebsd-questions Sat Aug 18 22:27:38 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mnmai05.mn.mediaone.net (nic-245-c10-36.mn.mediaone.net [24.245.10.36])
    by hub.freebsd.org (Postfix) with ESMTP id E1AB237B411
    for ; Sat, 18 Aug 2001 22:27:34 -0700 (PDT)
    (envelope-from orpheus@mnmai05.mn.mediaone.net)
Received: (from orpheus@localhost)
    by mnmai05.mn.mediaone.net (8.9.3/8.9.3-CONDOLAN) id AAA07697;
    Sun, 19 Aug 2001 00:27:45 -0500
Date: Sun, 19 Aug 2001 00:27:44 -0500
From: Jeffrey Dunitz
To: Eric Lam
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Nobody
Message-ID: <20010819002744.A7556@lemieux.condolan.asn>
Reply-To: orpheus@avalon.net
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from ecrim@earthlink.net on Fri, Aug 17, 2001 at 07:57:50PM +0100
X-Blargh: This message is Blargh. (lemieux)
X-Crypto-Secret: 225d762b2865446cb716507e35d50ca7
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On this day Fri, Aug 17, 2001 at 07:57:50PM +0100, the following great wisdom
poured forth from the mouth of Eric Lam, to the stark amazement of all who
witnessed:

> Would someone please explain, in detail, what does, "Loading a daemon as
> nobody..." mean? I kinda get what it's for, but I would like to know what
> are the pros, and the cons/limitations. Thanks.

Well, exactly _how_ you do it depends on the particular daemon you're dealing
with--apache, for example, lets you specify the user and group right in the
config file. Things that run out of inetd have their user set in the
inetd.conf file. Most things there run as root, except for things like identd
and finger.

The advantage, and really the only one, to running something as nobody is
security.
If someone is able to find an exploit for the daemon in question, to make it
execute arbitrary commands or access files, they can only see or modify stuff
the nobody user has access to. If you run something as root, and someone takes
it over, they effectively have gained root access to your system.

The limitations, of course, are that if you need to be root to do or see
something that your daemon needs to do or see, you'll lose that functionality.
That's really the only limitation, but it's not really so much a second-order
effect as it is the _entire point_ of not running something as root.

Non-unix OSes sometimes refer to this concept as "separation of roles". It's
kind of like the separated areas in the hull of a submarine--if one
compartment gets flooded, you can close the doors and the other compartments
stay dry.

I think it's good to run as few things as root as possible. Some things, like
telnet (which I'd say has no place on an internet-connected system anyway, but
that's just me...) pretty much _need_ to be run as root, or they won't really
work. Things like the daytime service can be changed to run as nobody, but I'm
somewhat certain that they run as root anyway, because they're internal. But
running something like a finger daemon as root would be just asking for
trouble; there have been some exploits against fingerd, so if it runs as root,
you might be able to tickle it into giving you a root shell. Being able to
tickle a system into giving you a nobody shell is way less fun and interesting
than root. :)

Hope this sheds some light. BTW, if you're asking about this, you might also
want to look into chroot jails for things like DNS. Very helpful.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jeffrey Dunitz                 | unix    | orpheus@avalon.net
BOFH Emeritus, Avalon Networks | perl    | (651) 686-9974
http://www.avalon.net/~orpheus | net/sec | Eagan, MN
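
The message above notes that each inetd-launched service gets its user from inetd.conf and that most run as root. The following is an added example, not part of the original message: a small audit that reads inetd.conf-style lines and separates services that start an external program as root from inetd built-ins. The sample lines are constructed, and the names parse_inetd_conf, root_services and SAMPLE are hypothetical.

```python
from typing import NamedTuple

# Constructed sample in inetd.conf layout (not taken from a real host):
# service  socket  proto  wait/nowait  user[:group][/class]  program  args...
SAMPLE = """\
ftp     stream tcp nowait      root           /usr/libexec/ftpd    ftpd -l
telnet  stream tcp nowait      root           /usr/libexec/telnetd telnetd
finger  stream tcp nowait/3/10 nobody         /usr/libexec/fingerd fingerd -s
daytime stream tcp nowait      root           internal
tftp    dgram  udp wait        nobody:nogroup /usr/libexec/tftpd   tftpd /tftpboot
#shell  stream tcp nowait      root           /usr/libexec/rshd    rshd
"""

class Entry(NamedTuple):
    service: str
    proto: str
    user: str
    group: str    # empty when the field is just "user"
    program: str  # "internal" means inetd answers the request itself

def parse_inetd_conf(text):
    """Return one Entry per active line; comments and short lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:          # malformed line, nothing to audit
            continue
        service, _sock, proto, _wait, owner, program = fields[:6]
        owner = owner.split("/", 1)[0]        # drop optional /login-class
        user, _, group = owner.partition(":")
        entries.append(Entry(service, proto, user, group, program))
    return entries

def root_services(entries, privileged=("root",)):
    """Return (external, internal) service names that run as a privileged user."""
    hits = [e for e in entries if e.user in privileged]
    external = [e.service for e in hits if e.program != "internal"]
    internal = [e.service for e in hits if e.program == "internal"]
    return external, internal

if __name__ == "__main__":
    external, internal = root_services(parse_inetd_conf(SAMPLE))
    print("root, external program:", external)
    print("root, inetd built-in:  ", internal)
```

The external list is the one to review first: each entry is a separate program that a remote client can reach while it holds root.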