Date: Mon, 21 Jun 2004 18:32:25 +0200 From: "Martin P. Hellwig" <mhellwig@xs4all.nl> Cc: freebsd-current@freebsd.org Subject: Re: startup error for pflogd Message-ID: <40D70D99.6050505@xs4all.nl> In-Reply-To: <20040621170130.E9602@fw.reifenberger.com> References: <20040620134437.P94503@fw.reifenberger.com> <20040621105114.G9108@fw.reifenberger.com> <200406211639.22243.max@love2party.net> <20040621170130.E9602@fw.reifenberger.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Michael Reifenberger wrote:
> On Mon, 21 Jun 2004, Max Laier wrote:
> ...
>
>> I'll try to explain the reasoning behind this. If there are a zillion
>> processes all owned by nobody:nogroup and an attacker manages to obtain
>> control over one of them, the rest might be easy/easier prey. The
>> evildoer
>> will have better chances to obtain critical resources and maybe root
>> in the
>> end.
>>
>> This might seem like OpenBSD/paranoia, but my opinion on it is: It's
>> done so
>> why not port it over? It also helps to keep the diff down (which
>> means less
>> work).
>>
>
> Wouldn't it make sense to add all _<service> users at once then?
>
Yes voter for this one , from my limited user perspective this seems
the logical thing to do.
--
mph
$ /usr/local/etc/rc.d/bikeshed.sh
$ Usage, mix UNIX with: {politics|religion|both(=GNU/Linux)}
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40D70D99.6050505>