Date:      Wed, 13 Jan 1999 10:02:59 +0100 (CET)
From:      Jeroen Ruigrok/Asmodai <asmodai@wxs.nl>
To:        FreeBSD Security <security@FreeBSD.ORG>
Subject:   GIDs for new default system `users'
Message-ID:  <XFMail.990113100259.asmodai@wxs.nl>

Hi guys,

I have a question/remark I am very well concerned with...

In the latest CURRENT /usr/src/etc/master.passwd there exist two new
users, mainly tty-sandbox and kmem-sandbox. These users are given the GID
of nogroup(65533). 

I recently had a whole discussion about user and group id's with our local
Unix guru and what he told me made perfect sense to me. What he said was
basically that every user or group can never be nobody or no-one since they
have an entry in the group or master.passwd file. He also told me that a lot
of people make something like Squid and Apache members of nogroup/nobody
because these aren't accounts. IMHO that's completely wrong since they
belong to a group and can thus always be compromised and if a lot of
programs are members of one group that means a lot of potential holes.

Is there something specific about nogroup btw, that it has this explicit
name? If not, if it's basically the same as nobody, then I am all in favor
of moving those tty-sandbox and kmem-sandbox to their own group id's for
the sake of security...

Comments?

---
Jeroen Ruigrok van der Werven    A veil of smoke is what I am,
asmodai(at)wxs.nl                         I wait and I wait...
Network/Security Specialist      <http://home.wxs.nl/~asmodai>
BSD & picoBSD: The Power to Serve     <http://www.freebsd.org>
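
The concern raised in the message, several unrelated accounts sharing one catch-all primary group, can be checked mechanically. The following is an added example, not part of the original message or of FreeBSD: it lists every primary GID used by more than one account. The sample file contents are constructed; only the names tty-sandbox, kmem-sandbox and nogroup (65533) come from the message, and all UIDs, the squid and www entries and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample input. Only the names tty-sandbox, kmem-sandbox and
# nogroup (GID 65533) come from the message; all other values are made up.
SAMPLE_MASTER_PASSWD = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
tty-sandbox:*:7001:65533::0:0:tty sandbox:/:/sbin/nologin
kmem-sandbox:*:7002:65533::0:0:kmem sandbox:/:/sbin/nologin
squid:*:7003:65533::0:0:proxy:/nonexistent:/sbin/nologin
www:*:80:80::0:0:web server:/nonexistent:/sbin/nologin
"""
SAMPLE_GROUP = """\
wheel:*:0:root
www:*:80:
nogroup:*:65533:
"""

def records(text):
    """Yield colon-split fields for each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")

def shared_primary_groups(passwd_text, group_text):
    """Return {group name: sorted accounts} for primary GIDs used by >1 account."""
    # group(5) layout: name:passwd:gid:members
    names = {int(f[2]): f[0] for f in records(group_text)
             if len(f) >= 3 and f[2].isdigit()}
    by_gid = defaultdict(list)
    for f in records(passwd_text):
        # master.passwd has 10 fields, passwd has 7; the GID is field 4 in both.
        if len(f) in (7, 10) and f[3].isdigit():
            by_gid[int(f[3])].append(f[0])
    # Fall back to the numeric GID when the group file has no name for it.
    return {names.get(gid, str(gid)): sorted(users)
            for gid, users in by_gid.items() if len(users) > 1}

if __name__ == "__main__":
    found = shared_primary_groups(SAMPLE_MASTER_PASSWD, SAMPLE_GROUP)
    for group, users in found.items():
        print(f"{group}: primary group of {', '.join(users)}")
```

Any file or device that grants access to a reported group is reachable from every account listed for it, which is the exposure the message describes.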
