Date: Wed, 13 Jan 1999 10:02:59 +0100 (CET)
Organization: Ninth Circle Enterprises
From: Jeroen Ruigrok/Asmodai
To: FreeBSD Security
Subject: GIDs for new default system `users'

Hi guys,

I have a question/remark I am very well concerned with...

In the latest CURRENT /usr/src/etc/master.passwd there exist two new users, namely tty-sandbox and kmem-sandbox. These users are given the GID of nogroup (65533).

I recently had a whole discussion about user and group IDs with our local Unix guru and what he told me made perfect sense to me. What he said was basically that every user or group can never be nobody or no-one since they have an entry in the group or master.passwd file. He also told me that a lot of people make something like Squid and Apache members of nogroup/nobody because these aren't accounts.

IMHO that's completely wrong, since they belong to a group and can thus always be compromised, and if a lot of programs are members of one group that means a lot of potential holes.

Is there something specific about nogroup btw, that it has this explicit name? If not, if it's basically the same as nobody, then I am all in favor of moving those tty-sandbox and kmem-sandbox to their own group IDs for the sake of security...

Comments?

---
Jeroen Ruigrok van der Werven    A veil of smoke is what I am,
asmodai(at)wxs.nl                I wait and I wait...
Network/Security Specialist      BSD & picoBSD: The Power to Serve
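
Added example (not part of the original message, and not FreeBSD project code): a small audit that reads master.passwd and group text and reports every GID held by two or more no-login accounts, which is the shared-nogroup situation the message describes. The sample files are constructed; only the account names tty-sandbox/kmem-sandbox and nogroup (65533) come from the message, and treating a "nologin" shell as the mark of a daemon account is an assumption.

```python
from collections import defaultdict

# Constructed sample files. Only the names tty-sandbox/kmem-sandbox and
# nogroup (65533) come from the message; UIDs and other rows are placeholders.
MASTER_PASSWD = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
tty-sandbox:*:31:65533::0:0:tty sandbox:/:/sbin/nologin
kmem-sandbox:*:32:65533::0:0:kmem sandbox:/:/sbin/nologin
www:*:80:80::0:0:web server:/nonexistent:/sbin/nologin
squid:*:100:65533::0:0:proxy:/nonexistent:/sbin/nologin
nobody:*:65534:65534::0:0:unprivileged:/nonexistent:/sbin/nologin
"""
GROUP = """\
wheel:*:0:root
www:*:80:
nogroup:*:65533:www
nobody:*:65534:
"""

def records(text, nfields):
    """Yield colon-split records, skipping blanks, comments and malformed lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) == nfields:
            yield fields

def shared_service_gids(passwd_text, group_text):
    """Return {(gid, group name): [accounts]} for groups held by 2+ no-login accounts."""
    nologin, members = set(), defaultdict(set)
    for name, _pw, _uid, gid, *_mid, shell in records(passwd_text, 10):
        # Assumption: a shell ending in "nologin" marks a daemon/sandbox account.
        if shell.endswith("nologin") and gid.isdigit():
            nologin.add(name)
            members[int(gid)].add(name)          # primary group
    gnames = {}
    for gname, _pw, gid, users in records(group_text, 4):
        if gid.isdigit():
            gnames[int(gid)] = gname
            # supplementary membership from the group file's member list
            members[int(gid)].update(u for u in users.split(",") if u in nologin)
    return {(g, gnames.get(g, "?")): sorted(a) for g, a in members.items() if len(a) > 1}

if __name__ == "__main__":
    for (gid, gname), accounts in shared_service_gids(MASTER_PASSWD, GROUP).items():
        print(f"{gname} ({gid}) is shared by: {', '.join(accounts)}")
```

Giving each sandbox account its own GID in the passwd text removes it from the report, while any daemons still left in nogroup continue to be flagged.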