From: Jeroen Ruigrok/Asmodai
To: andrewr
Cc: FreeBSD Security
Subject: Re: GIDs for new default system `users'
Date: Wed, 13 Jan 1999 19:38:27 +0100 (CET)
Organization: Ninth Circle Enterprises

On 13-Jan-99 andrewr wrote:
>
>
> On Wed, 13 Jan 1999, Jeroen Ruigrok/Asmodai wrote:
>
>> Hi guys,
>>
>> I have a question/remark I am very well concerned with...
>>
>> Is there something specific about nogroup btw, that it has this explicit
>> name? If not, if it's basically the same as nobody, then I am all in
>> favor of moving those tty-sandbox and kmem-sandbox to their own group
>> id's for the sake of security...
>
> IMHO, just like qmail, any important service that is running on a machine,
> should have their own gid. I agree with you on this completely.. however
> it does seem kind of crazy to just go out and be throwing gid's around to
> everyone and every thing.

Well, I think that depends. The average system has at least 65535 gids
available, of which roughly 20-30 are in use by default. That leaves us
with 65500 gids free.
Of these let's say about 1000 might be in use by active users and 2000 in
use by inactive users. That still leaves us with 62000 gids to use...

I frankly don't see the problem, in fact I see more benefits, except from a
slight administration point of view it might be more problematic at start.

---
Jeroen Ruigrok van der Werven          A veil of smoke is what I am,
asmodai(at)wxs.nl                      I wait and I wait...
Network/Security Specialist            BSD & picoBSD: The Power to Serve