Date: Wed, 13 Oct 1999 17:14:01 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: James Wyatt <jwyatt@rwsystems.net>
Cc: Greg Lewis <glewis@trc.adelaide.edu.au>, freebsd-security@freebsd.org
Subject: Re: FreeSSH
Message-ID: <Pine.BSF.3.96.991013170937.22726D-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.10.9910131307410.60569-100000@bsdie.rwsystems.net>
On Wed, 13 Oct 1999, James Wyatt wrote:

> On Wed, 13 Oct 1999, Greg Lewis wrote:
> > In the interests of minimising bloat we could balance its inclusion by
> > deleting something like, say, uucp.
> > (:-) for the uucps users)
>
> As another heavy UUCP user on several machine here (and owner of CD sets
> for 2.26/2.28/3.2/3.3/etc...) I wouldn't mind a well-done package if it
> still used /etc/uucp and added the UUCP user. I also would not mind it
> being another optional binset on the install.

This actually raises another issue that is relevant to the
packages/ports/etc system--the addition of new users for services. Some
services (uucp, bind, postgres, www, etc..) require new services be added
to the system. Some consistency in the allocation of uid's, and a formal
policy for which uid's should be used might be nice :-). Maybe one exists
and I have missed it...

But adding users is clearly relevant to a system security policy. Removing
users is also relevant--right now many ports that require user
modification don't get packages, perhaps for this reason. But if more of
the world uses packages, it would be nice to know if, say, pkg_add will
overwrite a current user, or end up with a uid that already owns some
files, and that pkg_delete would or would not remove the user in a
consistent and complete way.

Right now we encourage the use of uid's over 1000 for new users, but
documenting this would be a good idea "local users SHOULD be given a
unique uid >= 1000 -- values less than 1000 are reserved for built-in
accounts, and for add-on packages" or the like. For the purposes of NFS,
it seems desirable that when a package is installed, it use the same uid
consistently?

I'm not sure the correct course of action is clear in my mind, but
whatever it is, it is certainly security-relevant.

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
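
Added example, not part of the message above and not pkg_add's own code: a shell function that runs the checks the message asks about before a package adds a service account (name already present, uid already taken, uid outside the range the message proposes reserving below 1000, uid still owning files). The function name, verdict strings and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data in /etc/passwd format (not from a real system).
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh'

# check_pkg_user NAME UID [PASSWD_FILE] [SCAN_DIR]   (hypothetical helper)
# Prints one verdict word; returns 0 only when adding the account is safe.
check_pkg_user() {
    name=$1; uid=$2; pw=${3:-/etc/passwd}; dir=$4
    case $uid in ''|*[!0-9]*) echo invalid-uid; return 2;; esac
    # Range assumed from the wording proposed in the message:
    # uids >= 1000 belong to local users, lower ones to built-ins and packages.
    if [ "$uid" -ge 1000 ]; then echo uid-in-local-range; return 1; fi
    existing_uid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$pw")
    owner=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$pw")
    if [ -n "$existing_uid" ]; then
        # Same name, same uid: nothing to add, and nothing to overwrite.
        if [ "$existing_uid" = "$uid" ]; then echo already-present; return 0; fi
        echo name-exists-different-uid; return 1
    fi
    if [ -n "$owner" ]; then echo "uid-taken-by-$owner"; return 1; fi
    # A uid absent from passwd can still own files left by a removed account.
    if [ -n "$dir" ] && [ -n "$(find "$dir" -uid "$uid" -print 2>/dev/null | head -n 1)" ]; then
        echo uid-owns-orphan-files; return 1
    fi
    echo ok-to-add; return 0
}
```

A package removal script would need the mirror image of the last check: if the uid still owns files under SCAN_DIR, removing the passwd entry leaves them to whichever account is next given that uid.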