Date:      Tue, 9 May 2023 10:05:15 +0200
From:      Felix Palmen <zirias@FreeBSD.org>
To:        ports@freebsd.org
Subject:   Re: Unprivileged default user for "tiny" daemons?
Message-ID:  <axmocd4atpwa6gckwlr6d3xwx3vduhgyzkywv6sbawtmssbgi6@o7dzq6knd4nr>
In-Reply-To: <hsletitqldfbhrucakzl3vvotkwp7ghfdpuzyty3b4yu3qdn4d@sdjyu6koet2t>
References:  <hsletitqldfbhrucakzl3vvotkwp7ghfdpuzyty3b4yu3qdn4d@sdjyu6koet2t>


* Felix Palmen <zirias@FreeBSD.org> [20230508 18:39]:
> I tend to think now that 'daemon' should really be the way to go when
> you don't need a dedicated account. Am I overlooking something? Any
> other comments?

Seems I overlooked something indeed:

#v+
$ find [14-jail] \( -user daemon -or -group daemon \)
[14-jail]/usr/sbin/lpc
[14-jail]/usr/bin/lprm
[14-jail]/usr/bin/lpr
[14-jail]/usr/bin/lpq
[14-jail]/var/rwho
[14-jail]/var/spool/mqueue
[14-jail]/var/spool/lpd
[14-jail]/var/spool/output
[14-jail]/var/spool/output/lpd
[14-jail]/var/spool/opielocks
[14-jail]/var/at/jobs
[14-jail]/var/at/spool
[14-jail]/var/msgs
#v-

So, daemon owns e.g. the print spool...

Interestingly, you even find something owned by nobody in base:

#v+
-rw-r--r--  1 nobody  wheel  0 Jul  8  2021 /var/db/locate.database
#v-

So, the takeaway is: There is no safe choice other than allocating a
dedicated UID for every single daemon, even if it doesn't need to
own/access any files? Is this really correct?

Cheers, Felix

-- 
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer (mentee) --            {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231

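The find(1) listing above answers "what does daemon own?" for one host. The question a port maintainer actually wants answered is "what could a compromised service running as this account read or modify?", which also depends on group membership and mode bits. The following is an added example, not part of the message and not FreeBSD's own tooling: a small Python audit that takes a file listing (owner, group, mode) and computes the exposure of a candidate uid/gid, then compares daemon, nobody and a freshly allocated account. The SAMPLE listing is constructed: the paths and owner names follow the message, the numeric ids daemon=1, nobody=65534, wheel=0 are FreeBSD's defaults, the permission bits are illustrative rather than copied from a real install, and uid/gid 2001 ("svc_fresh") is a hypothetical unused account. scan_tree() is the live counterpart for running the same check against a real tree or jail. Only classic POSIX owner/group/other bits are modelled; ACLs and MAC policies are ignored.

```python
"""Exposure audit for a candidate service account (added example).

Given a listing of files with owner, group and mode, report what a process
running as a given uid with a given set of gids could own, write or read.
Running it for 'daemon', 'nobody' and a fresh uid shows why a shared
"unprivileged" account is only unprivileged if nothing is owned by it.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int
    mode: int  # full st_mode: file-type bits plus permission bits


# Constructed sample listing. Paths and owner names follow the find(1)
# output in the message; daemon=1, nobody=65534, wheel=0 are FreeBSD's
# default ids; the permission bits are illustrative, not from a real host.
DAEMON, NOBODY, WHEEL = 1, 65534, 0
SAMPLE = [
    Entry("/usr/bin/lpr", 0, DAEMON, stat.S_IFREG | 0o2555),          # root:daemon
    Entry("/var/spool/lpd", DAEMON, DAEMON, stat.S_IFDIR | 0o755),
    Entry("/var/spool/output/lpd", DAEMON, DAEMON, stat.S_IFDIR | 0o775),
    Entry("/var/at/jobs", DAEMON, WHEEL, stat.S_IFDIR | 0o1770),
    Entry("/var/msgs", DAEMON, DAEMON, stat.S_IFDIR | 0o775),
    Entry("/var/db/locate.database", NOBODY, WHEEL, stat.S_IFREG | 0o644),
    Entry("/etc/rc.conf", 0, WHEEL, stat.S_IFREG | 0o644),            # control
]

# Candidate accounts: name -> (uid, set of gids incl. the primary group).
# 2001 is a hypothetical freshly allocated, otherwise unused uid/gid.
ACCOUNTS = {
    "daemon": (DAEMON, {DAEMON}),
    "nobody": (NOBODY, {NOBODY}),
    "svc_fresh": (2001, {2001}),
}


def can_access(entry, uid, gids, want):
    """Classic POSIX discretionary check; want is a mask of r=4, w=2, x=1.

    uid 0 bypasses the check, as the kernel does for read/write. ACLs and
    MAC policies are not modelled.
    """
    if uid == 0:
        return True
    if entry.uid == uid:
        bits = (entry.mode >> 6) & 0o7
    elif entry.gid in gids:
        bits = (entry.mode >> 3) & 0o7
    else:
        bits = entry.mode & 0o7
    return bits & want == want


def exposure(entries, uid, gids):
    """Paths the credentials own, can write, and can read (each sorted)."""
    return {
        "owned": sorted(e.path for e in entries if e.uid == uid),
        "writable": sorted(e.path for e in entries if can_access(e, uid, gids, 2)),
        "readable": sorted(e.path for e in entries if can_access(e, uid, gids, 4)),
    }


def compare_accounts(entries, accounts):
    """name -> number of paths a compromise of that account could modify."""
    return {name: len(exposure(entries, uid, gids)["writable"])
            for name, (uid, gids) in accounts.items()}


def scan_tree(root):
    """Live counterpart of SAMPLE: lstat every entry under root (e.g. a jail)."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            out.append(Entry(p, st.st_uid, st.st_gid, st.st_mode))
    return out


if __name__ == "__main__":
    for name, (uid, gids) in ACCOUNTS.items():
        x = exposure(SAMPLE, uid, gids)
        print(f"{name:10} owns {len(x['owned'])}  writable: {x['writable']}")
    print(compare_accounts(SAMPLE, ACCOUNTS))
```

On the constructed sample, daemon can modify the spool and at(1) directories, nobody can rewrite locate.database, and the fresh uid can modify nothing; that is the "no safe choice other than a dedicated UID" conclusion made measurable. To audit a real jail, replace SAMPLE with scan_tree("/path/to/jail") and run it as root so that lstat succeeds on every entry.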



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?axmocd4atpwa6gckwlr6d3xwx3vduhgyzkywv6sbawtmssbgi6>