Daemons as user "nobody"

Andy Shevchenko andy at smile.org.ua
Fri Sep 7 05:47:13 UTC 2007


Hi Konstantin Ryabitsev!

 On Wed, Sep 05, 2007 at 12:37:16PM -0400, Konstantin Ryabitsev wrote next:

> I recall there being something about running daemons as user "nobody."
> Is that still a policy? Cursory search in the wiki revealed nothing,
> but searching for "user nobody" is near-futile. :)
> Don't we normally create daemon-specific users?
If you create only one user for many services, you pick up a big security hole.
For example, you have installed httpd and mysql under the nobody account. If the
cracker crashes httpd, he also gets access to mysql. That's why we need to
create a separate user per unique service.

-- 
With best regards,
Andy Shevchenko.      mailto: andy at smile.org.ua
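
The check below is an added example, not part of the original post or of any Fedora tooling: it reads `ps -eo user=,comm=` style output and reports accounts that run more than one distinct daemon, which is the shared-"nobody" situation the reply describes. The sample process list and the ignore list are constructed assumptions.

```python
"""Flag accounts that run more than one distinct daemon (added example)."""
from collections import defaultdict

# Constructed sample of `ps -eo user=,comm=` output; not taken from a real host.
SAMPLE_PS = """\
root     systemd
root     sshd
nobody   httpd
nobody   httpd
nobody   mysqld
named    named
postfix  pickup
postfix  qmgr
"""

# Assumption: accounts expected to run many programs, so they are not reported.
IGNORED_USERS = {"root"}


def services_by_user(ps_output):
    """Map each user to the set of distinct command names it runs."""
    owners = defaultdict(set)
    for line in ps_output.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # skip blank or malformed lines
        user, comm = fields
        owners[user].add(comm.strip())
    return owners


def shared_accounts(ps_output, ignored=IGNORED_USERS):
    """Return {user: sorted commands} for accounts running 2+ distinct commands."""
    return {
        user: sorted(comms)
        for user, comms in services_by_user(ps_output).items()
        if user not in ignored and len(comms) > 1
    }


if __name__ == "__main__":
    for user, comms in sorted(shared_accounts(SAMPLE_PS).items()):
        print(f"{user}: shared by {', '.join(comms)}")
```

A package that runs several of its own binaries under one dedicated account (postfix in the sample) is reported too, so treat the output as a list to review rather than a list of violations.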




